Adding version checking to wemo module

Addresses Github Issue 11452 by parsing out the version information returned in /setup.xml. New code then performs a version check, and then alerts the user to whether or not it is likely the remote host is vulnerable given that version check.
2019-02-22 16:20:53 -06:00 · 2019-02-22 16:20:53 -06:00 · 6bd1489f62
parent aa0ba91d92
commit 6bd1489f62
1 changed files with 27 additions and 4 deletions
--- a/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
+++ b/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
@ -22,7 +22,8 @@ class MetasploitModule < Msf::Exploit::Remote
      },
      'Author'             => [
        'phikshun', # Discovery, UFuzz, and modules
-        'wvu'       # Crock-Pot testing and module
+        'wvu',      # Crock-Pot testing and module
+        'nstarke'   # Version-checking research and implementation
      ],
      'References'         => [
        ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
@ -82,16 +83,38 @@ class MetasploitModule < Msf::Exploit::Remote
    )

    if res && res.code == 200 && res.body.include?('urn:Belkin:device:')
-      vprint_good('Wemo-enabled device detected')
-      return CheckCode::Appears
+      print_good('Wemo-enabled device detected')
+    else
+      print_error('This does not appear to be a wemo-enabled device')
+      return
+    end
+
+    begin
+      version_text = res.get_xml_document.to_s
+      version_text =~ /WeMo_WW_?([\d]*[.][\d]*[.][\d]*)/ && $1 && version = (Gem::Version.new($1))
+      print_status("Found version: #{version.to_s}")
+    rescue
+      print_error('Error parsing version information from xml')
+      return
+    end
+
+    if version && version < Gem::Version.new('2.00.8643')
+      print_good('Firmware version appears to be vulnerable')
+      CheckCode::Appears
+    else
+      print_warning('Firmware version appears not to be vulnerable')
+      CheckCode::Safe
    end

-    CheckCode::Safe
  end

  def exploit
    checkcode = check

+    unless checkcode || datastore['ForceExploit']
+      fail_with(Failure::Unknown, 'Set ForceExploit to override')
+    end
+
    unless checkcode == CheckCode::Appears || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end