j8MJHSTF

· 7 years ago · Aug 08, 2018, 04:12 PM
1import sys
2import socket
3import array
4from optparse import OptionParser
5from Crypto.Cipher import Blowfish
6from Crypto.Hash import MD5
7
8TELNET_PORT = 23
9
10# The version of Blowfish supplied for the telenetenable.c implementation
11# assumes Big-Endian data, but the code does nothing to convert the
12# little-endian stuff it's getting on intel to Big-Endian
13#
14# So, since Crypto.Cipher.Blowfish seems to assume native endianness, we need
15# to byteswap our buffer before and after encrypting it
16#
17# This helper does the byteswapping on the string buffer
18def ByteSwap(data):
19  a = array.array('i')
20  if(a.itemsize < 4):
21    a = array.array('L')
22  
23  if(a.itemsize != 4):
24    print "Need a type that is 4 bytes on your platform so we can fix the data!"
25    exit(1)
26
27  a.fromstring(data)
28  a.byteswap()
29  return a.tostring()
30
31def GeneratePayload(mac, username, password=""):
32  # Pad the input correctly
33  assert(len(mac) < 0x10)
34  just_mac = mac.ljust(0x10, "\x00")
35
36  assert(len(username) <= 0x10)
37  just_username = username.ljust(0x10, "\x00")
38  
39  assert(len(password) <= 0x10)
40  just_password = password.ljust(0x10, "\x00")
41
42  cleartext = (just_mac + just_username + just_password).ljust(0x70, '\x00')
43  md5_key = MD5.new(cleartext).digest()
44
45  payload = ByteSwap((md5_key + cleartext).ljust(0x80, "\x00"))
46  
47  secret_key = "AMBIT_TELNET_ENABLE+" + password
48
49  return ByteSwap(Blowfish.new(secret_key, 1).encrypt(payload))
50
51
52def SendPayload(ip, payload):
53  for res in socket.getaddrinfo(ip, TELNET_PORT, socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP):
54    af, socktype, proto, canonname, sa = res
55    try:
56      s = socket.socket(af, socktype, proto)
57    except socket.error, msg:
58      s = None
59      continue
60
61    try:
62      s.connect(sa)
63    except socket.error, msg:
64      s.close()
65      s= None
66      continue
67    break
68
69  if s is None:
70    print "Could not connect to '%s:%d'" % (ip, TELNET_PORT)
71  else:
72    s.send(payload)
73    s.close()
74    print "Sent telnet enable payload to '%s:%d'" % (ip, TELNET_PORT)
75  
76def main():
77  args = sys.argv[1:]
78  if len(args) < 3 or len(args) > 4:
79    print "usage: python telnetenable.py <ip> <mac> <username> [<password>]"
80
81  ip = args[0]
82  mac = args[1]
83  username = args[2]
84
85  password = ""
86  if len(args) == 4:
87    password = args[3]
88
89  payload = GeneratePayload(mac, username, password)
90  SendPayload(ip, payload)
91
92main()