Question

I have forgotten the password to my D-Link DCS-930L IP camera. After searching online, I came across an authentication bypass vulnerability as detailed here.

I was able to obtain the encoded configuration file (which contains the admin password).

However, I am having issues getting the Python script (which decodes the configuration file) to work. This is what I have so far:

#!/usr/bin/python


# 'data' holds the content of the obfuscated configuration file

data1 = open('/root/Desktop/data', 'r')
data = data1.readlines()


def deobfuscate(data):
    r = []
    for c in data:
        c = ord(c)
        c = (c + ord('y')) & 0xff
        c = (c ^ ord('Z')) & 0xff
        c = (c - ord('e')) & 0xff
        r.append(c)
    tmp = None
    i = len(r) - 1
    while i >= 0:
        if i == len(r) - 1:
            x = r[i]
            tmp = ((x & 7) << 5) & 0xff

        if i == 0:
            assert tmp is not None
            x = r[0]
            x = (x >> 3) & 0xff
            x = (x + tmp) & 0xff
            r[0] = x
        else:
            c1 = r[i-1]
            c2 = r[i]
            c1 = c1 & 0x7
            c2 = (c2 >> 3) & 0xff
            c1 = (c1 << 5) & 0xff
            c2 = (c2 + c1) & 0xff
            r[i] = c2
        i = i - 1

    r = "".join([chr(x) for x in r])

    s = ""
    assert (len(r) % 2) == 0
    for i in range(len(r)/2):
        s += r[i+(len(r)/2)] + r[i]

    return s
    print s


deobfuscate(data)

Every time I run the script, there is no output. At this point, I am not sure if the script is running properly, and I just have a printing issue, or if the script had larger issues.

Any assistance is greatly appreciated.


Solution 2

Another problem: it looks like you are reading the file as a list of strings (data1.readlines()), but the deobfuscate function expects a single string.

Your code should be:

INPUT = '/root/Desktop/data'

def deobfuscate(data):
    r = []
    for c in data:
        c = ord(c)
        c = (c + ord('y')) & 0xff
        c = (c ^ ord('Z')) & 0xff
        c = (c - ord('e')) & 0xff
        r.append(c)
    tmp = None
    i = len(r) - 1
    while i >= 0:
        if i == len(r) - 1:
            x = r[i]
            tmp = ((x & 7) << 5) & 0xff

        if i == 0:
            assert tmp is not None
            x = r[0]
            x = (x >> 3) & 0xff
            x = (x + tmp) & 0xff
            r[0] = x
        else:
            c1 = r[i-1]
            c2 = r[i]
            c1 = c1 & 0x7
            c2 = (c2 >> 3) & 0xff
            c1 = (c1 << 5) & 0xff
            c2 = (c2 + c1) & 0xff
            r[i] = c2
        i = i - 1

    r = "".join([chr(x) for x in r])

    s = ""
    assert (len(r) % 2) == 0
    for i in range(len(r)/2):
        s += r[i+(len(r)/2)] + r[i]

    return s

def main():
    with open(INPUT) as inf:
        data = inf.read()

    print(deobfuscate(data))

if __name__=="__main__":
    main()

... actually, some of the code in deobfuscate should be cleaned up, but without data to test against, I don't want to poke at it too much.

OTHER TIPS

The problem is that the return statement is always the last thing executed in a method. Anything after the return statement won't happen.

Switch:

return s
print s

to:

print s
return s

Or you could print the return value of the method:

print deobfuscate(data)
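
Added example, not part of the original question or answers: a Python 3 port of the `deobfuscate()` routine above that works on bytes read in binary mode, with a round-trip self-check standing in for the test data the answer lacked. The `obfuscate()` inverse and `SAMPLE` are constructed here for that check and are assumptions, not taken from the camera or its firmware.

```python
#!/usr/bin/env python3
# Python 3 port of the page's deobfuscate(); input must be bytes, e.g.
# open(path, "rb").read(), so no newline translation or decoding occurs.
ADD, XOR, SUB = ord("y"), ord("Z"), ord("e")  # constants from the original script

# Constructed sample text (even length); not a real camera configuration.
SAMPLE = b"key=value\nname=constructed-sample\n"


def deobfuscate(data: bytes) -> bytes:
    n = len(data)
    if n % 2:
        raise ValueError("odd length: truncated file or stray trailing byte")
    # Stage 1: per-byte add, xor, subtract, each modulo 256.
    r = [((((c + ADD) & 0xFF) ^ XOR) - SUB) & 0xFF for c in data]
    # Stage 2: rotate the whole buffer right by 3 bits. Byte i takes its top
    # three bits from byte i-1; r[-1] wraps to the last byte when i == 0.
    r = [(r[i] >> 3) | ((r[i - 1] & 7) << 5) for i in range(n)]
    # Stage 3: interleave the second half of the buffer with the first half.
    half = n // 2
    out = bytearray()
    for i in range(half):
        out += bytes((r[i + half], r[i]))
    return bytes(out)


def obfuscate(plain: bytes) -> bytes:
    """Inverse of deobfuscate(), derived here only to build test input."""
    n = len(plain)
    if n % 2:
        raise ValueError("plain text must have even length")
    r = list(plain[1::2] + plain[0::2])  # undo stage 3
    # Undo stage 2: rotate the whole buffer left by 3 bits.
    r = [((r[i] << 3) & 0xFF) | (r[(i + 1) % n] >> 5) for i in range(n)]
    # Undo stage 1: reverse the subtract, xor, add sequence.
    return bytes(((((c + SUB) & 0xFF) ^ XOR) - ADD) & 0xFF for c in r)


if __name__ == "__main__":
    blob = obfuscate(SAMPLE)
    assert deobfuscate(blob) == SAMPLE  # round trip on constructed data
    print(deobfuscate(blob).decode("ascii"), end="")
```

The three stages use no key, so the transformation is reversible by anyone holding the file; it is obfuscation, not encryption.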
Licensed under: CC-BY-SA with attribution