Categories: exploit, vuln
Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Using the "secret" User-Agent bypasses authentication and allows admin access to the router.
The following router models are likely to be vulnerable: DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240
In addition, several Planex routers also appear to use the same firmware: BRL-04UR, BRL-04CW
Script arguments:
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent: see the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername: see the documentation for the smbauth library.
vulns.showall: see the documentation for the vulns library.
unittest.run: see the documentation for the unittest library.
Example usage:
nmap -sV --script http-dlink-backdoor <target>

Script output:
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-dlink-backdoor:
|   VULNERABLE:
|   Firmware backdoor in some models of D-Link routers allow for admin password bypass
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
|
|     References:
|_      http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
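The script reports through the vulns library, so its output follows the fixed "VULNERABLE: / State: / Risk factor: / References:" layout shown above. The following is an added triage example, not code from Nmap or this script: it parses that block out of Nmap's normal (-oN) output and lists the ports where the script reported a vulnerable state. The sample output it runs on is constructed from the layout above, and the parsing rules (script id directly after "| ", nested keys indented further) are assumptions about that layout.

```python
import re

# Constructed sample in the layout shown on this page; not a real scan result.
SAMPLE_OUTPUT = """\
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-dlink-backdoor:
|   VULNERABLE:
|   Firmware backdoor in some models of D-Link routers allow for admin password bypass
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       D-Link routers have been found with a firmware backdoor allowing for admin
|       password bypass using a "secret" User-Agent string.
|     References:
|_      http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+")
# Assumption: a script id sits directly after "| " (one space); nested keys are indented further.
SCRIPT_RE = re.compile(r"^\| ([\w-]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s*(State|Risk factor):\s*(.+?)\s*$")
REF_RE = re.compile(r"^\|_?\s*(https?://\S+)\s*$")


def parse_vuln_output(text):
    """Return one dict per script block: port, script id, state, risk, references."""
    results, port, current = [], None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            port = f"{m.group(1)}/{m.group(2)}"
        elif m := SCRIPT_RE.match(line):
            current = {"port": port, "script": m.group(1), "state": None,
                       "risk": None, "references": []}
            results.append(current)
        elif current is None:
            continue  # lines before any script block are port-table noise
        elif m := FIELD_RE.match(line):
            current["state" if m.group(1) == "State" else "risk"] = m.group(2)
        elif m := REF_RE.match(line):
            current["references"].append(m.group(1))
    return results


def vulnerable_ports(text, script_id="http-dlink-backdoor"):
    """Ports on which the named script reported State: VULNERABLE (triage helper)."""
    return [r["port"] for r in parse_vuln_output(text)
            if r["script"] == script_id and r["state"] == "VULNERABLE"]
```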
Author: Patrik Karlsson <email@example.com>
License: Same as Nmap--See http://nmap.org/book/man-legal.html