Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
3441fbd8c1fcc5a225cc156757ccb483
Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This Metasploit module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
9120bc404ccb10c6abc177860b52fe17
This Metasploit module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component, when handling specially crafted POST HTTP requests addresses to the /common/info.cgi handler. This Metasploit module has been successfully tested on D-Link DSP-W215 in an emulated environment.
6536bc2c5fe1aa932ecb74dca292aac3
This Metasploit module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is due to an stack based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This Metasploit module has been successfully tested on D-Link DIR-505 in an emulated environment.
27690b7b0e20b8d8e44f2d6a42ccbd96
This Metasploit module exploits an remote buffer overflow vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the authentication.cgi with long password values. The vulnerability can be exploitable without authentication. This Metasploit module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
e86843e76fd74450b6a58bebe5f22c7f
This Metasploit module exploits an anonymous remote code execution vulnerability on several D-Link routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with long value cookies. This Metasploit module has been tested successfully on D-Link DIR300v2.14, DIR600 and the DIR645A1_FW103B11 firmware.
f42a41ed103516610ddf009f7f6aba79
WRT120N version 1.0.0.7 stack overflow exploit which clears the admin password.
6fc4c70e2261e1d8caee7ac0a799ed98
This Metasploit module exploits an anonymous remote code execution on D-Link DIR-605L routers. The vulnerability exists while handling user supplied captcha information, and is due to the insecure usage of sprintf on the getAuthCode() function. This Metasploit module has been tested successfully on DLink DIR-605L Firmware 1.13 under a QEMU environment.
0547694f381c1caecddb6f60063679db
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
e073021df56b2e6499f8c894564805eb
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
7c22180fac128f898c68a8c6b18796f1
Remote attackers can gain sensitive information about a DD-WRT router and internal clients, including IP addresses, MAC addresses and host names. This information can be used for further network attacks as well as very accurate geolocation. This is exploitable even if remote administration is disabled. Version 24-preSP2 is affected.
f578fa34e93c6d161f93ffda8f027233
The D-Link WBR-1310 suffers from a direct access authentication bypass vulnerability that can also be exploited by cross site request forgery even if remote administration is disabled.
41ecf5385d6c8dde407a5a19f330a84f
This file provides a detailed description of a privilege escalation vulnerability that has been confirmed to affect the DIR-615 revD router running firmware version 4.11.
6055ee70d3d25a676d82d2f4c845194a
D-Link routers such as the DIR-615 revD, DIR-320 and DIR-300 all suffer from multiple remote authentication bypass vulnerabilities.
1ff0a8ee52d8919c993fbb2e173fd2f4
Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities.
7a918e216859c92bc47dec41ced50092
Short whitepaper discussing API hooking/interception via DLL redirection.
4e78af66fd03f49d6878ac5a06b14467
Httprox is a perl-based HTTP proxy that modifies or adds an HTTP header for all outgoing HTTP traffic. It can handle multiple connections and is useful for Web-application penetration testing, such as modification of the Cookie, User-Agent and Referrer fields, or adding HTTP headers that would normally not be present.
e10a97075e3d43e3d85baada44328db1
This paper is intended as an introduction to reverse engineering for someone who has no experience on the subject.
d0323f4d500864e2a4fd71e1607fc5a1
While there are some easy ways of changing the antivirus signature of a program (packers, encryptors, etc), they may not always be viable options for those wishing to bypass antivirus applications. This paper will show how to locate the signature used to identify Netcat, and modify it so that the executable no longer matches Symantec's AV signature, without interfering with any of the program's functionality. This is an exercise in identifying and modifying sections of code (aka, signatures) that are used by antivirus programs to identify malicious code; the tools and techniques used here can be applied to any program that is marked as malicious by AV applications.
595c987f017f5351e9fbd2d609a5acc0
Modern whitepaper that is along the lines of 'Smashing The Stack For Fun And Profit' that also takes into account how the GNU C compiler has evolved since 1998.
4a7b8193e8080f8b199753921c2eaa78
This multi-part tutorial will present several ways in which you can add functionality to closed source Windows executables through DLLs, PE header modification, and good old assembly code. Adding code to existing code caves, modifying PE headers to create code caves and/or importing DLL functions, adding backdoors to programs, and adding plugin support to closed-source programs are all covered.
12b2cdafaf8a4dc8244d3cd2859947c7
Wesley is a fake DHCP server that implements various features like invisible redirection of connections and MAC filtering for singling out a specific host or not replying to DHCP requests from security scanners.
175affe3badc4ac0935af6d5f9f1cd5d
Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via timestamp and window options by modifying relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners were not identical to those of p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after Security Cloak settings had been applied.
71270c9f80595377033308ee642d084d
Wesley is a fake DHCP server that implements various features like invisible redirection of connections and MAC filtering for singling out a specific host or not replying to DHCP requests from security scanners.
c6f5d8c96c60ada2efdcd4f00a4ceca2
This is a quick script to redirect a wireless client to a fake a login page for a WLAN. This is much stealthier than implementing a rouge AP in conjunction with layer 1/2 attacks against the WAP. It uses tethereal to listen for IP addresses being assigned to a new wireless client via DHCP, then runs dnsa-ng to redirect DNS queries from the new client to the specified IP.
50dfde5d23deac368489c5cfb63291a2