Hacking the D-Link DSP W2. Smart Plug
/dev/ttyS0

The D-Link DSP W2. Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn't readily available from Amazon or Best Buy yet, but the firmware is up on D-Link's web site.

The D-Link DSP W2. TL;DR, the DSP W2. AC outlet. The DSP W2. Linux based device DSP W2. Firmware Analysis.

After unpacking and examining the contents of the file system, I found that the smart plug doesn't have a normal web-based interface; you are expected to configure it using D-Link's Android/iOS app. The apps, however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug.

Being a SOAP-based protocol, HNAP is served up by a lighttpd server running on the smart plug, and the following excerpt from the lighttpd configuration files shows that HNAP requests are passed off to the wwwmycgi. HNAP1 wwwmycgi. HNAP1 wwwmycgi.

While HNAP is an authenticated protocol, some HNAP actions (specifically the GetDeviceSettings action) do not require authentication:

XML Output from the GetDeviceSettings Action.

GetDeviceSettings only provides a list of supported actions and isn't of much use by itself, but this does mean that mycgi. HNAP request data is handled by the dohnap function in mycgi.
Since HNAP actions are sent as HTTP POST requests, dohnap first processes the Content-Length header specified in the POST request:

Converting the Content-Length String to an Integer.

Then, naturally, it reads contentlength bytes into a fixed-size stack buffer:

fgetc Read Loop.

The following C code is perhaps a bit clearer. CONTENTLENGTH.

From the memset it is obvious that the postdatabuf stack buffer is only intended to hold up to 5. Since the Content-Length header is trusted blindly, POSTing more than 5. Overflow ra with 0x. Dx. 10. 00. 02. 0 print Ax. HNAP1.

ra Overwritten With 0x.

What's more, because the POST data is read into the buffer with an fgetc loop, there are no bad bytes; even NULL bytes are allowed. That's nice, because at 0x. CAC in mycgi.cgi there is this little bit of code that loads a. We just need to overwrite the saved return address with 0x. CAC and put whatever command we want to run onto the stack at offset 0x. D 1. 00. 00. 20 Fill up the stack buffer. Cx. AC Overwrite the return address on the stack. E 0x. 28 Stack filler. Command to execute. NULL terminate the command string. Requesthttp 1. HNAP1, buf.

Even better, the stdout of any command we execute is returned in the server's response.

Jan 1. 4 1. 4 1. May 9 1. Sep 3 2. 01. 0 etc. Jan 1. 4 1. 4 1. Jan 1. May 9 1. 6 0. 1 linuxrc binbusybox. Nov 1. 1 2. 00. 8 lostfound. May 9 1. 5 4. 4 mnt. Jan 1. 4 1. 4 1. Nov 1. May 9 1. 7 4. 9 root. Jan 1. 4 1. 4 1. May 1. Jan 1. 4 1. 4 1. May 9 1. Jan 1. 4 1. 4 1. May 9 1.

We can dump configuration settings and admin creds. Or start up a telnet server to get a proper root shell.

Trying 1. 92. 1. 68. Connected to 1. 92. Escape character is. Busy. Box v. 1. 0. Built in shell ash. Enter help for a list of built in commands.

After reversing a bit more of mycgi. I found that all you need to do to turn the wall outlet on and off is execute varsbinrelay.
Turns outlet on. varsbinrelay 0 Turns outlet off.

You can run a little script on the smart plug to play blinkenlights. OOK. if OOK eq 1.

Controlling a wall outlet can have more serious implications however, as exemplified by the following D-Link advertisement:

A Rather Misleading D-Link Advertisement.

While the smart plug may be able to detect overheating, I suspect that it can only detect if the smart plug itself is overheating; it has no way to monitor the actual temperature of any devices plugged into the wall outlet. So, if you've left a space heater plugged in to the outlet and some nefarious person surreptitiously turns the outlet back on, you're in for a bad day.

It's unclear if the smart plug attempts to make itself remotely accessible (using UPnP port forwarding rules, for example), as the Android configuration app simply doesn't work. It couldn't even establish an initial connection to the smart plug, although my laptop had no problems. When it finally did, it refused to create a MyDlink account for remote access, with the very helpful error message "could not create account". Although it said it had configured the smart plug to connect to my wireless network, the smart plug did not connect to my network, and it ceased to present itself as an access point for initial configuration. With the wireless borked and no ethernet connection, I was left with no means to further communicate with it. Oh, and there's no hard reset button either. Ah well, it's going in the bin anyway.

I suspect that anyone else who has purchased this device hasn't been able to get it to work either, which is probably a good thing. At any rate, I'd be wary of connecting such a device to either my network or my appliances.

Incidentally, D-Link's DIR 5. L travel router is also affected by this bug, as it has a nearly identical mycgi. PoC code for both devices can be found here.
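
The bounds check that the Content-Length read loop described above lacks, as an added example (not code from the original post or from D-Link's firmware): the declared length is parsed strictly and compared with the buffer capacity before any byte is read. The function names and the 1024-byte POST_BUF_SIZE are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#define POST_BUF_SIZE 1024   /* assumed capacity, not the device's value */

/* Strictly parse a Content-Length value; reject anything above max. */
int parse_content_length(const char *s, size_t max, size_t *out)
{
    char *end; unsigned long v;
    if (s == NULL || *s < '0' || *s > '9')    /* "", "-1", "+5", " 5" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* fgetc read loop, run only after the declared length fits the buffer.
 * Returns bytes read, or -1 if the request must be rejected. */
long read_post_body(FILE *in, const char *cl, char *buf, size_t cap)
{
    size_t len, i; int c;
    if (cap == 0 || parse_content_length(cl, cap - 1, &len) != 0)
        return -1;                  /* malformed or larger than buf */
    for (i = 0; i < len; i++) {
        if ((c = fgetc(in)) == EOF)
            return -1;              /* body shorter than declared */
        buf[i] = (char)c;
    }
    buf[len] = '\0';
    return (long)len;
}

/* Constructed driver: n bytes of 'A' sent with Content-Length value cl. */
long demo(size_t n, const char *cl)
{
    char buf[POST_BUF_SIZE]; long r;
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    while (n--) fputc('A', f);
    rewind(f);
    r = read_post_body(f, cl, buf, sizeof buf);
    fclose(f);
    return r;
}

int main(void) { printf("%ld %ld\n", demo(5, "5"), demo(5000, "5000")); return 0; }
```

A server using this would answer a rejected request with an HTTP error instead of reading the body; the check runs before authentication, which matters here because the request is parsed before any credentials are verified.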