API tools faq
paste
Guest User

Untitled

a guest
Aug 8th, 2018
122
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.32 KB | None | 0 0
raw download clone embed print report
  1. import sys
  2. import socket
  3. import array
  4. from optparse import OptionParser
  5. from Crypto.Cipher import Blowfish
  6. from Crypto.Hash import MD5
  7.  
  8. TELNET_PORT = 23
  9.  
  10. # The version of Blowfish supplied for the telenetenable.c implementation
  11. # assumes Big-Endian data, but the code does nothing to convert the
  12. # little-endian stuff it's getting on intel to Big-Endian
  13. #
  14. # So, since Crypto.Cipher.Blowfish seems to assume native endianness, we need
  15. # to byteswap our buffer before and after encrypting it
  16. #
  17. # This helper does the byteswapping on the string buffer
  18. def ByteSwap(data):
  19. a = array.array('i')
  20. if(a.itemsize < 4):
  21. a = array.array('L')
  22.  
  23. if(a.itemsize != 4):
  24. print "Need a type that is 4 bytes on your platform so we can fix the data!"
  25. exit(1)
  26.  
  27. a.fromstring(data)
  28. a.byteswap()
  29. return a.tostring()
  30.  
  31. def GeneratePayload(mac, username, password=""):
  32. # Pad the input correctly
  33. assert(len(mac) < 0x10)
  34. just_mac = mac.ljust(0x10, "\x00")
  35.  
  36. assert(len(username) <= 0x10)
  37. just_username = username.ljust(0x10, "\x00")
  38.  
  39. assert(len(password) <= 0x10)
  40. just_password = password.ljust(0x10, "\x00")
  41.  
  42. cleartext = (just_mac + just_username + just_password).ljust(0x70, '\x00')
  43. md5_key = MD5.new(cleartext).digest()
  44.  
  45. payload = ByteSwap((md5_key + cleartext).ljust(0x80, "\x00"))
  46.  
  47. secret_key = "AMBIT_TELNET_ENABLE+" + password
  48.  
  49. return ByteSwap(Blowfish.new(secret_key, 1).encrypt(payload))
  50.  
  51.  
  52. def SendPayload(ip, payload):
  53. for res in socket.getaddrinfo(ip, TELNET_PORT, socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP):
  54. af, socktype, proto, canonname, sa = res
  55. try:
  56. s = socket.socket(af, socktype, proto)
  57. except socket.error, msg:
  58. s = None
  59. continue
  60.  
  61. try:
  62. s.connect(sa)
  63. except socket.error, msg:
  64. s.close()
  65. s= None
  66. continue
  67. break
  68.  
  69. if s is None:
  70. print "Could not connect to '%s:%d'" % (ip, TELNET_PORT)
  71. else:
  72. s.send(payload)
  73. s.close()
  74. print "Sent telnet enable payload to '%s:%d'" % (ip, TELNET_PORT)
  75.  
  76. def main():
  77. args = sys.argv[1:]
  78. if len(args) < 3 or len(args) > 4:
  79. print "usage: python telnetenable.py <ip> <mac> <username> [<password>]"
  80.  
  81. ip = args[0]
  82. mac = args[1]
  83. username = args[2]
  84.  
  85. password = ""
  86. if len(args) == 4:
  87. password = args[3]
  88.  
  89. payload = GeneratePayload(mac, username, password)
  90. SendPayload(ip, payload)
  91.  
  92. main()
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!