This repo automates the exploitation of a flaw in Nokia Alcatel Lucent routers. The exploit makes it possible to obtain a root shell on the router.
The Nokia GPON Home Gateway exposes a set of flaws which, when chained, allow remote code execution on the router as the root user. The script has been tested against the Nokia G-240W-A with the latest firmware version at the time of writing; however, after further research it seems that other versions are prone to this security issue as well. The flaws whose exploitation this script automates are:

1- A backdoor in the web interface with a universal username and password.
2- The ability to upload and download an obfuscated configuration file.
3- The ability to deobfuscate the config.cfg file.
4- The ability to create a root user in the system with a chosen password by editing the config file.
1- The backdoor was deliberately set to ease maintenance by the network operator.
2- Obfuscation of the config file is based on weak encryption which has been broken using reverse engineering (the key is hardcoded).
3- The config file reserves a field to set the username and password of a new root user.
4- SSH access is open by default.
The script is based on another script that automates the process of deobfuscating and packing back the config file. Building on that script, this one authenticates to the router's web interface, retrieves the config file, alters it and uploads it back. All you need afterwards is to start an SSH session with the known username and password.
@thedroidgeek