Reverse Engineering a D-Link Backdoor

[Figure: user_agent_strcmp]

alpha_auth_check itself is a fairly simple function. It does a few strstr’s and strcmp’s against some pointers in the http_request_t structure, then calls check_login, which actually does the authentication check. It is the final strcmp, however, that proves to be the most compelling. It compares the string pointer at offset 0xD0 inside the http_request_t structure with the string “xmlset_roodkcableoj28840ybtide”; if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK).

“xmlset_roodkcableoj28840ybtide” is “edit by 04882 joel backdoor” spelled backwards. Some guy, that Joel. 🙂
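
The control flow described above, modelled in C next to a hardened form. This is an added example, not the firmware's code or the author's: the struct layout, the check_login stand-in and its credentials are constructed assumptions; only the function names, the 0xD0 offset and the compared string come from the post.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the firmware's http_request_t.
   Only the field used by the final strcmp is modelled. */
typedef struct {
    const char *field_0xd0;  /* string pointer the post locates at offset 0xD0 */
    const char *user;        /* constructed: credentials supplied by the client */
    const char *pass;
} http_request_t;

/* Stand-in for check_login; the accepted credentials are constructed. */
static int check_login(const http_request_t *r) {
    return r->user && r->pass &&
           strcmp(r->user, "admin") == 0 &&
           strcmp(r->pass, "constructed-pw") == 0;
}

/* Behaviour the post describes: a match on the fixed string skips
   check_login and reports authentication OK. */
int alpha_auth_check_backdoored(const http_request_t *r) {
    if (r->field_0xd0 &&
        strcmp(r->field_0xd0, "xmlset_roodkcableoj28840ybtide") == 0)
        return 1;            /* no credentials were examined */
    return check_login(r);
}

/* Hardened form: no client-controlled field can short-circuit the
   credential check; every request goes through check_login. */
int alpha_auth_check_fixed(const http_request_t *r) {
    return check_login(r);
}

int main(void) {
    /* Constructed requests: magic string without credentials, valid login. */
    http_request_t magic = { "xmlset_roodkcableoj28840ybtide", NULL, NULL };
    http_request_t valid = { "ordinary-value", "admin", "constructed-pw" };

    printf("magic string, no creds: backdoored=%d fixed=%d\n",
           alpha_auth_check_backdoored(&magic), alpha_auth_check_fixed(&magic));
    printf("valid creds:            backdoored=%d fixed=%d\n",
           alpha_auth_check_backdoored(&valid), alpha_auth_check_fixed(&valid));
    return 0;
}
```

The first request is the regression case to keep in a firmware test suite: a request with no credentials must never return 1, whatever its other fields contain.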
