Weekly Metasploit Update with more Embedded Device Attacks
The last Metasploit Update includes some new exploits for breaking embedded devices.
D-Link Embedded Device Shells
This week, esteemed Metasploit contributor @m-1-k-3 has been at it again with his valiant personal crusade against insecure SOHO (small office/home office) embedded devices with known vulnerabilities. We have a new trio of modules that target D-Link gear, based on the research released by Craig Heffner and Zachary Cutlip, which exploit two bugs present in the DSP-W215 Smart Plug, and one UPnP command injection bug found in the DIR-815.
The research on these embedded devices is really quite solid -- if you're at all interested in this kind of research, you can Craig's excellent notes on his first and second SmartPlug bugs, published in May of 2014, and Zachary's notes on the DIR-815 bug. Following along is now a ton easier with m-1-k-3's Metasploitization of these exploits, too, since you can now see the traffic on the wire if you happen to have one of these routers in your home or lab.
This is the part where I rail about the Internet-of-Things. I'll keep beating this drum because it's not "merely" your home networks that are at risk. If the gadgets are cool and useful enough, you can be sure they will find their way into office spaces across all kinds of industries, making the job of the penetration tester less of an exercise in finding vulnerable devices to target and more of prioritizing which ones should get exploited first.
Nobody updates firmware, ever. Nobody. As long as they're passing packets, and there's no IT department control over these things, these guys will remain vulnerable forever -- at least, until something radical changes in the embedded device space where updates are automatic and routine -- and don't fall prey to Evilgrade-like attacks, which have been around for a few years now.
- D-Link info.cgi POST Request Buffer Overflow by Craig Heffner and Michael Messner exploits OSVDB-108249
- D-Link HNAP Request Remote Buffer Overflow by Craig Heffner and Michael Messner exploits CVE-2014-3936
- D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection by Michael Messner and Zachary Cutlip