
Zong FiberHome 4G Device

Vulnerabilities and Exploits

Although the device uses a weird authentication method, it is nothing more than a gimmick used by the UI code to give an illusion of authentication. All the endpoints are accessible directly without authentication, and the best part of it all is that you can use the admin endpoint to get the username and password for the router.

The output of the admin endpoint is something like:

<?xml version="1.0" encoding="US-ASCII"?>
<RGW>
	<management>
		<router_username>admin</router_username>
		<router_password>admin</router_password>
		<web_wlan_enable/>
		<httpd_port/>
		<syslogd_enable/>
		<web_wan_enable/>
		<syslogd_rem_ip/>
		<turbo_mode/>
		<customer/>
	</management>
</RGW>

The vulnerability explained above is well known and quite old, but wait, there's more! To my knowledge (not sure though) the FiberHome version of the Zong devices is unlocked by default, but if yours is not, you can use a simple trick to get super user access and unlock the device directly from the Admin Panel. All you have to do is log in to your router and change the default username from admin to root, and voila, you can see a new tab named Advance in Settings which provides options to unlock the device, as shown below.

Advance Settings

Analysis

It gets more interesting once you do a port scan of the device. The port scan shows the following ports to be open:

  • 22 - SSH
  • 53 - DNS
  • 80 - HTTP (Admin Panel)
  • 3020 - Unknown
  • 3021 - Unknown
  • 5555 - ADB

Port 22

You can SSH into the device as root using the password oelinux123.

Port 53 and 80

These ports are standard DNS and HTTP ports.

Endpoints

Base URL: /xml_action.cgi?method=get&module=duster&file=[name] known file names are:

  • admin
  • app_fun_support_list
  • battery_charge
  • custom_fw
  • detailed_log
  • dns
  • download_local_upgrade
  • lan
  • lock_cell_clear
  • message
  • message_drafts
  • message_outbox
  • message_set
  • message_state
  • net_advace_set
  • ntp_server
  • pin_puk
  • reset
  • restore_defaults
  • shutdown
  • status1
  • time_setting
  • traffic_excess_set
  • uapxb_wlan_basic_settings
  • uapxb_wlan_security_settings
  • upgrade_info
  • ussd_business
  • wan
  • wan_choose_net
  • wan_ip
  • wlan_auto_setting

Port 3020

Port 3020 is interesting: once you connect to it, it immediately sends the banner ms_version:1 and then appears to send/receive nothing, but if you stay connected it starts sending packets with JSON payloads "periodically", which appear to be 4-byte length prefixed. See the sample payloads below:

{
	"operate": "report",
	"service_name": "modem",
	"signal_strength": 2
}
{
	"operate": "report",
	"service_name": "modem",
	"signal_strength_v1": [
		{
			"cdma_dbm": 0,
			"evdo_dbm": -125,
			"gsm_signal_strength": 0,
			"lte_rsrp": -112,
			"operator_type": 2,
			"tds_signal_strength": 0,
			"wcdma_signal_strength": 0
		}
	]
}
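A small parser for the port 3020 stream described above, added here as an example and not part of the original repo. It assumes the 4-byte length prefix is big-endian and that the ms_version:1 banner ends with a newline (the page states neither), and it handles a report that arrives split across two reads.

```python
import json
import struct

# Banner the page reports on connect; newline terminator is an assumption.
BANNER = b"ms_version:1\n"


def frame(payload: dict) -> bytes:
    """Encode one report as 4-byte big-endian length + JSON body (byte order assumed)."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return struct.pack(">I", len(body)) + body


def parse_stream(buf: bytes):
    """Split a captured port-3020 byte stream into decoded JSON reports.
    Returns (reports, leftover): an incomplete trailing frame is carried
    over to the next call instead of being mis-parsed."""
    reports = []
    if buf.startswith(BANNER):
        buf = buf[len(BANNER):]
    while len(buf) >= 4:
        (length,) = struct.unpack(">I", buf[:4])
        if len(buf) < 4 + length:
            break  # partial frame: wait for more bytes
        reports.append(json.loads(buf[4:4 + length]))
        buf = buf[4 + length:]
    return reports, buf


def lte_rsrp_values(reports):
    """Pull lte_rsrp out of modem signal_strength_v1 reports (second sample on the page)."""
    out = []
    for r in reports:
        if r.get("operate") == "report" and r.get("service_name") == "modem":
            for entry in r.get("signal_strength_v1", []):
                if "lte_rsrp" in entry:
                    out.append(entry["lte_rsrp"])
    return out


# Constructed sample stream mirroring the two payloads shown on the page.
SAMPLE = (
    BANNER
    + frame({"operate": "report", "service_name": "modem", "signal_strength": 2})
    + frame({"operate": "report", "service_name": "modem",
             "signal_strength_v1": [{"cdma_dbm": 0, "evdo_dbm": -125,
                                     "gsm_signal_strength": 0, "lte_rsrp": -112,
                                     "operator_type": 2, "tds_signal_strength": 0,
                                     "wcdma_signal_strength": 0}]})
)
```

Feeding SAMPLE[:-10] and then the remaining 10 bytes to parse_stream shows the partial-frame path: the first call yields one report and a leftover, the second completes the lte_rsrp report.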

Port 3021

This port lets you connect to it and keeps the connection open as long as you don't send anything, but as soon as you send something it immediately disconnects; it possibly expects some kind of pattern IMO (these kinds of ports were found on other routers too).

Port 5555

This port runs an unauthenticated adb daemon, so you can easily connect to it using adb and get shell access as follows:

adb connect 192.168.8.1:5555
adb shell

You will get access as the root user, so you can pretty much do anything you want.

Dumping Image

You can list the flash partitions using:

cat /proc/mtd

Output:

dev:    size   erasesize  name
mtd0: 00140000 00020000 "sbl"
mtd1: 00140000 00020000 "mibib"
mtd2: 00b00000 00020000 "efs2"
mtd3: 00360000 00020000 "sdi"
mtd4: 00360000 00020000 "tz"
mtd5: 000c0000 00020000 "mba"
mtd6: 00360000 00020000 "rpm"
mtd7: 031e0000 00020000 "qdsp"
mtd8: 000e0000 00020000 "appsbl"
mtd9: 00800000 00020000 "apps"
mtd10: 00040000 00020000 "scrub"
mtd11: 04a80000 00020000 "cache"
mtd12: 00160000 00020000 "misc"
mtd13: 00560000 00020000 "cdrom"
mtd14: 002e0000 00020000 "logo"
mtd15: 00800000 00020000 "recovery"
mtd16: 00100000 00020000 "fota"
mtd17: 01080000 00020000 "recoveryfs"
mtd18: 01080000 00020000 "system"
mtd19: 12e80000 00020000 "userdata"

You can just cat the device and pipe the data to a file, e.g. ssh root@192.168.8.1 "cat /dev/mtd18" > system.img to get the system image.
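An added example (not from the original repo) that parses the /proc/mtd listing above and checks that a dumped image is exactly the partition's size and a whole number of erase blocks, which is the sanity check worth running before analysing system.img; the excerpt of the listing is constructed from the page's output.

```python
import re

# Constructed excerpt of the /proc/mtd output shown above (sizes are hex bytes).
PROC_MTD = """dev:    size   erasesize  name
mtd9: 00800000 00020000 "apps"
mtd17: 01080000 00020000 "recoveryfs"
mtd18: 01080000 00020000 "system"
mtd19: 12e80000 00020000 "userdata"
"""

LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"$')


def parse_proc_mtd(text: str) -> dict:
    """Map partition name -> (device, size_bytes, erasesize_bytes)."""
    parts = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # the header line does not match and is skipped
            dev, size, erase, name = m.groups()
            parts[name] = (dev, int(size, 16), int(erase, 16))
    return parts


def check_dump(parts: dict, name: str, dumped_len: int):
    """Verify a `cat /dev/mtdN > image` dump against /proc/mtd.
    Returns (ok, message); a short read (e.g. a dropped SSH session) fails."""
    if name not in parts:
        return False, f"unknown partition {name!r}"
    dev, size, erase = parts[name]
    if dumped_len != size:
        return False, f"{name} ({dev}): got {dumped_len} bytes, expected {size}"
    if size % erase:
        return False, f"{name}: size {size} is not a multiple of erasesize {erase}"
    return True, f"{name} ({dev}): {size} bytes = {size // erase} erase blocks"
```

In practice dumped_len comes from os.path.getsize("system.img") after the ssh command has finished.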

Filesystem

It's just a Linux filesystem; fun stuff can be found in /usr/mifi/. Some of the configurations are also stored in SQLite 3 databases and can be found in /usr/data/.

Credits

Thanks to IMExperts for providing the SSH password as well as mentioning that port 5555 is running adb.


zong-wifi's Issues

Works smooth till ssh but

Is there any way we can access the AT interface through SSH? The adb port is not open on my device. The only 3 ports open are: 1. DNS, 2. HTTP, 3. SSH.

Zong 4G MF 25 Zte Unlocking issue in world

Assalam-o-Alaikum
Brother, there is a problem with the Zong MF25 device: the new 2020 and 2022 ones are not getting unlocked; in fact nobody is able to do it. Its software versions are B03, B02, B01, battery date 12-20, and this device does not go into fastboot mode, which it should when holding the power+WPS buttons. If anyone can program its software, kindly put me in contact with them.
Name Waqas Mehmood
cell no 03122971373 Whatsapp
Location Karachi
Thanks

advance settings

First of all, good work and keep it up.
Although I have changed the admin password to root and now have the 'advance settings' tab, and both 'cell lock switch' and 'lock sim card' are disabled, other network SIMs are still not working. Secondly, how can we add additional bands in addition to the default band lock 'Band3'?
