Added Module for Linksys E1500/2500. #5

Merged
merged 4 commits into from
Apr 11, 2016

@n00py n00py commented Apr 11, 2016

Added a new module. This has been tested successfully on my personal E2500.

lucyoa commented Apr 11, 2016

Good job, it looks nice. We need some changes to make it even better:

  • Exploit filename should be changed from 1500_2500.py to 1500_2500_rce.py

  • This is a post-auth module, so username and password are required. Currently these values are hardcoded - admin/admin. It could be improved if you would register new options:

target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
username = exploits.Option('admin', 'Username to login with')
password = exploits.Option('admin', 'Password to login with')

and then we could change this:

r = requests.post(url, data=data, auth=("admin", "admin"))

to:

r = requests.post(url, data=data, auth=(self.username, self.password))

This way, the user is able to set his own username/password, but by default it is admin/admin.

  • Following code from the "run" method:

if self.check() == True:

can be changed to:

if self.check():

  • Extra quotes can be deleted:

'references': [
    'https://www.exploit-db.com/exploits/24475/',
    ""
],

Would you mind making changes?

We can also merge this pull request and make necessary changes and then you would test if it works properly on your device :)

n00py commented Apr 11, 2016

I’ll try to make these changes myself. Thanks for the tips!

- Esteban


n00py commented Apr 11, 2016

I added the authentication piece. The simple change of "if self.check():" broke everything, and I wasn't sure why, so I left that in for now.

lucyoa commented Apr 11, 2016

Your "execute" method is always returning an empty string. I think it should be "return r.text"?

n00py commented Apr 11, 2016

I shouldn't have put "return r.text" there in the first place; it actually just dumps out the HTML of the page, which is undesirable. This command injection is blind, so I wasn't quite sure what to return.

lucyoa commented Apr 11, 2016

Oh I see, we are working on implementing a mechanism responsible for retrieving the response from blind command injection, but your implementation is good.

Could you tell me how the check method works? Does it respond with the marker value 9fdbd928b52c1ef61615a6fd2e8b49af from the echo command injection?

n00py commented Apr 11, 2016

Well, the truth is that the check is somewhat superficial. The only thing it proves is that you sent a properly formatted request, but it doesn't prove that the command injection worked. If you think of a clever way to do this, I'll try to implement it.

n00py commented Apr 11, 2016

The actual string shows up in the response, but the HTML only contains the query you sent, not any output from it.
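
An added example, not part of the pull request or of the comments above: one way to keep a check like this from claiming more than it proves is to tell a marker that is only echoed back inside the submitted command apart from one that appears as command output. The response bodies and the `cmd=` field are constructed samples, `reflected_forms`, `classify_check` and `report` are hypothetical names, and the marker is the value quoted in the thread.

```python
import html
import urllib.parse

MARKER = "9fdbd928b52c1ef61615a6fd2e8b49af"   # marker value quoted in the thread
COMMAND = "echo " + MARKER                     # what the check submits

# Constructed response bodies (not captured from a device).
REFLECTED_ONLY = ("<html><body>Last request: cmd="
                  + urllib.parse.quote_plus(COMMAND) + "</body></html>")
WITH_OUTPUT = ("<html><body>Last request: " + COMMAND
               + "<pre>" + MARKER + "</pre></body></html>")
UNRELATED = "<html><body>Login required</body></html>"


def reflected_forms(command):
    """Ways a page may echo the submitted command: raw, HTML-escaped, URL-encoded."""
    return {command, html.escape(command),
            urllib.parse.quote(command), urllib.parse.quote_plus(command)}


def classify_check(body, command, marker):
    """Return 'absent', 'reflected' or 'output' for one check response."""
    if marker not in body:
        return "absent"
    remainder = body
    # Remove every echoed copy of the request, longest form first.
    for form in sorted(reflected_forms(command), key=len, reverse=True):
        remainder = remainder.replace(form, "")
    # A marker that survives was not part of the echoed request.
    return "output" if marker in remainder else "reflected"


def report(body, command=COMMAND, marker=MARKER):
    """Map the classification to what the check is entitled to claim."""
    return {
        "absent": "request not accepted or different device",
        "reflected": "request accepted, command execution unconfirmed",
        "output": "command output observed",
    }[classify_check(body, command, marker)]
```
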

lucyoa commented Apr 11, 2016

I think for now, as long as we don't have a dedicated mechanism for blind command injection, it is hard to do it properly. I think you could try to use timing with the sleep command.

Try to inject a sleep command; if it works, the check method could work as follows:

  1. Make first request with command like "echo test"
  2. Make another request with command "sleep 10"

If the time difference between responses is significant, something like 5+ seconds, then we can assume that the device is vulnerable.

n00py commented Apr 11, 2016

Hello, I tried that but it doesn't work the way we want it to. The shell it creates may be sleeping but the web server responds right back.

What I think might be a good option for the "universal" blind detection technique:

  1. Open up a socket/mini web server.
  2. With the blind injection, send a command, and have it pipe the output to curl.
  3. The socket reads the HTTP request, and parses the data.

Not all of these devices will have netcat, but most I've seen will have wget/curl.
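
An added example, not code from this pull request: a local simulation of why the timing check proposed earlier in the thread sees no delay when the web server hands the command off and replies at once. The two handlers are constructed stand-ins for a device (all names are hypothetical), and the delay is shortened to 0.5 s so the demonstration runs quickly.

```python
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_server(wait_for_command):
    """Constructed stand-in for a device web server; the POST body is the
    number of seconds the simulated command keeps running."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            seconds = float(self.rfile.read(length).decode() or 0)
            job = threading.Thread(target=time.sleep, args=(seconds,), daemon=True)
            job.start()
            if wait_for_command:      # synchronous: reply only after the command ends
                job.join()
            self.send_response(200)   # otherwise reply at once, command still running
            self.end_headers()
            self.wfile.write(b"ok")

        def log_message(self, *args):  # silence per-request logging
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def elapsed(port, seconds):
    """Time one request whose simulated command runs for `seconds`."""
    start = time.monotonic()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/", body=str(seconds))
    conn.getresponse().read()
    conn.close()
    return time.monotonic() - start

def timing_check(port, delay=0.5, threshold=0.3):
    """Baseline request, then delayed request; compare the response times."""
    baseline = elapsed(port, 0)
    return elapsed(port, delay) - baseline >= threshold

def demo():
    verdicts = {}
    for name, wait in (("synchronous", True), ("fire_and_forget", False)):
        server = make_server(wait)
        verdicts[name] = timing_check(server.server_address[1])
        server.shutdown()
        server.server_close()
    return verdicts
```

`demo()` reports a detectable delay only for the synchronous handler; a negative timing result therefore says nothing about whether the command ran.
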

lucyoa commented Apr 11, 2016

OK, thanks for the info. I think the current implementation for this vulnerability is good enough and provides a pretty high degree of certainty that the device is vulnerable - the request command is shown in the apply.cgi response.

I think we will improve that in the future with reverse shell techniques.

Let me know if you are ok with that and I will be happy to merge this pull request :)

n00py commented Apr 11, 2016

Yeah, I think it will do for now; the check at least will likely confirm you have the right kind of router targeted.

Sounds good!

lucyoa commented Apr 11, 2016

Great work @n00py

@lucyoa lucyoa merged commit 07aeefd into threat9:master Apr 11, 2016
@fwkz fwkz added the module label May 7, 2016