Drive By ONT Botnet with IRC C&C
Demonstration of a botnet created purely by using embedded devices which are controlled remotely through vulnerabilities exploited from a webpage.
Alcatel-Lucent I-240W-Q ONTs are vulnerable to arbitrary code execution in the administrative web interface and also contain a backdoor which enables remote access to the administrative interface. It is possible to combine these two vulnerabilities to take remote control of these devices.
Authentication is not required for successful exploitation. Simply having a user visit a malicious website from any device connected to the network puts the confidentiality of the information transmitted by the device at risk.
The drive-by exploit consists of three stages:
1. Authenticate using the backdoor account.
2. Download netcat for MIPS and the IRC bot.sh
(bot is incomplete - it is just for demonstration purposes)
3. Run the files you downloaded.
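All three stages are driven by requests that the victim's browser sends to the device after loading a page from the Internet, and that is visible wherever browser traffic is logged. The following detection sketch is an added example, not code from the original post or the exploit: it flags requests to an internal IP address whose initiating page came from a non-internal host. The log format, hostnames and paths are constructed for illustration, and it assumes the device's administrative interface is reached on a private address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample records (not from the original post), one browser request
# per line: "client_ip method url referer". Hosts and paths are made up.
SAMPLE_LOG = """\
192.168.1.20 GET http://192.168.1.254/index.html -
192.168.1.20 POST http://192.168.1.254/admin.cgi http://192.168.1.254/index.html
192.168.1.33 GET http://news.example/story.html -
192.168.1.33 POST http://192.168.1.254/admin.cgi http://news.example/story.html
192.168.1.33 GET http://cdn.example/app.js http://news.example/story.html
192.168.1.33 GET http://router.lan/status http://news.example/story.html
"""

def is_internal(host):
    """True when host is an IP literal in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: classifying it needs DNS, which is skipped here
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_cross_network_requests(log_text):
    """Return (client, method, url, referer) for requests that a page from a
    non-internal host caused the browser to send to an internal address."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record
        client, method, url, referer = parts
        if referer == "-":
            continue  # no initiating page recorded
        target = urlsplit(url).hostname or ""
        source = urlsplit(referer).hostname or ""
        if is_internal(target) and not is_internal(source):
            hits.append((client, method, url, referer))
    return hits

if __name__ == "__main__":
    for hit in find_cross_network_requests(SAMPLE_LOG):
        print("cross-network request:", *hit)
```

A page can suppress the Referer header, so an empty referer does not clear a request; treat this as one signal alongside restricting who can reach the device's administrative interface.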
References
Advisory: Arbitrary command execution in Alcatel-Lucent I-240W-Q.
Exploit for Metasploit: alcatel_i240w_exec.rb by Luis Colunga.
This post was originally written by Pedro Joaquin and translated by Roberto Salgado. The original post in Spanish can be found here.