/cve-2024-10914-port

dlink vulnerability thing in python and rust

Primary language: Rust

CVE-2024-10914 ported to rust and python

because why not

what is this

cve-2024-10914 is a recently disclosed vulnerability with a critical cvss score of 9.8 that affects some dlink nas devices. because those devices have reached end of life, dlink refuses to patch this vulnerability because "stop being poor and just buy a new router".

how does this work

the vulnerable devices expose an http endpoint, usually at /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=<user_input>. due to missing input validation (the application should only accept alphanumeric characters for the name), any character is accepted and passed through, including the special characters a shell interprets, so an attacker can execute arbitrary commands on the device.

by inserting shell metacharacters (such as ; | & or $(command)) in the name field, anyone who can reach the endpoint can run shell commands on the device. for example:

...name=admin'; echo 'get pwned bozo'; #

all these scripts do is send a request with the name parameter set to whatever command you want to run.
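for the defending side, here is an added example (not code from this repo or from verylazytech) of the two things the paragraph above implies: the strict alphanumeric allowlist the cgi should have applied to name, and a small detector that flags access-log lines which hit the cgi_user_add endpoint with shell metacharacters in the name parameter. the log lines are constructed samples, the endpoint path is the one named above, and the 32-character length cap is an assumption of this example:

```rust
// Added example, not code from this repository: an allowlist check for the
// `name` parameter plus a detector for shell metacharacters in access-log
// lines that target the cgi_user_add endpoint. Log lines are constructed.

const VULN_ENDPOINT: &str = "/cgi-bin/account_mgr.cgi";
const SHELL_METACHARS: &[char] = &[';', '|', '&', '$', '`', '\'', '"', '(', ')', '<', '>', '\n', '\r'];

/// Allowlist validation: accept only non-empty ASCII-alphanumeric names of at
/// most 32 bytes (length cap is an assumption of this example). Anything else,
/// metacharacters included, is rejected before it can reach a shell.
pub fn is_valid_username(name: &str) -> bool {
    !name.is_empty() && name.len() <= 32 && name.bytes().all(|b| b.is_ascii_alphanumeric())
}

/// Denylist view used for detection only: does the value contain any
/// character a shell would interpret?
pub fn has_shell_metachars(value: &str) -> bool {
    value.chars().any(|c| SHELL_METACHARS.contains(&c))
}

/// Decode a query-string value: '+' becomes a space and %XX becomes byte XX.
/// Malformed escapes are passed through unchanged rather than rejected.
pub fn percent_decode(s: &str) -> String {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' && i + 2 < b.len() {
            let hex = std::str::from_utf8(&b[i + 1..i + 3]).unwrap_or("zz");
            if let Ok(v) = u8::from_str_radix(hex, 16) {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(if b[i] == b'+' { b' ' } else { b[i] });
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Look up one key in the URL's query string and return its decoded value.
pub fn query_param(url: &str, key: &str) -> Option<String> {
    let query = url.split_once('?')?.1;
    query
        .split('&')
        .filter_map(|pair| pair.split_once('='))
        .find(|(k, _)| *k == key)
        .map(|(_, v)| percent_decode(v))
}

/// Pull the request URL out of a Common Log Format line, i.e. the second
/// token inside the quoted request field.
pub fn request_url(line: &str) -> Option<&str> {
    line.split('"').nth(1)?.split_whitespace().nth(1)
}

/// Return the decoded `name` value when a log line targets the vulnerable
/// endpoint with cmd=cgi_user_add and the name carries shell metacharacters.
pub fn flag_injection_attempt(line: &str) -> Option<String> {
    let url = request_url(line)?;
    if !url.starts_with(VULN_ENDPOINT) {
        return None;
    }
    if query_param(url, "cmd").as_deref() != Some("cgi_user_add") {
        return None;
    }
    let name = query_param(url, "name")?;
    if has_shell_metachars(&name) { Some(name) } else { None }
}

/// Constructed sample access-log lines (not real captures). Only the second
/// line should be flagged: line 3 hits a different cgi, line 4 a different cmd.
pub const SAMPLE_LOG: &str = "\
192.0.2.10 - - [12/Nov/2024:10:15:03 +0000] \"GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1\" 200 512
192.0.2.10 - - [12/Nov/2024:10:15:09 +0000] \"GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=admin%27%3B+echo+%27get+pwned+bozo%27%3B+%23 HTTP/1.1\" 200 512
192.0.2.11 - - [12/Nov/2024:10:16:44 +0000] \"GET /cgi-bin/login_mgr.cgi?cmd=login&name=bob%3Btrue HTTP/1.1\" 200 300
192.0.2.12 - - [12/Nov/2024:10:17:01 +0000] \"GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_del&name=x%7Cy HTTP/1.1\" 200 100";

/// Run the detector over every line and collect the flagged (decoded) names.
pub fn scan_log(log: &str) -> Vec<String> {
    log.lines().filter_map(flag_injection_attempt).collect()
}

fn main() {
    for name in scan_log(SAMPLE_LOG) {
        println!("injection attempt against {VULN_ENDPOINT}, decoded name = {name:?}");
    }
}
```

the detector decodes the parameter before checking it, because the payload arrives percent-encoded on the wire and a raw-string match on ; or | would miss it. the allowlist is the fix; the metacharacter denylist is only good enough for triaging logs, not for protecting the endpoint.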

there's a pretty good video by fireship that explains it in more detail: https://www.youtube.com/watch?v=52v6gKPA4TM

how 2 use:

first you need to have a vulnerable device, some models include:

  • DNS-320 (Version 1.00)
  • DNS-320LW (Version 1.01.0914.2012)
  • DNS-325 (Versions 1.01, 1.02)
  • DNS-340L (Version 1.08)

i strongly advise against using this script against someone else without their consent. please only do this stuff if you own the device or you have the owner's consent.

rust

  • if you already know the device ip address:

cargo run -- -u http://<device ip address>

  • if you want to perform a quick network scan:

cargo run

python

  • first install dependencies

pip install -r requirements.txt

  • if you already know the device ip address:

python main.py -u http://<device ip address>

  • if you want to perform a quick network scan:

python main.py

then follow the instructions

credits

i did not come up with the original code, verylazytech did. i only ported it to rust and python because why the fuck not. of course all credit goes to him and any other person involved in the discovery of this exploit.

https://github.com/verylazytech/CVE-2024-10914/