Skip to content

Full exploit for D-Link DCS-5020L, POC crash for others that are vulnerable as well.

Notifications You must be signed in to change notification settings

secure-77/CVE-2019-10999

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 

Repository files navigation

D-Link Exploit

The exploit exists in the devices server, alphapd, when processing wireless.htm prior to displaying it to the user. If WEPEncryption is provided in the URL this leads to a buffer overflow if the value is longer than 0x28 bytes. A URL of the form:

 http://IP_ADDRESS/wireless.htm?WEPEncryption=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

will exercise the exploit and begin executing at 0x42424242.

Note: The exploit requires credentials to be successful. Default credentials are admin with a blank password.

exploit.py

Full exploit that takes advantage of a buffer overflow in the alphapd server to execute an arbitrary command on the device. It has been tested on the DCS-5020L with all available versions of the firmware as well as the most recent firmware of the DCS-930L. More devices and versions can be added by reading the comments in the overflow file. I might add more devices and versions as time permits, but it's not a high priority. The initial commit of this project has some simpler Python2 examples.

Vulnerable Devices

Below is the list of devices effected by this exploit. All versions of the firmware are currently vulnerable.

DCS-930L

DCS-931L

DCS-932L

DCS-933L

DCS-934L

DCS-5009L

DCS-5010L

DCS-5020L

DCS-5025L

DCS-5030L

Live Vulnerable Devices

https://www.shodan.io/search?query=Server%3A+alphapd

Example Usage

This project is written in Python 3 and will not execute under Python 2.

python3 exploit.py -i 192.168.0.100 -P 80 -u admin -p ""

In-depth Explaination

Video - https://www.youtube.com/watch?v=ijcbkY3dtso Skip to 13:15 to hear about the actual exploit.

4 Part Blog

About

Full exploit for D-Link DCS-5020L, POC crash for others that are vulnerable as well.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%