ZyNOS (ROM-0) Exploit

Recently I came across an interesting article that nicely explains how to bypass authentication on some SoHO routers running the proprietary ZyNOS operating system. Those routers allow the ROM file backup, rom-0, to be downloaded without any authentication. The rom-0 file can be decompressed with LZS compress/decompress tools, and the credentials it contains displayed using the strings command.

I decided to write a Bash script that automates the whole process. After the subnet(s) are entered, it uses nmap to scan for hosts with TCP port 80 open and filters those that appear to be running ZyNOS. The result is stored in the file IP_ZyXEL_list. It then downloads and decompresses the rom-0 file for each IP address in the list, reads the web password with the strings utility, and prints the IP address and password pair to standard output. The output is also saved to the file passwords.log.

Please use the script only for auditing your own devices that reside in your local network. Be aware that breaking into systems is illegal, and I don't take any responsibility and am not liable for any damage caused through use of the script.

The script can be downloaded here.
