2020-01-20 21:26:59 -05:00

## Vulnerable Application

This module uses a challenge solver exploit which impacts two possible states of the device: pre-password set and post-password set. The pre-password set vulnerability uses a default password and a weak anti-CSRF check (CVE-2015-4624) to obtain a shell by logging in and pre-computing the solution to the anti-CSRF check.

The post-password set vulnerability uses the fact that there is a 1 in 27 chance of correctly guessing the challenge solution. This attack resets the password to a password chosen by the attacker (we suggest the default 'pineapplesareyummy' to decrease collateral damage on victims) and then performs the same anti-CSRF attack as the pre-password vulnerability.

This exploit uses a utility function in /components/system/configuration/functions.php to execute commands once authorization has been bypassed.
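Why a 27-outcome challenge offers no real CSRF protection, as an added illustration that is not part of the module documentation or the Pineapple's own code: the block below models the 1 in 27 chance cited above as independent, uniformly distributed guesses (an assumption about the challenge, not a statement about its implementation), computes how many guesses reach a given cumulative success probability, and contrasts that with a token of proper entropy generated from the OS CSPRNG and compared in constant time, which is the general fix for this class of weakness.

```python
import math
import secrets

# Per the module description, one guess at the challenge solution has a
# 1 in 27 chance of being right. The model assumes the 27 outcomes are
# equally likely and guesses are independent (an assumption for this
# illustration, not a description of the Pineapple's challenge code).
CHALLENGE_OUTCOMES = 27


def success_probability(guesses, outcomes=CHALLENGE_OUTCOMES):
    """Probability that at least one of `guesses` independent guesses succeeds."""
    p = 1.0 / outcomes
    return 1.0 - (1.0 - p) ** guesses


def guesses_for_confidence(target, outcomes=CHALLENGE_OUTCOMES):
    """Smallest number of guesses whose cumulative success probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    p = 1.0 / outcomes
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def entropy_bits(outcomes):
    """Entropy, in bits, of a value chosen uniformly from `outcomes` possibilities."""
    return math.log2(outcomes)


def generate_csrf_token(nbytes=32):
    """A CSRF token with 8 * nbytes bits of entropy from the OS CSPRNG.

    This is the general recommendation for anti-CSRF tokens; it is not
    the Pineapple's own code.
    """
    return secrets.token_urlsafe(nbytes)


def tokens_match(expected, presented):
    """Constant-time comparison so the check does not leak via timing."""
    return secrets.compare_digest(expected, presented)


if __name__ == "__main__":
    print(f"Challenge entropy: {entropy_bits(CHALLENGE_OUTCOMES):.2f} bits")
    for k in (1, 10, 19, 50, 123):
        print(f"{k:4d} guesses -> cumulative success {success_probability(k):.3f}")
    print("guesses for 50% success:", guesses_for_confidence(0.5))
    print("guesses for 99% success:", guesses_for_confidence(0.99))
    token = generate_csrf_token()
    print(f"Random token entropy: {entropy_bits(2 ** 256):.0f} bits, example: {token}")
    # Against a 256-bit token, 1000 guesses give a success probability
    # indistinguishable from zero in floating point.
    print(f"1000 guesses vs 256-bit token -> {success_probability(1000, 2 ** 256):.3e}")
```

The point for a defender is the entropy gap: a challenge with 27 possible answers carries under 5 bits, so a handful of retries is enough, whereas a 256-bit random token makes the same brute-force strategy hopeless. Any anti-CSRF mechanism whose solution space can be enumerated, or pre-computed from a default password as the pre-password case above does, gives no protection regardless of how the check is wired into the page.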

## Verification Steps

This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The default module options are generally effective because the device is in a known state after being flashed. You will need to be connected to the WiFi pineapple network (e.g. via WiFi or ethernet).

Assuming the above 2.3 firmware is installed, this exploit should always work. If it does not, try it again. It should always work as long as the pineapple is in its default configuration.