- import requests
- import base64
- import re
- import sys
- import urllib
# URL = ''
# Password written to a device when the operator presses Enter at the
# "new password" prompt; do_config also tries it at login.
# NOTE(review): this is one static value shared by every device processed
# with the default, and it is stored in the script itself. Prefer a
# per-device or operator-supplied secret kept outside the source.
DEFAULT_PWD = 'vnpt@security'
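def get_cookies(uname, passwd):
    """Build the HTTP Basic credential for *uname*/*passwd* as a one-entry dict.

    do_config loads the result into a cookie jar, so the value is sent as a
    cookie named ``Authorization``. Base64 is an encoding, not encryption:
    whenever the target URL is plain ``http://`` the password is readable
    on the wire.

    Returns:
        ``{"Authorization": "Basic <base64(uname:passwd)>"}``
    """
    raw = "{}:{}".format(uname, passwd)
    # b64encode needs bytes. Python 2 ``str`` already is bytes; Python 3
    # text has to be encoded first (the original call raised TypeError there).
    if not isinstance(raw, bytes):
        raw = raw.encode("utf-8")
    token = base64.b64encode(raw)
    # Python 3 returns bytes; convert so the "Basic " prefix can be joined.
    if not isinstance(token, str):
        token = token.decode("ascii")
    return {"Authorization": "Basic " + token}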
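def is_ip(string):
    """Return True when *string* is a dotted-quad IPv4 address.

    The original pattern only counted digits, so values such as
    ``999.999.999.999`` passed, and ``$`` tolerated a trailing newline.
    Each octet is now range-checked and the match is anchored with ``\\Z``.
    """
    match = re.match(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\Z", string)
    if match is None:
        return False
    return all(int(octet) <= 255 for octet in match.groups())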
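def is_url(string):
    """Return True when *string* starts with ``http://`` or ``https://`` and has a dotted host.

    The original pattern put the schemes inside ``[...]``, which is a
    character class: it matched any single leading character out of
    ``h t p s : / |``, so scheme-less input such as ``store.example.com``
    was accepted as a URL. The scheme is now matched literally.

    NOTE(review): log_success and do_config slice ``url[7:]`` to drop the
    scheme, which is only correct for ``http://``.
    """
    return re.match(r"https?://.+\..{2,4}", string) is not None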
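def log_error(err):
    """Append *err* as one line to the error log.

    The path is fixed under /root/Desktop, so the call raises unless the
    script runs as a user that can write there.
    """
    # Alternative for running outside /root: open("igate_error_log.txt", "a")
    # ``with`` closes the handle even if the write raises; the original
    # leaked it in that case.
    with open("/root/Desktop/igate_error_log.txt", "a") as f:
        f.write("{}\n".format(err))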
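def log_success(url):
    """Append *url*, minus its scheme, as one line to the success log.

    do_config passes ``"<url>|<ppp_user>"``, so the subscriber's PPPoE
    username is stored in plain text next to the host; treat the log file
    as sensitive.

    The original dropped a fixed seven characters, which is right for
    ``http://`` but leaves a stray ``/`` for ``https://`` and would eat
    part of the host for anything else. The scheme is now removed by prefix.
    """
    entry = url
    for scheme in ("http://", "https://"):
        if entry.startswith(scheme):
            entry = entry[len(scheme):]
            break
    # Alternative for running outside /root: open("igate_success_log.txt", "a")
    with open("/root/Desktop/igate_success_log.txt", "a") as f:
        f.write("{}\n".format(entry))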
def do_config(url):
    """Log in to one device, set a new password, then re-apply its settings.

    Steps, in order: try the listed credential pairs and change the password
    of each account that logs in; reset the DNS configuration; rewrite the
    TR-069 settings with a fixed ACS URL; switch off HTTP/SSH remote access
    on the PPPoE interface; re-submit the PPPoE WAN service with the
    firewall flag set.

    Reads the module-level ``new_pass`` and, in the final error handler,
    the module-level ``ip``; both exist only when the file runs as a script.

    NOTE(review): indentation was lost in this paste. The nesting below is
    reconstructed; places where more than one reading is possible are marked.
    """
    global new_pass
    # credentials = [('operator', DEFAULT_PWD)]
    # (account, [passwords to try]) pairs; 'vnpt@security' equals DEFAULT_PWD.
    credentials = [('operator', ['operator', 'oper@tor', 'vnpt@security']), ('admin', ['admin', 'vnpt@security'])]
    # Loop change password
    success = False
    print "[+] Processing {}".format(url)
    for cred in credentials:
        try:
            uname, passwords = cred[0], cred[1]
            logged_in = False
            for passwd in passwords:
                if logged_in:
                    break
                cookies = get_cookies(uname, passwd)
                cj = requests.cookies.RequestsCookieJar()
                requests.utils.add_dict_to_cookiejar(cj, cookies)
                with requests.Session() as c:
                    c.cookies = cj
                    # No timeout here or on most later calls: an unresponsive
                    # device blocks the whole run.
                    res = c.get(url)
                    # Login is inferred from a marker string in the page body.
                    if "<!-- hide" in res.content:
                        logged_in = True
                        print "[i] Login successfully with {}".format(uname)
                        # Change password
                        # NOTE(review): old and new passwords travel in a GET
                        # query string (cleartext over http://, and liable to
                        # be logged), and neither is URL-quoted, so a password
                        # containing '&', '#' or '%' reaches the device
                        # altered. The response is not checked before success
                        # is printed.
                        c.get(url + "/password.cgi?inUserName={}&inPassword={}&inOrgPassword={}".format(uname, new_pass, passwd))
                        print "Change {} password successfully".format(uname)
                        # Only the first account that logs in supplies the
                        # session used for the rest of the function.
                        if not success:
                            success = True
                            cj2 = requests.cookies.RequestsCookieJar()
                            cookies = get_cookies(uname, new_pass)
                            requests.utils.add_dict_to_cookiejar(cj2, cookies)
        # NOTE(review): bare except hides every failure for this account,
        # including network errors and KeyboardInterrupt.
        except:
            pass
    if not success:
        print "[!] Can't login with default credentials"
        # url[7:] assumes an "http://" prefix; an https:// URL keeps a stray "/".
        log_error("{}: Login failed".format(url[7:]))
        print "+-----------------+\n"
        return
    # Comment out this try catch block for debugging
    try:
        with requests.Session() as c:
            c.cookies = cj2
            # print requests.utils.dict_from_cookiejar(cj2)
            # Change DNS server
            dns_ifs = []
            dns_res = c.get(url + "/dnscfg.html").content
            # v2 selects the alternate page names (dnsconfg / tr69confg),
            # used when the first page returns an empty body.
            v2 = False
            if dns_res == "":
                dns_res = c.get(url + "/dnsconfg.html").content
                v2 = True
            if dns_res != "":
                # The generator's loop variable is also named c; a generator
                # expression has its own scope, so the session is not rebound.
                # [0] raises IndexError when interfaceInfo is absent, which
                # jumps to the outer handler.
                dns_ifs += (c.split('/')[1] for c in re.findall("var\s*interfaceInfo\s*=\s*'(.+?)';", dns_res)[0].split('|'))
                c_dns = [ifs for ifs in dns_ifs if "ppp" in ifs]
                if len(c_dns) != 0:
                    # print "Select DNS: {}".format(c_dns[0])
                    # Both DNS servers are submitted as 0.0.0.0 (presumably
                    # "take DNS from the WAN interface" - confirm against
                    # the firmware).
                    if not v2:
                        c.get(url + "/dnscfg.cgi?dnsIfcsList={}&dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsRefresh=0&dns6Type=Static".format(c_dns[0]))
                    else:
                        c.get(url + "/dnsconfg.cgi?dnsIfcsList={}&dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsRefresh=0&dns6Type=Static".format(c_dns[0]))
                    # NOTE(review): placement reconstructed; printed without
                    # checking the response.
                    print "Change DNS successfully"
            else:
                print "DNS configuration not found"
            # Change TR-069 server
            tr_069_res = c.get(url + "/tr69cfg.html").content
            v2 = False
            if tr_069_res == "":
                v2 = True
                tr_069_res = c.get(url + "/tr69confg.html").content
            if tr_069_res != "":
                # Current values are scraped from the page's inline script
                # and sent back unchanged; only the ACS URL is replaced.
                # The ACS and connection-request credentials are URL-quoted.
                enblInform = re.findall("enblInform\s*=\s*'(\d{1})';", tr_069_res)[0]
                informInterval = re.findall("informInterval\.value\s*=\s*'(\d+)';", tr_069_res)[0]
                tr69cAcsUser = urllib.quote(re.findall("acsUser\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cAcsPwd = urllib.quote(re.findall("acsPwd\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cConnReqUser = urllib.quote(re.findall("connReqUser\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cConnReqPwd = urllib.quote(re.findall("connReqPwd\.value\s*=\s*'(.*)';", tr_069_res)[0])
                tr69cNoneConnReqAuth = re.findall("enblNoneConnReqAuth\s*=\s*'(\d{1})';", tr_069_res)[0]
                tr69cDebugEnable = re.findall("enblDebug\s*=\s*'(\d{1})';", tr_069_res)[0]
                tr69cBoundIfName = re.findall("var\s*boundIfName\s*=\s*'(.*)';", tr_069_res)[0]
                # The ACS URL is hard-coded and uses plain http://; the ACS
                # credentials go out in the query string of this request.
                if v2:
                    c.get(url + "/tr69confg.cgi?tr69cInformEnable={}&tr69cInformInterval={}&tr69cAcsURL=http://10.149.247.147:8091&tr69cAcsUser={}&tr69cAcsPwd={}&tr69cConnReqUser={}&tr69cConnReqPwd={}&tr69cNoneConnReqAuth={}&tr69cDebugEnable={}&tr69cBoundIfName={}".format(enblInform, informInterval, tr69cAcsUser, tr69cAcsPwd, tr69cConnReqUser, tr69cConnReqPwd, tr69cNoneConnReqAuth, tr69cDebugEnable, tr69cBoundIfName))
                else:
                    c.get(url + "/tr69cfg.cgi?tr69cInformEnable={}&tr69cInformInterval={}&tr69cAcsURL=http://10.149.247.147:8091&tr69cAcsUser={}&tr69cAcsPwd={}&tr69cConnReqUser={}&tr69cConnReqPwd={}&tr69cNoneConnReqAuth={}&tr69cDebugEnable={}&tr69cBoundIfName={}".format(enblInform, informInterval, tr69cAcsUser, tr69cAcsPwd, tr69cConnReqUser, tr69cConnReqPwd, tr69cNoneConnReqAuth, tr69cDebugEnable, tr69cBoundIfName))
                print "Successfully change TR-069 server to default"
            else:
                print "TR-069 configuration not found"
            #return
            # Disable remote access via ssh and web for PPPoE interface
            ra_res = c.get(url + "/scinflt.cmd?action=remoteview").content
            ra_ifs = []
            # Unlike the DNS step there is no empty-body guard here; a
            # missing interfaceInfo raises IndexError.
            ra_ifs += (c.split('/')[1] for c in re.findall("var\s*interfaceInfo\s*=\s*'(.+?)';", ra_res)[0].split('|'))
            ra_interface = [ifs for ifs in ra_ifs if "ppp" in ifs]
            if len(ra_interface) != 0:
                # accesshttp=0 and accessssh=0 are submitted for ports 80 and 22.
                c.get(url + "/scinflt.cmd?action=remoteset&wanIf={0}&ipver=4&protocol=1&accesshttp=0&fltNamehttp=HTTP_{0}&dstPorthttp=80&accessssh=0&fltNamessh=SSH_{0}&dstPortssh=22".format(ra_interface[0]))
                print "Successfully disable remote access on PPPoE interface"
            # Enable firewall
            fw_res = c.get(url + "/wancfg.cmd").content
            fw_ifs = re.findall("<td align='center'><input type='button' onClick='editClick\(\"(.+?)\", \"", fw_res)
            if len(fw_ifs) != 0:
                # [0] raises IndexError when no listed interface contains "ppp".
                i = [i for i in fw_ifs if "ppp" in i][0]
                res = c.get(url + "/wanL3Edit.cmd?serviceId=1&wanIfName={}&ntwkPrtcl=12".format(i)).content
                req1 = "/gponwan.cmd?action=add&ifname=veip0&wanIdx=2&connMode=1"
                c.get(url + req1)
                # The subscriber's PPPoE username and password are read from
                # the edit page and sent back in later query strings, not
                # URL-quoted (the TR-069 values above are).
                ppp_user = re.findall("pppUserName\.value\s*=\s*'(.+)';", res)[0]
                ppp_password = re.findall("pppPassword\.value\s*=\s*'(.+)';", res)[0]
                ppp_mtu = re.findall("pppMtuSize\.value\s*=\s*'(.+)';", res)[0]
                # NOTE(review): "ðMtu" looks like "&ethMtu" after the page
                # renderer decoded the HTML entity "&eth"; as printed, the
                # "&" separator is missing - confirm against the original file.
                req2 = "/tempstore.cgi?wanL2IfName=veip0&enblEnetWan=0&ntwkPrtcl=12&enblIpVer=0&serviceName=pppoe_veip0&pppUserName={}&pppPassword={}&pppMTU={}ðMtu=1500".format(ppp_user, ppp_password, ppp_mtu)
                c.get(url + req2)
                # Every pattern below captures exactly one digit, and each
                # [0] raises IndexError when the variable is missing or longer.
                enblNatppp = re.findall("var\s*natppp\s*=\s*'(\d{1})';", res)[0]
                enblOnDemand = re.findall("var\s*onDemand\s*=\s*'(\d{1})';", res)[0]
                enblFirewallppp = re.findall("var\s*firewallppp\s*=\s*'(\d{1})';", res)[0]
                pppTimeOut = re.findall("var\s*timeOut\s*=\s*'(\d{1})';", res)[0]
                enblIpAddr = re.findall("var\s*enblIpAddr\s*=\s*'(\d{1})';", res)[0]
                cfgL2tpAc = re.findall("var\s*cfgL2tpAc\s*=\s*'(\d{1})';", res)[0]
                localIpAddr = re.findall("var\s*localIpAddr\s*=\s*'(.+)';", res)[0]
                # ipExtension is read but never used; req3 sends a literal 0.
                ipExtension = re.findall("var\s*ipExtension\s*=\s*'(\d{1})';", res)[0]
                enblFullconeNat = re.findall("var\s*fullconeNat\s*=\s*'(\d{1})';", res)[0]
                # The one setting this step overrides: firewall forced on.
                enblFirewall = 1
                authMethod = re.findall("var\s*authMethod\s*=\s*'(\d{1})';", res)[0]
                pppAuthErrorRetry = re.findall("var\s*pppAuthErrorRetry\s*=\s*'(\d{1})';", res)[0]
                enblPppDebug = re.findall("var\s*pppDebug\s*=\s*'(\d{1})';", res)[0]
                enblIgmp = re.findall("var\s*enableIgmp\s*=\s*'(\d{1})';", res)[0]
                enblGponWan = re.findall("var\s*enblGponWan\s*=\s*'(\d{1})';", res)[0]
                noMcastVlanFlt = re.findall("var\s*noMcastVlanFlt\s*=\s*'(\d{1})';", res)[0]
                # NOTE(review): nesting reconstructed. As written here
                # noMcastVlanFilterNat is never assigned when enblGponWan is
                # not '1', and req3 then raises NameError after req1/req2
                # have already been sent.
                if enblGponWan == '1':
                    if noMcastVlanFlt == '1':
                        noMcastVlanFilterNat = 1
                    else:
                        noMcastVlanFilterNat = 0
                # Both branches assign the same pppLocalIpAddress.
                if enblIpAddr == '1' and cfgL2tpAc != '1':
                    useStaticIpAddress = 1
                    pppLocalIpAddress = localIpAddr
                else:
                    useStaticIpAddress = 0
                    pppLocalIpAddress = localIpAddr
                req3 = "/tempstore.cgi?serviceId=1&wanL2IfName=veip0&wanIdx=2&enblEnetWan=0&ntwkPrtcl=12&enVlanMux=1&vlanMuxId=11&vlanMuxPr=0&vlanTpid=33024&enblIpVer=0&serviceName=pppoe_veip0&pppUserName={0}&pppPassword={1}&pppMTU={2}&enblOnDemand={3}&pppTimeOut={4}&useStaticIpAddress={5}&pppLocalIpAddress={6}&pppIpExtension={7}&enblNat={8}&enblFullcone={9}&enblFirewall={10}&pppAuthMethod={11}&pppAuthErrorRetry={12}&enblPppDebug={13}&pppToBridge=0&enblIgmp={14}&noMcastVlanFilter={15}&defaultGatewayList={16}&dnsIfcsList={16}&dnsPrimary=0.0.0.0&dnsSecondary=0.0.0.0&dnsRefresh=0".format(ppp_user, ppp_password, ppp_mtu, enblOnDemand, pppTimeOut, useStaticIpAddress, pppLocalIpAddress, 0, enblNatppp, enblFullconeNat, enblFirewall, authMethod, pppAuthErrorRetry, enblPppDebug, enblIgmp, noMcastVlanFilterNat, i)
                c.get(url + req3)
                req4 = "/wancfg.cmd?action=add&ifname=veip0&wanIdx=2&connMode=1"
                # The only request with a timeout; its failure is ignored, so
                # the success message below does not show the change applied.
                try:
                    c.get(url + req4, timeout = 3)
                except:
                    pass
                print "Successfully enable firewall"
                # Writes "<host>|<ppp_user>" to the success log.
                log_success("{}|{}".format(url, ppp_user))
            print "+-----------------+\n"
    except Exception as e:
        # Any failure above lands here after earlier steps (password change
        # included) have already been applied; the device is left partly
        # configured and only the message is logged.
        print "[!] Error: {}".format(str(e))
        # NOTE(review): `ip` is not a parameter; this reads the global set
        # by the main loop and raises NameError if do_config is called from
        # anywhere else.
        log_error("{}: {}".format(ip, str(e)))
        print "+-----------------+\n"
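if __name__ == "__main__":
    # Command-line entry point: argv[1] names a file holding one IP address
    # or URL per line. Each entry that answers and looks like an iGate GPON
    # ONT is handed to do_config.
    #
    # Changes from the original:
    #   * the device check tested only "GPON ONT" (`"iGate" and ...` is
    #     always true on the left), so non-iGate devices were also sent
    #     login attempts and configuration requests;
    #   * whitespace is stripped before the trailing "/", which previously
    #     survived because the newline came last;
    #   * the new password is read with getpass so it is not echoed;
    #   * the input file is closed, and blank lines are skipped;
    #   * the unused module-level `credentials` list is gone (do_config
    #     defines its own).
    import getpass

    if len(sys.argv) == 1:
        print("[!] Please specific file that contain ip to config")
        sys.exit(1)
    with open(sys.argv[1]) as ips:
        try:
            # new_pass stays a module-level name: do_config reads it via `global`.
            new_pass = getpass.getpass("Input new password, press [Enter] if you want to use the default: ")
            if new_pass == "":
                new_pass = DEFAULT_PWD
            for ip in ips:
                ip = ip.strip().strip('/')
                if not ip:
                    continue
                if not is_ip(ip) and not is_url(ip):
                    print("[!] {} is not an valid IP address/url".format(ip))
                    continue
                # Bare addresses are contacted over plain http://.
                url = ip if is_url(ip) else 'http://' + ip
                print("Trying: {}".format(url))
                try:
                    res = requests.get(url, timeout=3).content
                except Exception as e:
                    print("[!] Error: {}".format(str(e)))
                    print("[i] Skipping...")
                    print("+-----------------+\n")
                    log_error("{}: {}".format(ip, str(e)))
                    continue
                # Require both markers before touching the device.
                # NOTE(review): .content is bytes on Python 3; this file
                # targets Python 2, where it is str.
                if "iGate" in res and "GPON ONT" in res:
                    do_config(url)
                else:
                    print("[!] {} is not using ONU GPON iGate, skipping...".format(url))
                    print("+-----------------+\n")
                    log_error("{}: Not GPON igate".format(ip))
        except KeyboardInterrupt:
            print("[i] Canceled by user, exitting...")
            sys.exit()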