-
Notifications
You must be signed in to change notification settings - Fork 14.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
automatic module_metadata_base.json update
- Loading branch information
1 parent
10d4b92
commit a6e3b3b
Showing
1 changed file
with
43 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -90551,7 +90551,7 @@ | |
| "targets": [ | ||
| "Auto" | ||
| ], | ||
| "mod_time": "2020-10-02 17:38:06 +0000", | ||
| "mod_time": "2023-12-05 10:51:12 +0000", | ||
| "path": "/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb", | ||
| "is_install_path": true, | ||
| "ref_name": "linux/upnp/dlink_dir859_exec_ssdpcgi", | ||
|
|
@@ -90615,7 +90615,7 @@ | |
| "needs_cleanup": null | ||
| }, | ||
| "exploit_linux/upnp/dlink_upnp_msearch_exec": { | ||
| "name": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection", | ||
| "name": "D-Link Unauthenticated Remote Command Execution using UPnP via a special crafted M-SEARCH packet.", | ||
| "fullname": "exploit/linux/upnp/dlink_upnp_msearch_exec", | ||
| "aliases": [ | ||
|
|
||
|
|
@@ -90624,35 +90624,65 @@ | |
| "disclosure_date": "2013-02-01", | ||
| "type": "exploit", | ||
| "author": [ | ||
| "Zachary Cutlip", | ||
| "Michael Messner <[email protected]>" | ||
| "h00die-gr3y <[email protected]>", | ||
| "Zach Cutlip", | ||
| "Michael Messner <[email protected]>", | ||
| "Miguel Mendez Z. (s1kr10s)", | ||
| "Pablo Pollanco (secenv)", | ||
| "Naihsin https://github.com/naihsin" | ||
| ], | ||
| "description": "Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast\n requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip\n has initially reported the DIR-815 vulnerable. Probably there are other devices also\n affected.", | ||
| "description": "A command injection vulnerability exists in multiple D-Link network products, allowing an attacker\n to inject arbitrary command to the UPnP via a crafted M-SEARCH packet.\n Universal Plug and Play (UPnP), by default is enabled in most D-Link devices, on the port 1900.\n An attacker can perform a remote command execution by injecting the payload into the\n `Search Target` (ST) field of the SSDP M-SEARCH discover packet.\n After successful exploitation, an attacker will have full access with `root` user privileges.\n\n NOTE: Staged meterpreter payloads might core dump on the target, so use stage-less meterpreter payloads\n when using the Linux Dropper target. Some D-Link devices do not have the `wget` command so\n configure `echo` as flavor with the command set CMDSTAGER::FLAVOR echo.\n\n The following D-Link network products and firmware are vulnerable:\n - D-Link Router model GO-RT-AC750 revisions Ax with firmware v1.01 or older;\n - D-Link Router model DIR-300 revisions Ax with firmware v1.06 or older;\n - D-Link Router model DIR-300 revisions Bx with firmware v2.15 or older;\n - D-Link Router model DIR-600 revisions Bx with firmware v2.18 or older;\n - D-Link Router model DIR-645 revisions Ax with firmware v1.05 or older;\n - D-Link Router model DIR-815 revisions Bx with firmware v1.04 or older;\n - D-Link Router model DIR-816L revisions Bx with firmware v2.06 or older;\n - D-Link Router model DIR-817LW revisions Ax with firmware v1.04b01_hotfix or older;\n - D-Link Router model DIR-818LW revisions Bx with firmware v2.05b03_Beta08 or older;\n - D-Link Router model DIR-822 revisions Bx with firmware v2.03b01 or older;\n - D-Link Router model DIR-822 revisions Cx with firmware v3.12b04 or older;\n - D-Link Router model DIR-823 revisions Ax with firmware v1.00b06_Beta or older;\n - D-Link Router model DIR-845L revisions Ax with firmware v1.02b05 or older;\n - D-Link Router model DIR-860L revisions Ax with firmware v1.12b05 or older;\n - D-Link Router model DIR-859 revisions Ax with firmware v1.06b01Beta01 or older;\n - D-Link Router model DIR-860L revisions Ax with firmware v1.10b04 or older;\n - D-Link Router model DIR-860L revisions Bx with firmware v2.03b03 or older;\n - D-Link Router model DIR-865L revisions Ax with firmware v1.07b01 or older;\n - D-Link Router model DIR-868L revisions Ax with firmware v1.12b04 or older;\n - D-Link Router model DIR-868L revisions Bx with firmware v2.05b02 or older;\n - D-Link Router model DIR-869 revisions Ax with firmware v1.03b02Beta02 or older;\n - D-Link Router model DIR-880L revisions Ax with firmware v1.08b04 or older;\n - D-Link Router model DIR-890L/R revisions Ax with firmware v1.11b01_Beta01 or older;\n - D-Link Router model DIR-885L/R revisions Ax with firmware v1.12b05 or older;\n - D-Link Router model DIR-895L/R revisions Ax with firmware v1.12b10 or older;\n - probably more looking at the scale of impacted devices :-(", | ||
| "references": [ | ||
| "CVE-2023-33625", | ||
| "CVE-2020-15893", | ||
| "CVE-2019-20215", | ||
| "URL-https://attackerkb.com/topics/uqicA23ecz/cve-2023-33625", | ||
| "URL-https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection", | ||
| "URL-http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html" | ||
| "URL-https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-rce-in-ssdpcgi-http-st-cve-2019-20215-en-2e799acb8a73", | ||
| "URL-https://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html", | ||
| "URL-https://research.loginsoft.com/vulnerability/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/", | ||
| "URL-https://github.com/naihsin/IoT/blob/main/D-Link/DIR-600/cmd%20injection/README.md" | ||
| ], | ||
| "platform": "", | ||
| "arch": "", | ||
| "platform": "Linux,Unix", | ||
| "arch": "cmd, mipsle, mipsbe, armle", | ||
| "rport": 1900, | ||
| "autofilter_ports": [ | ||
|
|
||
| 80, | ||
| 8080, | ||
| 443, | ||
| 8000, | ||
| 8888, | ||
| 8880, | ||
| 8008, | ||
| 3000, | ||
| 8443 | ||
| ], | ||
| "autofilter_services": [ | ||
|
|
||
| "http", | ||
| "https" | ||
| ], | ||
| "targets": [ | ||
| "MIPS Little Endian", | ||
| "MIPS Big Endian" | ||
| "Unix Command", | ||
| "Linux Dropper" | ||
| ], | ||
| "mod_time": "2020-10-02 17:38:06 +0000", | ||
| "mod_time": "2023-11-14 20:40:38 +0000", | ||
| "path": "/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb", | ||
| "is_install_path": true, | ||
| "ref_name": "linux/upnp/dlink_upnp_msearch_exec", | ||
| "check": true, | ||
| "post_auth": false, | ||
| "default_credential": false, | ||
| "notes": { | ||
| "Stability": [ | ||
| "crash-safe" | ||
| ], | ||
| "Reliability": [ | ||
| "repeatable-session" | ||
| ], | ||
| "SideEffects": [ | ||
| "ioc-in-logs", | ||
| "artifacts-on-disk" | ||
| ] | ||
| }, | ||
| "session_types": false, | ||
| "needs_cleanup": null | ||
|
|
||