Logging into a ZTE H168N with the help of expect

Jalal Sela already took the time to break into a sibling of this router on his blog. Having shell access to my router turned out to be more handy than I had anticipated.

#!/usr/bin/expect -f

spawn telnet 192.168.2.254 23

expect Username: { send "root\r" }
expect Password: { send "public\r" }

expect >         { send "enable\r" }
expect Password: { send "zte\r" }

expect "#"       { send "shell\r" }
expect Login:    { send "root\r" }
expect Password: { send "root\r" }

interact

Speaking of this device, in it you will find /var/tmp/db_backup_cfg.xml and /data/cfg/db_user_cfg.xml which have the same contents, except the latter is compressed in some funny way. Here’s how do decompress it:

for offset in $(binwalk -c db_user_cfg.xml | tail -n +4 | cut -d' ' -f1); do
    printf '\x1f\x8b\x08\x00\x00\x00\x00\x00%s' "$(dd skip=$offset ibs=1 if=db_user_cfg.xml)" | gzip -dc >> out.xml;
done