module

D-Link info.cgi POST Request Buffer Overflow

Disclosed	Created
2014-05-22	2018-05-30

Disclosed

2014-05-22

Created

2018-05-30

Description

This module exploits an anonymous remote code execution vulnerability on different D-Link
devices. The vulnerability is a stack based buffer overflow in the my_cgi.cgi component,
when handling specially crafted POST HTTP requests addresses to the /common/info.cgi
handler. This module has been successfully tested on D-Link DSP-W215 in an emulated
environment.

Authors

Craig Heffner
Michael Messner devnull@s3cur1ty.de

Platform

Linux

Architectures

mipsbe

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/linux/http/dlink_dspw215_info_cgi_bof
    msf exploit(dlink_dspw215_info_cgi_bof) > show targets
        ...targets...
    msf exploit(dlink_dspw215_info_cgi_bof) > set TARGET < target-id >
    msf exploit(dlink_dspw215_info_cgi_bof) > show options
        ...show and set options...
    msf exploit(dlink_dspw215_info_cgi_bof) > exploit

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today