
CVE-2019-10999 PoC — Buffer error vulnerability in multiple D-Link products

Source
Associated Vulnerability
Title: Buffer error vulnerability in multiple D-Link products (CVE-2019-10999)
Description: D-Link DCS-5009L and related models are DCS-series IP cameras from D-Link (Taiwan, China). The alphapd component in multiple D-Link products contains a stack-based buffer overflow. The flaw stems from the network system or product failing to validate data boundaries correctly when operating on memory, so that incorrect read or write operations are performed on other associated memory locations. An attacker could exploit this to trigger a buffer overflow or heap overflow. The following products and versions are affected: D-Link DCS-5009L 1.08.11 and earlier; DCS-5010L 1.14.09 and earlier; DCS-5020L 1.15.12 and earlier; DCS-50
Description
Full exploit for the D-Link DCS-5020L; PoC crash for the other devices that are vulnerable as well.
Readme
# D-Link Exploit
The vulnerability is in the device's web server, alphapd, which processes `wireless.htm`
before displaying it to the user. If a `WEPEncryption` parameter is supplied in the
URL, a value longer than 0x28 (40) bytes overflows a fixed-size stack buffer. A
URL of the form:

    http://IP_ADDRESS/wireless.htm?WEPEncryption=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

will trigger the overflow and cause execution to continue at `0x42424242` (the `BBBB` bytes).

**Note: The exploit requires credentials to be successful.**
**Default credentials are admin with a blank password.**
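For anyone defending these cameras, the request shape described above is easy to spot in access, proxy or IDS logs: a request for `wireless.htm` whose `WEPEncryption` value, once URL-decoded, exceeds 0x28 bytes. The following detector is an added example written for this page (it is not part of the PoC project); the log format, regular expression and sample lines are constructed, and the `MAX_SAFE_WEP_LEN` threshold is taken from the 0x28-byte limit stated in this README.

```python
"""Flag HTTP requests matching the alphapd WEPEncryption overflow pattern.

Added example for this page, not code from the PoC project. The access-log
format below is constructed; adapt LOG_RE to the logs you actually collect.
"""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Threshold from the README: a WEPEncryption value longer than 0x28 bytes
# overruns the stack buffer in alphapd.
MAX_SAFE_WEP_LEN = 0x28

# Minimal combined-log-style pattern (constructed): client, timestamp,
# request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def wep_value_lengths(query):
    """Decoded byte length of every WEPEncryption value in a raw query string.

    The raw value is percent-decoded exactly once (as the server would see it),
    so a %41-encoded payload is measured at its true length rather than the
    length of its encoded form.
    """
    lengths = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "WEPEncryption":
            lengths.append(len(unquote_to_bytes(value)))
    return lengths


def classify_target(target):
    """Return (suspicious, longest_value_len) for one request target."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("wireless.htm"):
        return False, 0
    longest = max(wep_value_lengths(parts.query), default=0)
    return longest > MAX_SAFE_WEP_LEN, longest


def scan_log(lines):
    """Return one finding per log line whose request target exceeds the limit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the expected log format
        suspicious, longest = classify_target(m.group("target"))
        if suspicious:
            findings.append({
                "client": m.group("client"),
                "status": int(m.group("status")),
                "value_len": longest,
                "excess": longest - MAX_SAFE_WEP_LEN,
            })
    return findings


# Constructed sample lines: the README's 40 x 'A' + 'BBBB' shape, a
# percent-encoded overlong value, a benign wireless.htm request, and an
# unrelated request that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /wireless.htm?WEPEncryption='
    + "A" * 40 + 'BBBB HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:05 +0000] "GET /wireless.htm?WEPEncryption='
    + "%41" * 41 + ' HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:12:00:10 +0000] '
    '"GET /wireless.htm?WEPEncryption=mykey123 HTTP/1.1" 200 1200',
    '10.0.0.11 - - [01/Jan/2024:12:00:15 +0000] "GET /index.htm HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']}: WEPEncryption value is {f['value_len']} bytes "
              f"({f['excess']} over the 0x28 limit), HTTP {f['status']}")
```

Because the exploit needs valid credentials, a flagged request that received an HTTP 200 (or a crash-style 5xx/timeout) from an authenticated session is the one worth escalating; unauthenticated probes against the same path are still useful as early warning that a device is being scanned.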

## exploit.py
Full exploit that takes advantage of the buffer overflow in the alphapd server to
execute an arbitrary command on the device. It has been tested on the DCS-5020L
with all available versions of the firmware, as well as the most recent firmware
of the DCS-930L. More devices and versions can be added by reading the comments
in the [overflow](DlinkExploit/overflows/overflow.py) file. I might add more devices
and versions as time permits, but it's not a high priority. The initial commit of
this project has some simpler Python 2 examples.

## Vulnerable Devices
Below is the list of devices affected by this vulnerability. All versions of the firmware
are currently vulnerable.

**DCS-930L**

**DCS-931L**

**DCS-932L**

**DCS-933L**

**DCS-934L**

**DCS-5009L**

**DCS-5010L**

**DCS-5020L**

**DCS-5025L**

**DCS-5030L**


## Live Vulnerable Devices
https://www.shodan.io/search?query=Server%3A+alphapd

## Example Usage
This project is written in Python 3 and will not execute under Python 2.

`python3 exploit.py -i 192.168.0.100 -P 80 -u admin -p ""`

## In-depth Explanation
Video - https://www.youtube.com/watch?v=ijcbkY3dtso
Skip to 13:15 to hear about the actual exploit.


Four-part blog series

  * [Part 1](https://fuzzywalls.github.io/exploits/dcs-5020l-vuln-asses-pt1.html)
  * [Part 2](https://fuzzywalls.github.io/exploits/dcs-5020l-vuln-asses-pt2.html)
  * [Part 3](https://fuzzywalls.github.io/exploits/dcs-5020l-vuln-asses-pt3.html)
  * [Part 4](https://fuzzywalls.github.io/exploits/dcs-5020l-vuln-asses-pt4.html)
  
File Snapshot

[4.0K] /data/pocs/c296d77bf550d8bc6dba7933c6109d08386f322e
├── [4.0K] DlinkExploit
│   ├── [   0] __init__.py
│   ├── [4.0K] overflows
│   │   ├── [2.3K] DCS-5020L.py
│   │   ├── [1000] DCS-930LB1.py
│   │   ├── [1000] DCS-930L.py
│   │   ├── [1.5K] DCS-932LB1.py
│   │   ├── [1000] DCS-932L.py
│   │   ├── [   0] __init__.py
│   │   └── [4.5K] overflow.py
│   ├── [2.6K] util.py
│   └── [1.7K] version.py
├── [3.0K] exploit.py
└── [2.0K] README.md

2 directories, 12 files