Some D-Link routers are vulnerable to OS command injection in the web interface. On DIR-645 versions prior to 1.03, authentication isn't needed to exploit it. On version 1.03, authentication is needed in order to trigger the vulnerability, which has been definitively fixed in version 1.04. Other D-Link products, like DIR-300 rev B and DIR-600, are also affected by this vulnerability. Not every device includes wget, which we need for deploying our payload. On such devices you could use the cmd generic payload and try to start telnetd or execute other commands. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This Metasploit module has been tested successfully on DIR-645 prior to 1.03, where authentication isn't needed in order to exploit the vulnerability.
f2ceeefd8dbcad542f7e425fc2a4629e678ed768c94c49906f4e9341a1042096
Some Linksys routers are vulnerable to an authenticated OS command injection in the web interface. Default credentials are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. The user must be prudent when using this module, since it modifies the router configuration during exploitation, even though it tries to restore the previous values.
842e633a501f723e29c147350b0f672da78b474050f74be28f55d1501d673b3c
D-Link devices DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110 all suffer from a remote command injection vulnerability.
17eb6a8037069b38384464fb6033053265e37d9e03348a06ffc828a643e35041
Some Netgear routers are vulnerable to authenticated OS command injection. The vulnerability exists in the web interface, specifically in the setup.cgi component, when handling the TimeToLive parameter. Default credentials are always a good starting point; admin/admin or admin/password could be a first try. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes.
623ce5343f36444ea84dd10286be202aa0da4fc1e9e606d5ba8d7544d69fb889
Some Linksys routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes.
b0afd45182320ce4cbe58cfbaef05397334c74a08e5a150118bf0469c6dc9d01
Some Dream Boxes with OpenPLI version 3 beta images are vulnerable to OS command injection in the Webif 6.0.4 web interface. This is a blind injection, which means that you will not see any output of your command. A ping command can be used for testing the vulnerability. This Metasploit module has been tested on a box with the following features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware 1.06 and Web Interface 6.0.4-Expert (PLi edition).
08146370ff7e87193e0ac650501ba578d139728fdb5da79083867c3d68983b6c
Netgear DGN2200B suffers from remote command injection and cross site scripting vulnerabilities.
634264ce1a769f340ba92a3a358816a469ffa2e4015e8b04265695279dba696d
The Edimax EW-7206APg and EW-7209APg suffer from cross site scripting, HTTP header injection, and open redirection vulnerabilities.
caf5494f483d9fdfdddc161b8ffa759d8caa9aa9cf89ce0b6c0d0e843b783136
The TP-Link TL-WA701N and TL-WA701ND suffer from stored cross site scripting and directory traversal vulnerabilities.
94e97a9978ccdf366f647fe8f6856515428f710579e8124bc4f97d8d7503a1d9
Raidsonic versions IB-NAS5220 and IB-NAS4220-B suffer from authentication bypass and persistent cross site scripting vulnerabilities.
fe8f5e0eadcb9f646b6f562ce732f7187fcdd832bcb2a1a6a738e78ba597f151
OpenPLI Dream Multimedia Box suffers from cross site scripting and remote OS command injection vulnerabilities.
f5d4feb4ba89383043e9c71ed9f5ca9c4929fef7a2cf63360283140f9e11618c
Linksys E1500 and E2500 suffer from cross site request forgery, cross site scripting, remote command injection, and directory traversal vulnerabilities.
8f4ca31ed3ff1f131edf930a3e632c1433e475e164124e9a7516f54e7b1af180
Linksys WRT160N suffers from cross site scripting, cross site request forgery, and remote command injection vulnerabilities.
39b1aacd1083769cd903e8b6c46c0bcef01ce5e97ca668800168ca3378fa2176
D-Link DIR-615 rev H suffers from cross site request forgery, information disclosure, and remote command injection vulnerabilities.
41b970b21adea1850727bf853c7a64b9e73638cbc268a00e301d4a225d17b956
Linksys WAG200G suffers from cross site scripting and remote command injection vulnerabilities.
2b6dddc567f756cb697c510a2e5bf2220a9fb207d776b1a3492dc2707810ea56
The Netgear N150 Wireless ADSL2+ Modem Router DGN1000 suffers from cross site scripting, OS command injection, and insecure cryptographic storage vulnerabilities. Firmware versions 1.1.00.24 and 1.1.00.45 are affected.
dcec7c5cda6f10f1bbcd85f15e43d09cfdc1cbee7d31d660686584eb925c0e5c
Linksys models E1500 and E2500 suffer from cross site request forgery, cross site scripting, OS command injection, and directory traversal vulnerabilities.
2190f55bd127ac7423c9c743f4167459612f148b992042f0bd75b4b858c6d942
D-Link DIR-600 and DIR-300 suffer from insecure cryptographic storage, remote command execution, information disclosure, and insecure password changing vulnerabilities.
0d610f0e7ac87b76802448b2ddefebf0a4f7d53a027f9b0de1b8a4e6d745c155
Netgear SPH200D suffers from cross site scripting, path disclosure, and directory traversal vulnerabilities.
feb81bf5c98699eaaac241a0def910ecd684f41727637e5be8c37af1a136cd6a
Linksys WRT54GL version 1.1 suffers from remote OS command injection and cross site scripting vulnerabilities.
c747a4881fe6f7e8e70cf9b1b6b621bdf6fad806004ab724ba2805579af13185
Webby Webserver version 1.01 suffers from a buffer overflow vulnerability.
c1efddb1b13c33f48bca2724a4a2cd55dd316b60fd3c13ef1e71beab2ce48b4e