Posts

Showing posts from March, 2022

CVE-2019-17507 D-Link DIR-816 Router Authentication Bypass Vulnerability

Introduction

Management pages of D-Link DIR-816 A1 1.06 devices can be accessed without authentication via a client that ignores the 'top.location.href = "/dir_login.asp"' line in a .asp file. Steps to exploit this vulnerability using Burp Suite are given below.

Steps

1. Open the login page of the router in the Burp Suite browser.
2. Disable HTTP request interception by going to the Proxy > Options tab of Burp Suite and unchecking the "Intercept requests based on the following rules" checkbox.
3. Enable HTTP server response interception by checking the "Intercept responses based on the following rules" checkbox.
4. Turn on intercept in the Proxy > Intercept tab and go to the URL http://targetip/d_status.asp. From all the intercepted responses, delete the line 'top.location.href = "/dir_login.asp";'.

All the router management pages can be accessed by removing the line 'top.location.href = "/dir_login.asp";' from the responses.

Automation

To automatically delete...

Dump memory to file from U-Boot console using Memory Display (md) log

Introduction

Dump firmware or other contents from the memory of a device with a U-Boot bootloader to a file by converting the output of the memory display (md) command to a binary image.

Steps

1. Connect to the U-Boot console using picocom and save all output to a log file using the command given below. Here the output is saved to a log file named 'mdb.log'.

   sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log

2. Display the contents of the memory using the command:

   md.b <address> <length>

   The figure below shows the command to display memory contents from address 0x400000000 with length 0x20000 (128KB). The data in this example corresponds to a jffs2 file system.

3. Once the execution completes, edit the log file and remove everything other than the md.b output.

4. Clone the GitHub project uboot-mdb-dump.git:

   git clone https://github.com/gmbnomis/uboot-mdb-dump.git

5. Generate the binary image file 'output.bin' from the log file 'mdb.log'.

   python3 uboot-mdb-dump/uboot_mdb_to_image.p...