still work in progress...restructured some of the code

README.md

@@ -30,6 +30,9 @@ https://github.com/Z3po/Netgearizer (We are merging code together.)
 * Svenne Krap
 * Sven Anders
 
+# Contributors
+* Sebastian Cabrera <[email protected]>
+
 See also: http://git.asbjorn.biz/?p=gs105e.git;a=summary
 
 It would be nice if you pay attribution to this project if you use this code.

psl-cli.py

@@ -12,23 +12,16 @@
 
 def discover(args, switch):
     "Search for Switches"
-    dhcpstr = ""
     print "Searching for ProSafe Plus Switches ...\n"
     data = switch.discover()
-    if (data[switch.CMD_DHCP]):
-        dhcpstr = " DHCP=on"
-    print " * %s\t%s\t%s\t%s\t%s" % (data[switch.CMD_MAC],
-                                     data[switch.CMD_IP],
-                                     data[switch.CMD_MODEL],
-                                     data[switch.CMD_NAME],
-                                     dhcpstr)
-
-
+    for entry in data.keys():
+        print entry.get_name() + ': ' + data[entry]
+    print ''
 # pylint: enable=W0613
 
 def exploit(args, switch):
     "exploit in current (2012) fw, can set a a new password"
-    switch.passwd_exploit(args.mac[0], args.new_password[0], switch.transfunc)
+    switch.passwd_exploit(args.mac[0], args.new_password[0], 'transfunc')
 
 def set_switch(args, switch):
     "Set values on switch"
@@ -69,15 +62,15 @@ def set_switch(args, switch):
             return
 
     print "Changing Values..\n"
-    switch.transmit(cmds, args.mac[0], switch.transfunc)
+    switch.transmit(cmds, args.mac[0], 'transfunc')
 
 
 def query(args, switch):
     "query values form the switch"
     print "Query Values..\n"
     if not(args.passwd == None):
         login = {switch.CMD_PASSWORD: args.passwd[0]}
-        switch.transmit(login, args.mac[0], switch.transfunc)
+        switch.transmit(login, args.mac[0], 'transfunc')
     query_cmd = []
     for qarg in args.query:
         if qarg == "all":
@@ -87,7 +80,7 @@ def query(args, switch):
                     query_cmd.append(k)
         else:
             query_cmd.append(switch.get_cmd_by_name(qarg))
-    switch.query(query_cmd, args.mac[0], switch.storefunc)
+    switch.query(query_cmd, args.mac[0], 'storefunc')
     for key in switch.outdata.keys():
         if isinstance(key, psl_typ.PslTyp):
             key.print_result(switch.outdata[key])
@@ -101,13 +94,13 @@ def query_raw(args, switch):
     print "QUERY DEBUG RAW"
     if not(args.passwd == None):
         login = {switch.CMD_PASSWORD: args.passwd[0]}
-        switch.transmit(login, args.mac[0], switch.transfunc)
+        switch.transmit(login, args.mac[0], 'transfunc')
     i = 0x0001
     while (i < ProSafeLinux.CMD_END.get_id()):
         query_cmd = []
         query_cmd.append(psl_typ.PslTypHex(i, "Command %d" % i))
         try:
-            switch.query(query_cmd, args.mac[0], switch.rec_raw)
+            switch.query(query_cmd, args.mac[0], 'rec_raw')
             found = None
             for qcmd in switch.outdata.keys():
                 if (isinstance(qcmd, psl_typ.PslTyp)):

psl-cmd.py

@@ -7,6 +7,8 @@
 
 class NetgearCMD(cmd.Cmd): # {{{
     switch = ProSafeLinux()
+    selectedswitch = {}
+    discovereddata = {}
 
     def __splitLine(self,argumentcount,line): # {{{
         splitline = line.split()
@@ -32,21 +34,41 @@ def do_discover(self, line): # {{{
             iface = 'eth0'
         self.switch.bind(iface)
         data = self.switch.discover()
-        if (data[self.switch.CMD_DHCP]):
-            dhcpstr = " DHCP=on"
-        print " * %s\t%s\t%s\t%s\t%s" % (data[self.switch.CMD_MAC],
-                                         data[self.switch.CMD_IP],
-                                         data[self.switch.CMD_MODEL],
-                                         data[self.switch.CMD_NAME],
-                                         dhcpstr)
+        self.discovereddata = data
+        for entry in data.keys():
+            print entry.get_name() + ': ' + data[entry]
+    # }}}
 
+    def do_selectSwitch(self, line): # {{{
+        '''Select a switch by IP you wanna use all through the session'''
+        switchip = self.__splitLine(1,line)
+        if switchip == None:
+            print 'Please give a IP'
+            return False
+        else:
+            if switchip == self.discovereddata[self.switch.CMD_IP]:
+                self.selectedswitch = { "ip" : self.discovereddata[self.switch.CMD_IP],
+                                        "mac" : self.discovereddata[self.switch.CMD_MAC] }
+            else:
+                print 'No valid ip given...'
+                return False
     # }}}
 
     def do_quit(self, line): # {{{
         '''Quit the Application'''
         return True
-    # }}}
     do_EOF = do_quit
+    # }}}
+
+    def do_exploitPassword(self, line): # {{{
+        '''Exploit the switches password and set a new one'''
+        newpass = self.__splitLine(1,line)
+        if newpass == None:
+            print 'Please give a new password'
+            return False
+        else:
+            self.switch.passwd_exploit(self.selectedswitch['mac'], newpass, 'transfunc')
+    # }}}
 
 # }}}
 

psl_class.py

@@ -80,7 +80,7 @@ class ProSafeLinux:
                                               0x4c00, "bandwith_in")
     CMD_BANDWITH_OUTGOING_LIMIT = psl_typ.PslTypBandwith(
                                               0x5000, "bandwith_out")
-    CMD_FIXME5400 = psl_typ.PslTypHex(0x5400, "fxime5400")
+    CMD_FIXME5400 = psl_typ.PslTypHex(0x5400, "fixme5400")
     CMD_BROADCAST_BANDWITH = psl_typ.PslTypBandwith(0x5800,
                  "broadcast_bandwith")
     CMD_PORT_MIRROR = psl_typ.PslTypPortMirror(0x5c00, "port_mirror")
@@ -145,15 +145,15 @@ def get_query_cmds(self):
         "return all commands which can be used in an query"
         rtn = []
         for cmd in self.cmd_by_name.values():
-            if cmd.is_queryable():
+            if cmd.is_queryable() and cmd.get_name()[0:5] != 'fixme':
                 rtn.append(cmd)
         return rtn
 
     def get_setable_cmds(self):
         "returns all commands which can be set"
         rtn = []
         for cmd in self.cmd_by_name.values():
-            if cmd.is_setable():
+            if cmd.is_setable() and cmd.get_name()[0:5] != 'fixme':
                 rtn.append(cmd)
         return rtn
 
@@ -175,25 +175,23 @@ def recv(self, recvfunc, maxlen=8192, timeout=0.005):
         if self.debug:
             print "recv=" + binascii.hexlify(message)
         if recvfunc is not None:
-            return recvfunc(message, address)
+            return getattr(self, recvfunc)(message, address)
         self.recv(recvfunc, maxlen, timeout)
 
     def parse_packet(self, pack, unknown_warn):
         "unpack package send by the switch"
-	if self.debug:
-	    pprint.pprint(len(pack[2:4])) 
         data = {}
         if struct.unpack(">H", pack[2:4])[0] != 0x0000:
-         data["error"] = struct.unpack(">H", pack[4:6])[0]
-#        data["seq"] = struct.unpack(">H", pack[22:24])[0]
-#        data["ctype"] = struct.unpack(">H", pack[0:2])[0]
-#        data["mymac"] = binascii.hexlify(pack[8:14])
-        data["theirmac"] = binascii.hexlify(pack[14:20])
+            data["error"] = struct.unpack(">H", pack[4:6])[0]
+#            data["seq"] = struct.unpack(">H", pack[22:24])[0]
+#            data["ctype"] = struct.unpack(">H", pack[0:2])[0]
+#            data["mymac"] = binascii.hexlify(pack[8:14])
+#            data["switchmac"] = binascii.hexlify(pack[14:20])
         pos = 32
         cmd_id = 0
         while (pos<len(pack)):
-	    if self.debug:
-	        print "pos:%d len: %d" %(pos,len(pack))
+            if self.debug:
+                print "pos:%d len: %d" %(pos,len(pack))
             cmd_id = struct.unpack(">H", pack[pos:(pos + 2)])[0]
             if cmd_id in self.cmd_by_id:
                 cmd = self.cmd_by_id[cmd_id]
@@ -210,7 +208,7 @@ def parse_packet(self, pack, unknown_warn):
                 value = None
             if cmd in data and value != None:
                 if type(data[cmd]) != type(list()):
-                    data[cmd] = [data[cmd]]
+                    data[cmd] += ' ' +[data[cmd]]
                 data[cmd].append(value)
             elif value != None:
                 data[cmd] = value
@@ -237,13 +235,12 @@ def storediscoverfunc(self, msg, adr):
 
     def transfunc(self, msg, adr):
         "analyse response, after transfer"
-        #print "==FOUND SWITCH=="
         data = self.parse_packet(msg, True)
         if self.debug:
             pprint.pprint(data)
-            if data["error"]:
+            if 'error' in data:
                 try:
-                    print "Error with " + self.cmd_by_id(self.outdata["error"])
+                    print "Error with " + self.cmd_by_id(data["error"])
                 except KeyError:
                     print "Unknown Error"
 
@@ -313,7 +310,7 @@ def ip_from_mac(self, mac):
         # for line in f:
         #   print line
         query_arr = [self.CMD_MAC, self.CMD_IP]
-        self.query(query_arr, mac, self.storediscoverfunc, use_ip_func=False)
+        self.query(query_arr, mac, 'storediscoverfunc', use_ip_func=False)
         if mac in self.mac_cache:
             return self.mac_cache[mac]
         print "cant find mac: " + mac
@@ -379,4 +376,4 @@ def discover(self):
                    self.CMD_MAC,
                    self.CMD_DHCP,
                    self.CMD_IP]
-        return self.query(query_arr, None, self.discoverfunc)
+        return self.query(query_arr, None, 'discoverfunc')

psl_typ.py

@@ -122,20 +122,21 @@ def pack_py(self, value):
             return struct.pack(">b", 0x00)
 
     def unpack_py(self, value):
+        if (self.unpack_cmd(value)):
+            return "on"
+        else:
+            return "off"
+
+    def pack_cmd(self, value):
+        return self.pack_py(value.lowercase == "on")
+
+    def unpack_cmd(self, value):
 	if len(value)==1:
             numval = struct.unpack(">b", value)[0]
 	else:
 	    numval = struct.unpack(">h",value)[0]
         return (numval == 0x01)
 
-    def pack_cmd(self, value):
-        return self.pack_py(value.lowercase == "on")
-
-    def unpack_cmd(self, value):
-        if (self.unpack_py(value)):
-            return "on"
-        else:
-            return "off"
 
     def is_setable(self):
         return True

test-psl.sh

@@ -1,16 +1,16 @@
 #!/bin/sh
 
 NAME=name$(date +%s)
-./psl.py --interface $INTERFACE discover
-./psl.py --interface $INTERFACE query --mac $MAC all
-./psl.py --interface $INTERFACE set --mac $MAC --passwd $PW --name $NAME
-./psl.py --interface $INTERFACE discover |grep $NAME
+./psl-cli.py --interface $INTERFACE discover
+./psl-cli.py --interface $INTERFACE query --mac $MAC all
+./psl-cli.py --interface $INTERFACE set --mac $MAC --passwd $PW --name $NAME
+./psl-cli.py --interface $INTERFACE discover |grep $NAME
 if [ "$?" != "0" ] ; then 
     echo "Name not set!"
 fi
-./psl.py --interface $INTERFACE set --mac $MAC --passwd $PW --dhcp off --ip 192.168.11.117 --netmask 255.255.255.0 --gateway 192.168.11.2
-./psl.py --interface $INTERFACE query --mac $MAC dhcp ip gateway netmask
-./psl.py --interface $INTERFACE set --mac $MAC --passwd $PW --dhcp off --ip 192.168.11.116 --netmask 255.255.255.0 --gateway 192.168.11.1
-./psl.py --interface $INTERFACE query --mac $MAC dhcp ip gateway netmask
-./psl.py --interface $INTERFACE set --mac $MAC --passwd $PW --dhcp on
-./psl.py --interface $INTERFACE query --mac $MAC dhcp ip gateway netmask
+./psl-cli.py --interface $INTERFACE set --mac $MAC --passwd $PW --dhcp off --ip 192.168.11.117 --netmask 255.255.255.0 --gateway 192.168.11.2
+./psl-cli.py --interface $INTERFACE query --mac $MAC dhcp ip gateway netmask
+./psl-cli.py --interface $INTERFACE set --mac $MAC --passwd $PW --dhcp off --ip 192.168.11.116 --netmask 255.255.255.0 --gateway 192.168.11.1
+./psl-cli.py --interface $INTERFACE query --mac $MAC dhcp ip gateway netmask
+./psl-cli.py --interface $INTERFACE set --mac $MAC --passwd $PW --dhcp on
+./psl-cli.py --interface $INTERFACE query --mac $MAC dhcp ip gateway netmask