Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
fc44a93eba283e1584275d9596c2494164e66d54813e74e0886f302958943e2eDifferent D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
e20ef0dd89ff88caf92c753721ba8454b95e56f6cc1668c930745008c71c7246This Metasploit module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component, when handling specially crafted POST HTTP requests addresses to the /common/info.cgi handler. This Metasploit module has been successfully tested on D-Link DSP-W215 in an emulated environment.
43736a283718e26edea62c6eac8d7fee90f2153854e5ba828b05e5d93aada113This Metasploit module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is due to an stack based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This Metasploit module has been successfully tested on D-Link DIR-505 in an emulated environment.
d5c1234114f0d3f1eea91c96527721cb48a9b2b6cddece427779fb9fdccd3e20This Metasploit module exploits an remote buffer overflow vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the authentication.cgi with long password values. The vulnerability can be exploitable without authentication. This Metasploit module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
450e0c17e9ed8a5889f1222fd8943a072ac89cff24fdb5117836d675f119995dThis Metasploit module exploits an anonymous remote code execution vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with long value cookies. This Metasploit module has been tested successfully on D-Link DIR300v2.14, DIR600 and the DIR645A1_FW103B11 firmware.
34fd8be52c6556ed2de772a2ee3aff9ac71be9f460f14eb17c88ae1909383dd4WRT120N version 1.0.0.7 stack overflow exploit which clears the admin password.
e1aa2a251a9986b0b7cc00e00e274da9c8e78a9cfc2a13541756864a4b3830d7This Metasploit module exploits an anonymous remote code execution on D-Link DIR-605L routers. The vulnerability exists while handling user supplied captcha information, and is due to the insecure usage of sprintf on the getAuthCode() function. This Metasploit module has been tested successfully on DLink DIR-605L Firmware 1.13 under a QEMU environment.
0a2625495d220d8e34aeaeab3b030e38d5c3d8c061e96a0d097c1527e36f1458Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
eb0ab404a41e58a9c8d3dbaf9f79b310c14ffa514716f7e578dd2ae6d3777aadReaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
ded5b9b2c8f52c1ee9a2ccae0a4957eee5c2a8acbd45a13ae2480551c9a9a525Remote attackers can gain sensitive information about a DD-WRT router and internal clients, including IP addresses, MAC addresses and host names. This information can be used for further network attacks as well as very accurate geolocation. This is exploitable even if remote administration is disabled. Version 24-preSP2 is affected.
7102053c920ae264843dc40d0a21522a645ecbba49d6f4df097245cfdadc92f8The D-Link WBR-1310 suffers from a direct access authentication bypass vulnerability that can also be exploited by cross site request forgery even if remote administration is disabled.
c8c2e3b11bddb617e900bf397c0b626d6f2c53ce614c6501340229ba39656a76This file provides a detailed description of a privilege escalation vulnerability that has been confirmed to affect the DIR-615 revD router running firmware version 4.11.
a160c910db3449d12d52aa5b71001bba6e2a99708a556a84bf479eddf5694cb0D-Link routers such as the DIR-615 revD, DIR-320 and DIR-300 all suffer from multiple remote authentication bypass vulnerabilities.
f1a9231c26177ad1738cc646517d63f8730f5f15148496f3064ab23103362ee0Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities.
d14d0b979b115a202bce72bdcfd7fc749f57546b53bf094e2e1119c7c9a8c158Short whitepaper discussing API hooking/interception via DLL redirection.
4f3b2999eaf8674d18053e9c19ddc2690f09ca07ac557ea9d739cbee813c6366Httprox is a perl-based HTTP proxy that modifies or adds an HTTP header for all outgoing HTTP traffic. It can handle multiple connections and is useful for Web-application penetration testing, such as modification of the Cookie, User-Agent and Referrer fields, or adding HTTP headers that would normally not be present.
a32745a7befd14b31c9a2fb9978860e1cf22eedc93cd7213171a414c7df53eacThis paper is intended as an introduction to reverse engineering for someone who has no experience on the subject.
b8caadda8d6c36dbf640925de6b437af651606ace7a3d4487b29fdb6cce2cd18While there are some easy ways of changing the antivirus signature of a program (packers, encryptors, etc), they may not always be viable options for those wishing to bypass antivirus applications. This paper will show how to locate the signature used to identify Netcat, and modify it so that the executable no longer matches Symantec's AV signature, without interfering with any of the program's functionality. This is an exercise in identifying and modifying sections of code (aka, signatures) that are used by antivirus programs to identify malicious code; the tools and techniques used here can be applied to any program that is marked as malicious by AV applications.
acfa9cdef5c30cd4848dccab719ac832c6ce65cf0aae70ef4dc41ad12ea37fd7Modern whitepaper that is along the lines of 'Smashing The Stack For Fun And Profit' that also takes into account how the GNU C compiler has evolved since 1998.
3972ef78d5d378100d75cd0552c59ce31b25e4c886950965b6f1767fe95d3880This multi-part tutorial will present several ways in which you can add functionality to closed source Windows executables through DLLs, PE header modification, and good old assembly code. Adding code to existing code caves, modifying PE headers to create code caves and/or importing DLL functions, adding backdoors to programs, and adding plugin support to closed-source programs are all covered.
addfbf9225a75334eb73fe19aa2b943d801118f73553f9dc431330aa37f87327Wesley is a fake DHCP server that implements various features like invisible redirection of connections and MAC filtering for singling out a specific host or not replying to DHCP requests from security scanners.
c4e69c01df48f32cae5b7ddcc7ffe8d28a867fdcc1d5ea4244ff74b7a234eb78Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via timestamp and window options by modifying relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners were not identical to those of p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after Security Cloak settings had been applied.
66e4dab7b1c77acc36e113c187db43fce3b3e2841a33f0be05bdce710d59e95bWesley is a fake DHCP server that implements various features like invisible redirection of connections and MAC filtering for singling out a specific host or not replying to DHCP requests from security scanners.
4141b12cdfa4abc4b138353a5f8f09ad7ae2721a53d307cfb78905670c2d665cThis is a quick script to redirect a wireless client to a fake a login page for a WLAN. This is much stealthier than implementing a rouge AP in conjunction with layer 1/2 attacks against the WAP. It uses tethereal to listen for IP addresses being assigned to a new wireless client via DHCP, then runs dnsa-ng to redirect DNS queries from the new client to the specified IP.
17b5108909bf86dbdef1d4982b0cebc5b7051fe0b86c0c2f0fafbd25ace69bbd
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed