This is a proof of concept exploit for the unattended command injection vulnerability in various ASUS router models.
The exploit allows remote command/code execution as root (uid 0). The vulnerable models include (at least):
RT-N16, RT-N10U, RT-N56U, RT-N15U and RT-N53.
Additionally numerous models are vulnerable if the administrator password has not been changed. These models include at least: DSL-N55U and RT-AC66U.
It is very likely this vulnerability also exist in other ASUS routers not listed here.
When successful the exploit will add a new user to the system, start the telnetd service and drop the firewall.
As a side effect this exploit also allows access to the web user interface from the WAN interface (usually internet).
In order to gain a root shell via telnet, do the following:
$ telnet victim
Trying victim...
Connected to victim.
Escape character is '^]'.
(none) login: pwn<enter>
ASUSWRT RT-N16_3.0.0.4 Wed Oct 2 23:47:35 UTC 2013
admin@(none):/#
This particular version of the exploit isn't persistent. It can be removed by rebooting the device.
Please note that this PoC utilizes old vulnerability CVE-2013-3093 discovered by Jacob Holcomb /
Independent Security Evaluators. Also, some of the vulnerabilities were discovered independently by unknown party as CVE-2013-5947.
The new part is the unattended execution achieved via the preauth XSS on the error page (CVE-2014-1225).
The vulnerabilities has been fixed in firmware 3.0.0.4.374.4422 or later.