This is a proof of concept exploit for the unattended command injection vulnerability in various ASUS router models. The exploit allows remote command/code execution as root (uid 0). The vulnerable models include (at least): RT-N16, RT-N10U, RT-N56U, RT-N15U and RT-N53. Additionally numerous models are vulnerable if the administrator password has not been changed. These models include at least: DSL-N55U and RT-AC66U. It is very likely this vulnerability also exist in other ASUS routers not listed here.
When successful the exploit will add a new user to the system, start the telnetd service and drop the firewall. As a side effect this exploit also allows access to the web user interface from the WAN interface (usually internet).
In order to gain a root shell via telnet, do the following:
$ telnet victim
Trying victim...
Connected to victim.
Escape character is '^]'.
(none) login: pwn<enter>

ASUSWRT RT-N16_3.0.0.4 Wed Oct 2 23:47:35 UTC 2013
This particular version of the exploit isn't persistent. It can be removed by rebooting the device.
Please note that this PoC utilizes old vulnerability CVE-2013-3093 discovered by Jacob Holcomb / Independent Security Evaluators. Also, some of the vulnerabilities were discovered independently by unknown party as CVE-2013-5947. The new part is the unattended execution achieved via the preauth XSS on the error page (CVE-2014-1225). The vulnerabilities has been fixed in firmware or later.
Copyright © 2014 Harry Sintonen