Thursday, September 18, 2014

Posted by Paulos Yibelo
2 comments | 8:51 AM
ZTE provides ADSL routers, and most models run the same services and share the same issues, so I believe this is a general problem with their routers.

Here is how it started: I got a new DSL modem (ZTE ZXDSL 831 II) and it turned out I had forgotten my password. I couldn't connect to the internet, nor could I go to and change my credentials (it used Basic authentication via HTTP headers, which could easily be exploited), but I took it as a challenge and tried to get inside so I could keep using my internet.

It turned out I was able to first hack it, root it, hack the people around me (* people using broadband in the country, if you know the IP range) and then write about it.

Since I wasn't able to find a direct way to access the modem using the IP, I started requesting some files... and it turned out most of those files were returned to me without a 401 Unauthorized error (unlike the login page), which is an Insecure Direct Object Reference vulnerability.

Note that by default the modem ships with admin:admin credentials, which is awesome for pwning other people who haven't changed the defaults. Unlike those people, I had changed mine, so I had to find another way.

Requesting didn't throw a 401 error; it just served the upload page. Insecure Direct Object Reference. Awesome!

Next, I found the awesome place: without being authenticated, requesting would reveal the PPPoE username and password when you view the page source. Shit!

And then I found the most awesome hole (the restore-defaults location): without being authenticated, requesting would reset the modem to factory defaults, meaning it becomes admin:admin again.
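The three holes above share one root cause: the firmware checked credentials on the login page but not on the upload, PPPoE-status and restore-defaults pages, so each of those was an insecure direct object reference. The following is an added example, not code from the post or from ZTE; the route names, the credential and the request headers are all constructed. It models the per-page check beside a single authentication gate placed in front of every route, and includes a small audit helper that lists which routes a dispatcher serves to an unauthenticated client.

```python
"""Added example (not from the original post): enforce authentication on
every management endpoint, not only on the login page, and audit which
endpoints a dispatcher serves without credentials.

All route names, credentials and headers below are constructed for this
example; they are not the ZXDSL 831's real paths or configuration."""
import base64
import hmac

# Constructed route table: path -> whether the vulnerable firmware checked
# credentials for it. Mirrors the post: only the login page did.
ROUTES = {
    "/login": True,
    "/upload": False,
    "/pppoe_status": False,
    "/restore_defaults": False,
}

# Constructed credential store (a real device should keep a salted hash).
VALID_USER, VALID_PASSWORD = "admin", "correct horse battery staple"
# Shipped default named in the post; a device still using it should be flagged.
FACTORY_DEFAULTS = {("admin", "admin")}


def parse_basic_auth(headers):
    """Return (user, password) from an HTTP Basic Authorization header, or None.
    Basic auth is only base64, not encryption: anyone who can read the HTTP
    traffic can decode it, which is why the post calls it easy to exploit."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(creds):
    """Constant-time comparison against the configured credential."""
    if creds is None:
        return False
    user, password = creds
    return (hmac.compare_digest(user.encode(), VALID_USER.encode())
            and hmac.compare_digest(password.encode(), VALID_PASSWORD.encode()))


def vulnerable_dispatch(path, headers):
    """Per-page auth: each handler decides for itself, so any page whose
    author forgot the check (everything but /login here) is served to anyone."""
    if path not in ROUTES:
        return 404
    if ROUTES[path] and not credentials_ok(parse_basic_auth(headers)):
        return 401
    return 200


def hardened_dispatch(path, headers):
    """Single gate: authenticate before routing, so a forgotten per-page check
    cannot expose a handler. Unknown paths are hidden behind the gate too."""
    if not credentials_ok(parse_basic_auth(headers)):
        return 401
    return 200 if path in ROUTES else 404


def unauthenticated_paths(dispatch):
    """Audit helper: routes the given dispatcher serves with no credentials."""
    return sorted(p for p in ROUTES if dispatch(p, {}) == 200)


def using_factory_defaults(creds):
    """True if the credential pair is one the device shipped with."""
    return creds in FACTORY_DEFAULTS


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print("vulnerable, no auth:", unauthenticated_paths(vulnerable_dispatch))
    print("hardened, no auth:  ", unauthenticated_paths(hardened_dispatch))
    print("decoded header:     ", parse_basic_auth(basic_header("admin", "admin")))
```

The audit helper is the check worth keeping: run it against every route a device exposes, and anything that answers 200 without an Authorization header is a restore-defaults-style hole waiting to be found.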

Awesome! So I got inside. But that wasn't enough anymore; I wanted something more. Root?

So I port scanned it using nmap -sV and it returned

23/tcp   open   telnet  ZXDSL 831CII ADSL modem telnetd 5.2.0a_E09_ET

So I just telnetted in; since I had reset it to defaults, the login was now admin:admin, obviously. So I got inside the modem and had plenty of commands available, but they weren't cool, so I typed "sh", which turned out to be the BusyBox v1.0 built-in shell (since it was running micro_httpd).

# cat /proc/cpuinfo
system type             : 96338L-2M-8M
processor               : 0
cpu model               : BCM6338 V1.0
BogoMIPS                : 239.20
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : no
unaligned access        : 1289794
VCED exceptions         : not available
VCEI exceptions         : not available

Dead performance!

So I ran "cat /proc/meminfo" (it holds 6MB), then "cat /proc/version", and it returned
Linux version (

Even though there was a public local exploit for that kernel, simply typing "echo $USER" revealed I was root (I had been root the whole time), so there was no need to root anything. Simple as that.

Going to gives the public IP address of the modem (aside from lots of easier ways). It was

So I just ran "sudo nmap --open -sS -sV -T4 10.136.0.*/24 -p 80 -oG - | grep 'open'"

and found at least 48 other modems online. Then I went to their and telnetted in. Rooted them! It was a fun time of recovery! Now that I've rooted the router, I can manipulate what goes to my ISP and what doesn't, which is bad for the ISP. :P
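The scan above pipes nmap's grepable output (-oG -) through grep, which is enough to count hits but loses the per-host detail. From the network operator's side, the same output is the starting point for an inventory of customer devices that still answer on telnet or HTTP from the WAN, which is the exposure the post's conclusion says to turn off. The following is an added example, not the post's code: a parser for the -oG line format that reports which hosts expose a management port and tallies the service banners. The scan output is constructed for this example (the addresses and host count are not the author's); the telnetd banner and micro_httpd name are the ones quoted in the post.

```python
"""Added example (not from the original post): parse nmap grepable output
(-oG) into a per-host port list and report hosts exposing management
services, so an operator can find devices that still answer on telnet/HTTP.

SAMPLE_GREPABLE is constructed for this example in the real -oG format:
one "Host:" line per host, tab-separated fields, and a "Ports:" field of
comma-separated port/state/proto/owner/service/rpc/version/ entries."""
import re
from collections import Counter, defaultdict

SAMPLE_GREPABLE = """\
# Nmap 6.47 scan initiated Thu Sep 18 08:00:00 2014 as: nmap --open -sS -sV -T4 -p 23,80 -oG - 10.136.0.0/24
Host: 10.136.0.5 ()\tStatus: Up
Host: 10.136.0.5 ()\tPorts: 23/open/tcp//telnet//ZXDSL 831CII ADSL modem telnetd 5.2.0a_E09_ET/, 80/open/tcp//http//micro_httpd/\tIgnored State: closed (998)
Host: 10.136.0.9 ()\tPorts: 80/open/tcp//http//micro_httpd/, 23/closed/tcp//telnet///
Host: 10.136.0.17 ()\tPorts: 23/filtered/tcp//telnet///, 80/filtered/tcp//http///
# Nmap done at Thu Sep 18 08:01:30 2014 -- 256 IP addresses (3 hosts up) scanned in 90.12 seconds
"""

# port/state/proto/owner/service/rpc/version/ ; the version field may contain spaces
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Ports a home router should not expose on its WAN side (the post's telnet and http).
MANAGEMENT_PORTS = {23: "telnet", 80: "http"}


def parse_grepable(text):
    """Return {ip: [(port, state, service, version), ...]} from -oG text.
    Comment lines (starting with '#') and Status-only lines carry no ports."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for m in PORT_RE.finditer(field[len("Ports:"):]):
                port, state, _proto, _owner, service, _rpc, version = m.groups()
                hosts[ip].append((int(port), state, service, version))
    return dict(hosts)


def _ip_key(ip):
    """Sort dotted-quad addresses numerically rather than lexically."""
    return tuple(int(octet) for octet in ip.split("."))


def exposed_management(hosts):
    """Hosts with an open management port, grouped as {port: [ip, ...]}."""
    result = defaultdict(list)
    for ip, ports in hosts.items():
        for port, state, _service, _version in ports:
            if state == "open" and port in MANAGEMENT_PORTS:
                result[port].append(ip)
    return {port: sorted(ips, key=_ip_key) for port, ips in result.items()}


def count_banners(hosts, port):
    """Tally the version banners seen on an open port (firmware inventory)."""
    return Counter(version for ports in hosts.values()
                   for p, state, _service, version in ports
                   if p == port and state == "open")


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    for port, ips in exposed_management(inventory).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}) open on {len(ips)} host(s): {', '.join(ips)}")
    print("http banners:", dict(count_banners(inventory, 80)))
```

Feeding a real scan in is a matter of replacing SAMPLE_GREPABLE with the file written by -oG; the banner tally is what tells an operator how many devices run the same firmware build and therefore share the same holes.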

Happy Hacking!

Conclusion: ZTE makes bad routers; most run the same services with similar holes. They weren't built with security in mind. Run if you see one! Don't buy it! Sue me!

And yeah, disable remote logins to telnet, HTTP, etc. ;)


  1. Our country's internet security is the biggest lie. Some fuckers like ZTE control and surveil us. I say no more! Let's keep these things out there, in the wild, like you did. Probably teach people a lesson! Probably!

  2. Can you get more internet speed with this or not?