threat9 / routersploit

Exploitation Framework for Embedded Devices

Request exploits for ZTE ZXHN F608 #339

Closed andrewjgoss1 closed 6 years ago

andrewjgoss1 commented 7 years ago

Hello, can you please add exploits for ZTE ZHN F608? RouterSploit shows the router is only vulnerable with exploits/routers/zte/zxv10_rce. I successfully logged in to the router, but I cannot do anything in cmd. https://imgur.com/a/sjUN8 Thank you so much!

PS: My ISP configured the router to use only HTTPS (although the browser keeps saying invalid certificate). In the browser, I cannot access the router via 192.168.1.1:443, but https://192.168.1.1, http://192.168.1.1 or 192.168.1.1:80 work, and then the page redirects to https. When I use RouterSploit, it only works when I set the target to https://192.168.1.1 and set port 443, which is the opposite of the browser.

AlexHilgertBRA commented 6 years ago

@tuthieu ZTE ZHN F608? I can't find anything about it.

On the 'ZTE ZXV10 RCE' exploit, I think it may be a false positive that was fixed. Could you do a 'git pull' inside the RouterSploit dir and check it again?

See ya.

andrewjgoss1 commented 6 years ago

@AlexHilgertBRA Thank you for replying. The device is now not vulnerable to any exploits. How can I find an exploit? I have two of the same device. One I know the login for, and the other I don't.

AlexHilgertBRA commented 6 years ago

@tuthieu As I said, I didn't find any useful information about it, so I think the only way is to do it yourself, or "by hand". You know, if the issue is just to log in to it, you can bruteforce it, and if it is yours, you can reset it.

The little I know about this device is that the default credentials are admin as user and the serial number as password, so you get something like this:

admin:ZTEGC???????

The first two '??' seem to be a year, like 13, 14, 15, 16, etc. The remaining five '?????' seem to be an upper-case hex charset.

And finally, if it is yours, you can just see it on the back of your router.

Cheers.

andrewjgoss1 commented 6 years ago

@AlexHilgertBRA, I just want to find a way to exploit the router. Thank you very much. Your info is very helpful. But I don't know bruteforce. How can I do bruteforce? My router blocks for 1 minute after entering 5 wrong passwords.

When I enter a wrong password, the headers show:

Request URL: https://192.168.1.1/
Request Method: POST
Status Code: 200 OK
Remote Address: 192.168.1.1:443
Referrer Policy: no-referrer-when-downgrade

Response Headers
Accept-Ranges: bytes
Cache-Control: no-cache,no-store
Connection: close
Content-Length: 6539
Content-Type: text/html; charset=utf-8
Server: Mini web server 1.0 ZTE corp 2005.
Set-Cookie: _TESTCOOKIESUPPORT=1; PATH=/; HttpOnly; Secure
X-Frame-Options: DENY

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
Cookie: _TESTCOOKIESUPPORT=1
Host: 192.168.1.1
Origin: https://192.168.1.1
Referer: https://192.168.1.1/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Form Data
frashnum:
action: login
Frm_Logintoken: 0
Username: admin
Password: ZTEGC11A0123

When I enter the right password:

Request URL: https://192.168.1.1/
Request Method: POST
Status Code: 302 Moved Temporarily
Remote Address: 192.168.1.1:443
Referrer Policy: no-referrer-when-downgrade

Response Headers
Accept-Ranges: bytes
Cache-Control: no-cache,no-store
Connection: close
Content-Length: 0
Content-Type: text/html; charset=utf-8
Location: /easySetup.ghtml
Server: Mini web server 1.0 ZTE corp 2005.
Set-Cookie: SID=5bf923742fc1892865913cbf90f6ba7b; PATH=/; HttpOnly; Secure

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 76
Content-Type: application/x-www-form-urlencoded
Cookie: _TESTCOOKIESUPPORT=1
Host: 192.168.1.1
Origin: https://192.168.1.1
Referer: https://192.168.1.1/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

AlexHilgertBRA commented 6 years ago

@tuthieu You would waste some years with this limitation, I think. You'll do better with FTP or something else, which doesn't mean you won't waste a very long time as well. If FTP is enabled, you can use RouterSploit to bruteforce it with creds/ftp_bruteforce. You just need to set the path of passwords to the extracted file (ZTEGCYYHHHHH.zip).

andrewjgoss1 commented 6 years ago

@AlexHilgertBRA Thank you for your suggestion, but my ISP configured the router to only accept web access.

AlexHilgertBRA commented 6 years ago

@tuthieu No problem. It's not viable to bruteforce that keyspace with this limitation. See ya.