Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added Module for Linksys E1500/2500. #5

Merged
merged 4 commits into from
Apr 11, 2016
Merged

Added Module for Linksys E1500/2500. #5

merged 4 commits into from
Apr 11, 2016

Conversation

n00py
Copy link
Contributor

@n00py n00py commented Apr 11, 2016

Added a new module. This has been tested successfully on my personal E2500.

@lucyoa
Copy link
Contributor

lucyoa commented Apr 11, 2016

Good job, it looks nice. We need some changes to make it even better:

  • Exploit filename should be changed from 1500_2500.py to 1500_2500_rce.py
  • This is post auth module, so username and password are required. Currently these values are hardcoded - admin/admin. It could be improved if you would register new options:
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
username = exploits.Option('admin', 'Username to login with')
password = exploits.Option('admin', 'Password to login with')

and then we could change this:

r = requests.post(url, data=data, auth=("admin", "admin"))

to:

r = requests.post(url, data=data, auth=(self.username, self.password))

This way, user is able to set his own username/password but by default it is admin/admin.

  • Following code from "run" method
if self.check() == True:

can be changed to:

if self.check():
  • Extra quotes can be deleted:
'references': [
    'https://www.exploit-db.com/exploits/24475/',
    ""
],

Would you mind making changes?

We can also merge this pull request and make necessary changes and then you would test if it works properly on your device :)

@n00py
Copy link
Contributor Author

n00py commented Apr 11, 2016

I’ll try to make these changes myself. Thanks for the tips!

  • Esteban

On Apr 11, 2016, at 12:31 PM, Marcin Bury notifications@github.com wrote:

Good job, it looks nice. We need some changes to make it even better:

Exploit filename should be changed from 1500_2500.py to 1500_2500_rce.py
This is post auth module, so username and password are required. Currently these values are hardcoded - admin/admin. It could be improved if you would register new options:
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
username = exploits.Option('admin', 'Username to login with')
password = exploits.Option('admin', 'Password to login with')
and then we could change this:

r = requests.post(url, data=data, auth=("admin", "admin"))
to:

r = requests.post(url, data=data, auth=(self.username, self.password))
This way, user is able to set its own username/password but by default it is admin/admin.

Following code from "run" method
if self.check() == True:
can be changed to:

if self.check():
Extra quotes can be deleted:
'references': [
'https://www.exploit-db.com/exploits/24475/',
""
],
Would you mind make changes?

We can also merge this pull request and make necessary changes and then you would test if it works properly on your device :)


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub #5 (comment)

@n00py
Copy link
Contributor Author

n00py commented Apr 11, 2016

I added the authentication piece, the simple change of "if self.check():" broke everything, and I wasn't sure why, so I left that in for now.

@lucyoa
Copy link
Contributor

lucyoa commented Apr 11, 2016

Your "execute" method is always returning empty string. I think it should be "return r.text" ?

@n00py
Copy link
Contributor Author

n00py commented Apr 11, 2016

I shouldn't have put "return r.text" there in the first place, it actually just dumps out the HTML of the page, which is undesirable. This command injection is blind, so I wasn't quite sure what to return.

@lucyoa
Copy link
Contributor

lucyoa commented Apr 11, 2016

Oh I see, we are working on implementing mechanism responsible for retrieving response from blind command injection but your implementation is good.

Could you tell me how the check method works? Does it respond with marker value 9fdbd928b52c1ef61615a6fd2e8b49af from echo command injection?

@n00py
Copy link
Contributor Author

n00py commented Apr 11, 2016

Well, the truth is that the check is somewhat superficial. The only thing it proves is that you sent a properly formatted request, but it doesn't prove that the command injection worked. If you think of a clever way to do this, I'll try to implement it.

@n00py
Copy link
Contributor Author

n00py commented Apr 11, 2016

The actual string shows up in the response, but the HTML only contains the query you sent, not any output from it.

@lucyoa
Copy link
Contributor

lucyoa commented Apr 11, 2016

I think for now, as long as we don't have dedicated mechanism for blind command injection, it is hard to do it properly. I think you could try to use timing with sleep command.

Try to inject sleep command, if it works check method could work as follow:

  1. Make first request with command like "echo test"
  2. Make another request with command "sleep 10"

If time difference between responses is significant, something like 5+ seconds then we can assume that the device is vulnerable.

@n00py
Copy link
Contributor Author

n00py commented Apr 11, 2016

Hello, I tried that but it doesn't work the way we want it to. The shell it creates may be sleeping but the web server responds right back.

What I think might be a good option for the "universal" blind detection technique:
open up a socket/mini web server;
with the blind injection, send a command, and have it pipe the output to curl
The socket reads the http request, and parses the data

Not all of these devices will have netcat, but most I've seen will have wget/curl.

@lucyoa
Copy link
Contributor

lucyoa commented Apr 11, 2016

Ok thanks for info. I think current implementation for this vulnerability is good enough and provides pretty high degree of certainty that the device is vulnerable - request command shown on apply.cgi response.

I think we will improve that in the future with reverse shell techniques.

Let me know if you are ok with that and I will be happy to merge this pull request :)

@n00py
Copy link
Contributor Author

n00py commented Apr 11, 2016

Yeah I think it will do for now, the check at least will likely confirm you have the right kind of router targeted.

Sounds good!

@lucyoa
Copy link
Contributor

lucyoa commented Apr 11, 2016

Great work @n00py

@lucyoa lucyoa merged commit 07aeefd into threat9:master Apr 11, 2016
@fwkz fwkz added the module label May 7, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants