Rapid7 Vulnerability & Exploit Database

D-Link/TRENDnet NCC Service Command Injection

Back to Search

D-Link/TRENDnet NCC Service Command Injection



This module exploits a remote command injection vulnerability on several routers. The vulnerability exists in the ncc service, while handling ping commands. This module has been tested on a DIR-626L emulated environment. Several D-Link and TRENDnet devices are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A) v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2) v2.01b01


  • Peter Adkins <peter.adkins@kernelpicnic.net>
  • Tiago Caetano Henriques
  • Michael Messner <devnull@s3cur1ty.de>


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/multi_ncc_ping_exec
msf exploit(multi_ncc_ping_exec) > show targets
msf exploit(multi_ncc_ping_exec) > set TARGET < target-id >
msf exploit(multi_ncc_ping_exec) > show options
    ...show and set options...
msf exploit(multi_ncc_ping_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security