Add exploits ZTE F660 Config Disclosure & ZTE F6XX Default root password #66

Merged on May 3, 2016 (8 commits)

@riswandans riswandans commented May 2, 2016

  • Add exploits ZTE F660 Config Disclosure
  • Add exploits ZTE F6XX Default root password

Example:

use exploits/zte/f660_config_disclosure
set target 36.79.119.10
exploit
use exploits/zte/f6xx_default_root
set target 36.74.22.122
exploit

riswandans changed the title from "Add exploits ZTE F660 config disclosure" to "Add exploits ZTE F660 Config Disclosure" on May 2, 2016
riswandans changed the title from "Add exploits ZTE F660 Config Disclosure" to "Add exploits ZTE F660 Config Disclosure & ZTE F6XX Default root password" on May 2, 2016

lucyoa commented May 2, 2016

@DevilScream Is there any reference to these vulnerabilities, or have you just found them?

Could you give some more information about these default credentials:

username = "root"
password = "Zte521"

Are they hardcoded, or can they be changed through the device interface?

@riswandans

@lucyoa
This has more about the vulnerabilities: https://community.rapid7.com/community/infosec/blog/2014/03/04/disclosure-r7-2013-18-zte-f460-and-zte-f660-webshellcmdgch-backdoor, but on the new version it's not working, and I tested by connecting to telnet and it works.

Other reference:
http://www.ironbugs.com/2016/02/hack-and-patch-your-zte-f660-routers.html

The username and password are the defaults from the modem/router.
They can be changed, but I checked at https://www.shodan.io/search?query=f660, and 98% are using the default password.


lucyoa commented May 3, 2016

Ok @DevilScream we need just some changes in exploits:

zte/f6xx_default_root.py and zte/f660_config_disclosure.py

1) Authors

'authors': [
             'devilscream',  # vulnerability discovery
             'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
         ],

There should be the names of the people who discovered the vulnerability and wrote the routersploit module. I did not write this, you did, so it should be your name.

2) References

'references': [
             '',
         ],

References contain useful links that are related to the vulnerability or exploit. You should add the ones you posted in your comment.

3) Mute
The "check" method should have the mute decorator:

@mute
def check(self):

4) Default creds
Since the credentials can be changed, maybe it would be better to define them as options:

target = exploits.Option('', 'Target address e.g. 192.168.1.1')  # target address
username = exploits.Option("root", "Username to authenticate with")
password = exploits.Option("Zte521", "Password to authenticate with")

zte/f660_config_disclosure.py

1) Check

Your check method implementation only checks if it is possible to authenticate with the given credentials. You should also check if it is possible to download the config file.

Could you adapt your Pull Request? It would also be great to see these two exploits in action, could you record this with https://asciinema.org/? Thanks!


riswandans commented May 3, 2016

@lucyoa exploits have been changed.

record
https://asciinema.org/a/66matv5s9iten4yooy1aus1iz


lucyoa commented May 3, 2016

@DevilScream that looks nice, we need just two little things:

  • add mute decorator to check methods
  • The check method of zte/f660_config_disclosure.py does not work properly. Currently it looks for the config in the response that shows the prompt. You need to issue the command that retrieves the config first and then look for "<DM name=" in the response.
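
Added example, not part of the pull request or of routersploit's code: the three check behaviours discussed in this thread, run against constructed in-memory sessions so the false positive and false negative are visible. `FakeSession`, the prompt string and the `CONFIG_CMD` placeholder are assumptions; the thread does not give the retrieval command.

```python
MARKER = "<DM name="                       # string the review says to look for
PROMPT = "# "                              # constructed shell prompt (assumption)
CONFIG_CMD = "<config-retrieval-command>"  # placeholder: not given in the thread


class FakeSession:
    """Constructed in-memory stand-in for an authenticated telnet session."""

    def __init__(self, outputs):
        self.outputs = outputs             # command -> canned output
        self.buffer = "Login successful\r\n" + PROMPT

    def write(self, command):
        # Echo the command, print its output, then show a fresh prompt.
        body = self.outputs.get(command, "sh: not found")
        self.buffer += command + "\r\n" + body + "\r\n" + PROMPT

    def read_until_prompt(self):
        # Return buffered text up to and including the next prompt.
        idx = self.buffer.find(PROMPT)
        end = len(self.buffer) if idx < 0 else idx + len(PROMPT)
        chunk, self.buffer = self.buffer[:end], self.buffer[end:]
        return chunk


def check_auth_only(session):
    """Behaviour from the first review: a shell prompt alone counts as a hit."""
    return PROMPT in session.read_until_prompt()


def check_prompt_response(session):
    """Behaviour from the second review: marker sought in the prompt response."""
    return MARKER in session.read_until_prompt()


def check_config_readable(session):
    """Requested behaviour: issue the command, then search its output."""
    session.read_until_prompt()            # consume banner and first prompt
    session.write(CONFIG_CMD)
    return MARKER in session.read_until_prompt()


def exposed():      # constructed device that returns its configuration
    return FakeSession({CONFIG_CMD: '<DM name="constructed-sample" val="1"/>'})


def restricted():   # constructed device that authenticates but returns no config
    return FakeSession({})
```

`check_auth_only` reports both sessions as affected and `check_prompt_response` reports neither; only `check_config_readable` separates them.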

@riswandans

@lucyoa

  • If I use mute, rsf shows an error on Ubuntu 14.04:
File "./rsf.py", line 11, in <module>
    routersploit()
  File "./rsf.py", line 7, in routersploit
    rsf = RoutersploitInterpreter()
  File "/home/devilscream/workspace/routersploit/routersploit/interpreter.py", line 167, in __init__
    self.load_modules()
  File "/home/devilscream/workspace/routersploit/routersploit/interpreter.py", line 196, in load_modules
    module = importlib.import_module(module_path)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
@mute
NameError: name 'mute' is not defined
  • OK, I will fix f660_config_disclosure.py


lucyoa commented May 3, 2016

@DevilScream add mute to import list

lucyoa commented May 3, 2016

@DevilScream Ok I'm merging this. I will polish them a little. Thanks

lucyoa merged commit ffc36e2 into threat9:master on May 3, 2016
fwkz added the module label on May 7, 2016