Full Disclosure mailing list archives
Billion Router 7700NR4 Remote Root Command Execution
From: Rio Sherri <rio.sherri () fshnstudent info>
Date: Thu, 6 Oct 2016 21:11:31 +0200
# Title : Billion Router 7700NR4 Remote Root Command Execution # Date : 06/10/2016 # Author : R-73eN # Tested on: Billion Router 7700NR4 # Vendor : http://www.billion.com/ # Vulnerability Description: # This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users. # The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these # credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password. # Using that password we can login to telnet server and use a shell escape to get a reverse root connection. # You must change host with the target and reverse_ip with your attacking ip. # Fix: # The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables. # Exploit attached.
Attachment:
billion_router_rce.py
Description:
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Billion Router 7700NR4 Remote Root Command Execution Rio Sherri (Oct 11)