# Exploit Title: D-Link wireless router DIR-600M - Cross-Site Request Forgery (CSRF) vulnerability
# Google Dork: N/A
# Date: 07/02/2017
# Exploit Author: Ajay S. Kulal (www.twitter.com/ajay_kulal)
# Vendor Homepage: dlink.com
# Software Link: N/A
# Version: Hardware version: C1, Firmware version: 3.03
# Tested on: All Platforms
# CVE: CVE-2017-5874

Abstract:
=======
A Cross-Site Request Forgery (CSRF) vulnerability in the DIR-600M wireless router enables an attacker to perform unwanted actions on the router with the privileges of a user/admin who is currently authenticated to it.

Exploitation-Technique:
===================
Remote

Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

Details:
=======
An attacker who lures an authenticated DIR-600M user into browsing a malicious website can exploit cross-site request forgery (CSRF) to add a new admin user, change the Wi-Fi password, and change other network settings.

Proof Of Concept code:
====================
1. Add new user with root access
2. Changing wireless password
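The following is an added defender-side example, not code from the advisory or from D-Link: it shows the request gate a router admin interface needs so that the forged "add user" or "set wireless password" requests described above are refused. A per-session anti-CSRF token (HMAC over the session id) is required on every state-changing form, and the browser-supplied Origin (or Referer) must match the router's own origin. The router origin, session id and signing secret are assumed, constructed values.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Assumed router management origin (constructed for this example).
ROUTER_ORIGIN = "http://192.168.0.1"


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Per-session token the admin UI must embed in every state-changing form.

    Bound to the session via HMAC so a page on another site cannot guess it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_trusted_source(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the router.

    Browsers attach Origin to cross-site POSTs, so a form auto-submitted from a
    malicious page carries that page's origin. With neither header present the
    request is refused rather than trusted."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ROUTER_ORIGIN


def authorize_admin_change(headers: dict, form: dict,
                           session_id: str, secret: bytes) -> bool:
    """Gate for handlers such as 'add user' or 'set wireless password'.

    Both checks must pass: trusted source AND a valid token for this session.
    The authenticated cookie alone (what the DIR-600M relies on) is not enough,
    because the victim's browser sends it automatically on forged requests."""
    if not is_trusted_source(headers):
        return False
    expected = issue_csrf_token(session_id, secret)
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(expected, supplied)
```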