The D-Link DSP-W215 smart plug is a wirelessly controlled power outlet switch. It cannot be bought from Amazon or Best Buy, but the firmware can be downloaded from the D-Link website.
The DSP-W215 contains a stack overflow vulnerability. Through it, an attacker can take control of the entire plug, including switching the electrical equipment connected to it on and off.
Analysis of the plug's firmware:
LZMA compression, a Linux file system, and a uImage compressed kernel image.
Unpacking the firmware and inspecting its contents shows no web-based management interface. The plug can only be managed through the Android or iOS application provided for it, and that application uses the Home Network Administration Protocol (HNAP).
HNAP is based on the SOAP protocol; its requests and responses are as follows:
The smart plug uses lighttpd, a lightweight web server, to carry the HNAP protocol. According to the lighttpd configuration, HNAP requests are sent to /www/my_cgi.cgi for processing.
    ...
    alias.url += ( "/HNAP1/" => "/www/my_cgi.cgi",
                   "/HNAP1"  => "/www/my_cgi.cgi",
    ...
Although HNAP is a protocol that requires authentication, some actions do not require it, such as retrieving the device information and settings.
HNAP request data is processed by the do_hnap function in my_cgi.cgi. do_hnap first processes the Content-Length header specified in the POST request.
It converts the length string to an integer.
Then it reads that many bytes of data into a fixed-size buffer allocated on the stack (500,000 bytes).
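The check missing from the steps above, as an added example (not code from the firmware or from the original article): the Content-Length value is parsed strictly and compared with the buffer size before any data is read. The function names, the CONTENT_LENGTH environment variable (the usual CGI convention) and the atoi/fread calls in the comment are assumptions; only the 500,000-byte buffer size comes from the text.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define BODY_BUF_SIZE 500000  /* stack buffer size stated in the text */

/* Pattern described in the text (reconstructed, not the firmware's code):
 * the header value is used as the read size without being compared with
 * the buffer size, so a larger value writes past the end of buf.
 *     char buf[BODY_BUF_SIZE];
 *     int len = atoi(content_length);
 *     fread(buf, 1, len, in);
 */

/* Strict parse: plain decimal digits only, no larger than max.
 * Returns 0 and stores the value in *out on success, -1 otherwise. */
int parse_content_length(const char *s, size_t max, size_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s < '0' || *s > '9')  /* missing, empty, sign, space */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max)  /* overflow, junk, too big */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Bounded read: the length is validated against bufsize before any byte
 * is copied. Returns the number of bytes read, or -1 if rejected. */
long read_body(FILE *in, const char *content_length, char *buf, size_t bufsize)
{
    size_t len;

    if (parse_content_length(content_length, bufsize, &len) != 0)
        return -1;
    return (long)fread(buf, 1, len, in);
}

/* CGI-style entry point (assumed): length from the environment, body on stdin. */
int main(void)
{
    static char buf[BODY_BUF_SIZE];
    long n = read_body(stdin, getenv("CONTENT_LENGTH"), buf, sizeof buf);
    printf(n < 0 ? "rejected\n" : "read %ld bytes\n", n);
    return n < 0;
}
```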