no one is safe ...

Exploit

Metasploit Modules

Unstable Modules



Exploits

  • exploit/linux/http/dlink_command_php_exec_noauth - D-Link Devices Unauthenticated Remote Command Execution
  • exploit/linux/http/dlink_diagnostic_exec_noauth - D-Link DIR-645 / DIR-815 diagnostic.php Command Execution

OS-Command Injection via UPnP Interface in multiple D-Link devices

Vendor: D-Link
Devices: DIR-300 rev B / DIR-600 rev B / DIR-645 / DIR-845 / DIR-865

============ Vulnerable Firmware Releases: ============
DIR-300 rev B - 2.14b01
DIR-600 - 2.16b01
DIR-645 - 1.04b01
DIR-845 - 1.01b02
DIR-865 - 1.05b03

Other devices and firmware versions may be also vulnerable.

============ Vulnerability Overview: ============

  • Unauthenticated OS Command Injection

Linksys X3000 - Multiple Vulnerabilities

Device: X3000
Vendor: Linksys

============ Vulnerable Firmware Releases: ============

Firmware Version: v1.0.03 build 001 Jun 11,2012

============ Vulnerability Overview: ============

OS Command Injection

The vulnerability is caused by missing input validation and can be exploited to inject and execute arbitrary shell commands.

You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

* OS Command Injection - Vector 1 (1):
=> Parameter: ping_ip

Your Telnet Backdoor is waiting for you

It is too bad if your device has a backdoor directly from the vendor. In some devices of the vendor D-Link you are able to find a nice telnet server listening on the internal network interface. The following output shows the results of a Nmap scan of three different D-Link DIR devices (DIR-300revA, DIR-300revB, DIR-600revB):


root@bt:~# nmap -sSV -p 23 192.168.178.133,144,222
Starting Nmap 6.01 ( http://nmap.org ) at 2013-04-30 13:42 CEST
Nmap scan report for 192.168.178.133
Host is up (0.0067s latency).
PORT STATE SERVICE VERSION