Directory Traversal in MikroTik RouterOS WinBox
CVE-2018-14847 is a directory traversal vulnerability in the WinBox management interface of MikroTik RouterOS affecting RouterOS through 6.42, and more specifically firmware versions prior to 6.42.7 and 6.40.9 per the cited advisories. The flaw allows an unauthenticated remote attacker to bypass authentication and read arbitrary files by modifying a request and changing one byte related to a Session ID. Public reporting and vendor-adjacent analysis indicate the issue can be used to retrieve sensitive files such as the user database containing administrator credentials. Subsequent research demonstrated that, although the core bug is an arbitrary file-read/authentication-bypass condition, it can be chained with credential recovery and file write actions to obtain remote code execution and a root shell on affected devices.
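An added inventory check, not code from the page or from any advisory it cites: it encodes the version boundaries this page states (fixed in 6.42.7 and 6.40.9, affected from 6.29, beta builds through 6.43rc3) so an asset list can be filtered for hosts still exposed. The inventory and its addresses are constructed for the example.

```python
import re

# Version boundaries as stated on this page: fixed in 6.42.7 (current) and
# 6.40.9 (long-term); affected from 6.29 up, and beta builds up to 6.43rc3.
FIRST_AFFECTED = (6, 29, 0)
FIXED_CURRENT = (6, 42, 7)
FIXED_LONGTERM = (6, 40, 9)
LAST_AFFECTED_RC = (6, 43, 3)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")

def parse_version(text):
    """Parse '6.42.6', '6.43' or '6.43rc3' into (major, minor, patch, rc); rc is None if final."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised RouterOS version: %r" % text)
    major, minor, patch, rc = match.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)

def is_exposed(text):
    """True if the version falls inside the affected ranges stated on the page."""
    major, minor, patch, rc = parse_version(text)
    if rc is not None:
        # Release candidates: 6.29rc1 through 6.43rc3 are listed as affected.
        return FIRST_AFFECTED <= (major, minor, 0) and (major, minor, rc) <= LAST_AFFECTED_RC
    version = (major, minor, patch)
    if version < FIRST_AFFECTED:
        return False
    if (major, minor) == (6, 40):
        return version < FIXED_LONGTERM   # long-term line was patched separately
    # Every other line from 6.29 to 6.42.x counts as exposed until 6.42.7,
    # the only other fixed release the page names.
    return version < FIXED_CURRENT

def exposed_hosts(inventory):
    """Filter (host, version) pairs down to those still exposed."""
    return [(host, ver) for host, ver in inventory if is_exposed(ver)]

# Constructed inventory for demonstration; addresses are from documentation ranges.
SAMPLE_INVENTORY = [
    ("192.0.2.1", "6.42.6"), ("192.0.2.2", "6.42.7"), ("192.0.2.3", "6.40.8"),
    ("192.0.2.4", "6.43rc3"), ("192.0.2.5", "6.43"), ("192.0.2.6", "6.28.1"),
]

if __name__ == "__main__":
    for host, ver in exposed_hosts(SAMPLE_INVENTORY):
        print("%s runs RouterOS %s: exposed to CVE-2018-14847" % (host, ver))
```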
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single standalone Python exploit script and a README. The main file, cve_2018_14847.py, implements an unauthenticated network exploit for CVE-2018-14847 against MikroTik RouterOS Winbox. It uses raw TCP sockets to connect to the target Winbox service, sends a first hardcoded M2 protocol payload containing a traversal path to request /flash/rw/store/user.dat, extracts a session ID from byte offset 38 of the response, injects that ID into a second hardcoded payload, and retrieves the file contents. The script then parses M2-formatted records from the returned data, extracts username and encrypted password fields, and decrypts passwords using the known RouterOS XOR scheme derived from MD5(username + fixed salt 283i4jfkai3389). Successful exploitation yields plaintext credentials, which are printed and saved locally. The repository is small, purpose-built, and clearly intended for credential dumping from vulnerable MikroTik devices rather than detection only.
This repository is a small standalone exploit project for CVE-2018-14847 affecting MikroTik RouterOS. It contains 4 files total: a Python exploit script under Exploit/, a README, a GPL license, and a .gitignore. The only code file and clear entry point is Exploit/Exploit_CVE_2018_14847.py. The exploit is a real unauthenticated network exploit, not a detector. It manually implements MikroTik's proprietary Winbox M2 protocol over TCP and sends two crafted packets: first an open-file request to the Winbox filesystem handler, then a read-file request using the returned session ID. The open request contains a path traversal string that escapes the intended directory boundary and accesses /flash/rw/store/user.dat, the RouterOS credential database. After receiving the file contents, the script parses nv::message-style records and decrypts stored passwords using a static MD5-derived XOR scheme based on the username and hardcoded salt 283i4jfkai3389. Primary capability: remote unauthenticated credential extraction from vulnerable MikroTik routers. The script does not itself write files or spawn a shell, so it is best classified as OPERATIONAL rather than weaponized; however, the recovered credentials can directly enable administrative access. The README also documents post-exploitation possibilities involving the hidden developer login by creating /pckg/option and /flash/nova/etc/devel-login, but those actions are described rather than implemented in the provided code. Fingerprintable targets and observables include the Winbox TCP service on port 8291, the internal Winbox filesystem handler (sys=5, handler=0), and the traversal target path /////./..//////./..//////./../flash/rw/store/user.dat. Overall, the repository's purpose is to provide a documented Python reimplementation of the known MikroTik Winbox path traversal exploit for extracting and decrypting RouterOS credentials.
This repository is a Python proof-of-concept exploit for CVE-2018-14847, a critical vulnerability in MikroTik RouterOS's WinBox service. The main script, T4.py, allows the user to scan a single IP or multiple IPs (from targets.txt) for the vulnerability. It checks if the WinBox port (default 8291) is open, sends specially crafted packets to exploit the vulnerability, and attempts to read the /flash/rw/store/user.dat file, which contains user credentials. The extract_user.py module is responsible for parsing and decrypting the credentials from the extracted file data. The exploit outputs plaintext usernames and passwords if successful. The repository includes a README with usage instructions, a LICENSE, and a sample targets.txt file. The exploit is network-based, targeting TCP port 8291, and is specifically designed for MikroTik RouterOS devices vulnerable to CVE-2018-14847.
This repository provides a Python proof-of-concept exploit for CVE-2018-14847, a directory traversal vulnerability in MikroTik RouterOS (up to version 6.42) via the WinBox service (default TCP port 8291). The main file, CVE-2018-14847.py, implements the exploit logic: it crafts and sends specific WinBox protocol packets to the target, exploiting improper input validation to read arbitrary files from the router's filesystem. The exploit specifically targets the 'flash/rw/store/user.dat' file, which contains user credentials, and includes logic to decrypt the extracted passwords. The script supports both single-target and multi-target modes (via a file of IPs) and uses multithreading for efficiency. The repository also includes a README.md with background and usage information, and a requirements.txt listing Python dependencies. The exploit is a functional PoC, not weaponized, and is intended for research and educational purposes.
This repository is an automated exploit for CVE-2018-14847, targeting MikroTik RouterOS devices vulnerable via the Winbox service on TCP port 8291. The main script, 'MikroRoot.py', uses the Shodan API to search for publicly accessible MikroTik routers, then attempts to exploit each found device by sending crafted binary payloads to port 8291. Upon successful exploitation, it extracts the user database and passes the data to 'extract_user.py', which parses and decrypts the usernames and passwords using a known static key. The exploit outputs the credentials and IP address of each compromised router. The repository consists of two main Python scripts: 'MikroRoot.py' (the orchestrator and exploit logic) and 'extract_user.py' (handles credential extraction and decryption). The README provides usage instructions and references the original vulnerability. No hardcoded endpoints are present, but the exploit targets any IP found via Shodan with an open Winbox port. The exploit is operational, requiring only a Shodan API key and Python 3 to run.
This repository provides a proof-of-concept exploit for CVE-2018-14847, a critical vulnerability in Mikrotik RouterOS (WinBox service) that allows unauthenticated remote attackers to read arbitrary files, including those containing plaintext credentials. The repository contains several Python scripts:
- WinboxExploit.py: The main exploit script for targeting the WinBox TCP service (default port 8291) on a Mikrotik device. It crafts and sends specific packets to exploit the vulnerability, retrieves the user.dat file, and uses extract_user.py to decrypt and display usernames and passwords.
- MACServerExploit.py: Exploits the same vulnerability over the MAC-based (Layer 2) WinBox protocol, allowing exploitation even if the device does not have an IP address, as long as it is on the same local network segment.
- MACServerDiscover.py: A discovery tool that broadcasts on UDP port 5678 to find Mikrotik devices (MAC servers) on the local network.
- extract_user.py: Contains logic to decrypt and extract user credentials from the user.dat file obtained from the exploit.
- push.sh: A simple git helper script (not related to exploitation).
The exploit scripts require Python 3 and target Mikrotik RouterOS versions from 2015-05-28 to 2018-04-20. The README provides detailed usage instructions, affected versions, and mitigation advice. The main attack vectors are network-based (TCP/8291) and local network (UDP/20561, UDP/5678) for MAC-based exploitation and device discovery. No hardcoded IPs or domains are present, but the scripts interact with broadcast addresses and specific service ports.
This repository provides a set of Python scripts to exploit the Mikrotik RouterOS Winbox vulnerability (CVE-2018-14847). The exploit targets vulnerable Mikrotik routers by either IP (using the Winbox service on TCP port 8291) or by MAC address (using the MAC server protocol over UDP). The main scripts are:
- WinboxExploit.py: Exploits the Winbox service via TCP/IP to extract and decrypt user credentials from the router.
- MACServerDiscover.py: Scans the local network for Mikrotik devices by broadcasting on UDP port 5678 and lists their MAC addresses.
- MACServerExploit.py: Exploits the router via the MAC server protocol (UDP/20561) using the discovered MAC address to extract credentials.
- extract_user.py: Contains logic to decrypt the extracted user credentials from the router's response.
The exploit works by sending specially crafted binary packets to the target service, receiving a response containing encrypted credentials, and then decrypting them using a static key. The README provides detailed usage instructions, affected versions, and mitigation advice. The repository is a functional proof-of-concept exploit, not just a detection script, and is operational with working payloads for credential extraction.
This repository provides a proof-of-concept exploit for CVE-2018-14847, a critical vulnerability in Mikrotik RouterOS (WinBox service) that allows unauthenticated attackers to read arbitrary files, including those containing plaintext user credentials. The repository contains several Python scripts:
- WinboxExploit.py: Main exploit script for targeting devices via TCP/IP (WinBox service, default port 8291). It crafts and sends protocol-specific packets to extract and decrypt user credentials.
- MACServerExploit.py: Exploits the same vulnerability over the MAC server (Layer 2), allowing attacks even if the device lacks an IP address. It communicates over UDP port 20561 using the device's MAC address.
- MACServerDiscover.py: Discovers Mikrotik devices on the local network by broadcasting on UDP port 5678 and listing their MAC addresses.
- extract_user.py: Contains logic to decrypt and extract usernames and passwords from the data returned by the exploit scripts.
The exploit is effective against Mikrotik RouterOS versions released between 2015-05-28 and 2018-04-20, specifically versions 6.29-6.42 (stable), 6.30.1-6.40.7 (longterm), and 6.29rc1-6.43rc3 (beta). The exploit does not require authentication and provides plaintext credentials if successful. The repository is structured for ease of use, with each script serving a distinct role in the exploitation process.
This repository provides a proof-of-concept exploit for CVE-2018-14847, a critical vulnerability in Mikrotik RouterOS (Winbox service) that allows unauthenticated remote file read, exposing plaintext user credentials. The repository contains four main Python scripts:
- WinboxExploit.py: Exploits the Winbox service over TCP/IP (default port 8291) to extract and decrypt user credentials from vulnerable Mikrotik devices.
- MACServerExploit.py: Exploits the same vulnerability over Layer 2 (MAC server) using UDP (port 20561), allowing exploitation even if the device lacks an IP address.
- MACServerDiscover.py: Discovers Mikrotik devices on the local network via UDP broadcast (port 5678).
- extract_user.py: Contains logic to decrypt and extract usernames and passwords from the data returned by the exploits.
The exploit works by sending specially crafted binary packets to the target service, leveraging the vulnerability to read sensitive files and extract user credentials. The README provides detailed usage instructions, affected versions, and mitigation advice. No fake or destructive code is present; the repository is a functional proof-of-concept for research and testing purposes.
This repository is a C# implementation of an exploit for the MikroTik Winbox directory traversal vulnerability (CVE-2018-14847). The solution consists of two main projects: a core library (MST.MikroTik.WinboxExploit) containing the exploit logic, and a WPF GUI application (MST.MikroTik.WinboxExploit.WinApp) that provides a user interface for entering the target IP address and port. The exploit works by sending specially crafted TCP packets to the Winbox service (default port 8291) on the target device, exploiting the vulnerability to retrieve and decrypt user credentials. The GUI allows the user to specify the target and displays the extracted usernames and passwords. The code is operational and provides a working exploit for affected MikroTik RouterOS devices. No hardcoded payloads or shell access is provided; the exploit is focused on credential extraction.
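An added detection example that belongs to none of the repositories described above: it scores decoded Winbox file-handler requests against the observables those descriptions list (TCP 8291 and MAC-Winbox UDP 20561, the filesystem handler sys=5/handler=0, the traversal path into /flash/rw/store). The request records and their `authenticated` field (whether a login completed earlier on that connection) are constructed for the example; decoding real M2 framing is out of scope.

```python
# Observables named in the exploit descriptions on this page.
WINBOX_TCP_PORT = 8291
MAC_WINBOX_UDP_PORT = 20561
FILE_HANDLER = (5, 0)                  # sys=5, handler=0: the Winbox filesystem handler
CREDENTIAL_STORE = "/flash/rw/store/"  # directory holding user.dat

def normalize_path(path):
    """Resolve '.', '..' and repeated '/' as the target filesystem would; return (clean_path, escapes).
    Working on the resolved path is indifferent to the '/./..//////' padding runs seen on this page."""
    stack, escapes = [], 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            escapes += 1
            if stack:
                stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack), escapes

def classify(request):
    """List the reasons a decoded Winbox file request looks like CVE-2018-14847 abuse."""
    reasons = []
    if (request["sys"], request["handler"]) != FILE_HANDLER:
        return reasons
    clean, escapes = normalize_path(request["path"])
    if not request["authenticated"]:
        reasons.append("file handler reached before any login completed")
    if escapes:
        reasons.append("path escapes %d directories upward" % escapes)
    if clean.startswith(CREDENTIAL_STORE):
        reasons.append("path resolves to credential store: " + clean)
    return reasons

def scan(requests):
    """Return (source, vector, reasons) for every request that classify() flags."""
    vectors = {WINBOX_TCP_PORT: "tcp/8291", MAC_WINBOX_UDP_PORT: "udp/20561"}
    checked = [(r, classify(r)) for r in requests]
    return [(r["src"], vectors.get(r["dst_port"], "other"), why) for r, why in checked if why]

# Constructed records standing in for decoded Winbox M2 requests (a real sensor must
# decode the framing first, not shown). TRAVERSAL is the string quoted on this page.
TRAVERSAL = "/////./..//////./..//////./../flash/rw/store/user.dat"
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "dst_port": 8291, "sys": 5, "handler": 0, "authenticated": False, "path": TRAVERSAL},
    {"src": "198.51.100.4", "dst_port": 20561, "sys": 5, "handler": 0, "authenticated": False, "path": TRAVERSAL},
    {"src": "192.0.2.10", "dst_port": 8291, "sys": 5, "handler": 0, "authenticated": True, "path": "backup.rsc"},
    {"src": "192.0.2.11", "dst_port": 8291, "sys": 2, "handler": 0, "authenticated": False, "path": ""},
]
```

Running `scan(SAMPLE_REQUESTS)` flags the two unauthenticated traversal requests, one per transport, and leaves the authenticated backup read and the non-file-handler request alone.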
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A MikroTik RouterOS/Winbox directory traversal and authentication-bypass flaw that enables arbitrary file read; Tenable demonstrated a chained technique turning it into practical remote code execution with root shell on vulnerable routers.
An authentication bypass in MikroTik RouterOS that allows unauthenticated remote attackers to read arbitrary files by manipulating a Session ID byte.