https://www.exploit-db.com/exploits/40949/
This PoC seems pretty intriguing... It's already written in ruby so I suppose we only need to add initialize() to make it a workable module.
cc @pedrib
@wvu-r7 @thecarterb Thanks for the interest but hold on to your horses! As I say in the full disclosure post (link below), I'm already working on a msf module. The PoC is not very reliable yet as it needs some polishing and I'm currently taking care of a few corner cases.
Should be finished porting it to msf by end of next week.
In this module, there are basically two ways to achieve RCE. One of them, which only works for LAN-based attacks but is more reliable, requires knowledge of the MAC address of the router.
I can ask the user to enter this, but ideally I'd like to determine it automatically. Is there a way to achieve this in msf?
@pedrib I don't know about doing it _in_ msf, but this snippet from bettercap might work (specifically line 4: target.mac):
```ruby
# bettercap helper: decide whether to skip an IP based on whether its target
# entry already has a known MAC address (target.mac is the interesting part).
def skip_address?(ip)
  target = @ctx.find_target(ip.to_s, nil)
  return false if target.nil?

  # skip only when a MAC is already known for this target
  !target.mac.nil?
end
```
Full script from here for reference/context
@pedrib: There really isn't a good way unless you're root and can send ARP. I suppose you could consult the ARP cache as a normal user, but how would you do that portably short of shelling out? I actually have this exact problem in a module I'm writing.
As a minor aside, every Kali Linux user or Metasploit Pro user is root already when running Metasploit by default. You can also capture on Linux via privsep (see how Wireshark does it), or by modifying bpf device rules on OS X and others. Maybe we should look at building a privsep probe capability for non-root Metasploit users. I _think_ most meterpreter sessions can get ARP entries too.
@bcook-r7 non-Kali users will never run msf as root - I know I don't.
@wvu-r7 well, I'll keep working on other parts of the module; do you have a link for your WIP? If you find a way to do it, let me know! Otherwise, I'll try to work around it in some other way.
Thanks for the feedback guys!
@pedrib: Sequestered away on a local branch. Right now, the MAC address for the router comes from an OptString. Far from fancy. :)
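Since the thread above asks how a non-root user could consult the ARP cache without shelling out, here is an added example (not from the thread, not part of any Metasploit module) that parses the Linux `/proc/net/arp` table and returns the MAC for a given IP, treating incomplete entries as unknown. It assumes Linux; `ARP_TABLE_PATH`, `ATF_COM` and the sample table are constructed for the example.

```ruby
# Added example: read a neighbour's MAC from the Linux ARP cache without root
# and without spawning a subprocess, by parsing /proc/net/arp directly.
ARP_TABLE_PATH = '/proc/net/arp'.freeze
# Flag bit set on a resolved entry (ATF_COM from <net/if_arp.h>); an entry
# still being resolved has flags 0x0 and an all-zero MAC.
ATF_COM = 0x02

# Parse the text of /proc/net/arp into an array of hashes.
# Line format after the header:
#   IP address  HW type  Flags  HW address  Mask  Device
def parse_arp_table(text)
  text.each_line.drop(1).each_with_object([]) do |line, entries|
    fields = line.split
    next unless fields.length == 6

    ip, hw_type, flags, mac, _mask, dev = fields
    entries << { ip: ip, hw_type: hw_type.to_i(16), flags: flags.to_i(16),
                 mac: mac.downcase, dev: dev }
  end
end

# Return the MAC for +ip+, or nil when the entry is absent or not yet resolved.
def arp_lookup(ip, text)
  entry = parse_arp_table(text).find { |e| e[:ip] == ip }
  return nil if entry.nil?
  return nil if (entry[:flags] & ATF_COM).zero?
  return nil if entry[:mac] == '00:00:00:00:00:00'

  entry[:mac]
end

# Convenience wrapper over the live table; nil on non-Linux hosts.
def arp_lookup_from_proc(ip, path = ARP_TABLE_PATH)
  return nil unless File.readable?(path)

  arp_lookup(ip, File.read(path))
end

# Constructed sample table (one resolved entry, one incomplete entry).
SAMPLE_ARP = <<~ARP
  IP address       HW type     Flags       HW address            Mask     Device
  192.168.1.1      0x1         0x2         02:00:5E:00:11:22     *        eth0
  192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
ARP

if __FILE__ == $0
  puts arp_lookup('192.168.1.1', SAMPLE_ARP).inspect   # "02:00:5e:00:11:22"
  puts arp_lookup('192.168.1.50', SAMPLE_ARP).inspect  # nil (unresolved)
end
```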
For completeness, I believe the advisory is here: http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability
If I'm mixing up advisories, let me know and I'll delete this comment.
@h00die that's it, thanks! I'll add the link to the module references.
Given the complexity of this exploit, I am going to split it into 3 different modules:
1) exploit module for the stack overflow (this affects the WNR2000 only)
2) auxiliary module for password recovery
3) exploit module for the telnetenable attack (which affects other NETGEAR routers, not just the WNR2000 - see https://wiki.openwrt.org/toh/netgear/telnet.console)
What do you think? They're almost done, I'll submit them soon.
@pedrib: The telnetenable module is the one I've been working on. :/
@wvu-r7 have you looked at my code? I've ported it to Ruby, feel free to use it.
@pedrib: I have not. What are you using for the crypto in telnetenable?
Feel free to use my code, I spent hours trying to work around the difference between Python and Ruby crypto.
I'm using OpenSSL and it works flawlessly, check the telnetenable function in https://github.com/pedrib/PoC/blob/master/exploits/netgearPwn.rb
@pedrib: Ugh, I spent hours on that as well. Looks like we have pretty similar code, down to the use of OpenSSL, except my module's been sitting incomplete for a couple years now...
If you'll let me finish the module, I'll add you to the credits when I PR it? I'm attempting to support both TCP and UDP methods of access in one module, which may be a bit radical.
The secret is in the order of arguments you pass to OpenSSL. Had to ask the Ruby devs to get it right.
I think my telnetenable function works flawlessly, and looking at the code it seems all you need to make it work in older routers is to use TCP instead of UDP, all else seems the same.
Please use the code and finish it, I won't release the telnetenable module then.
@pedrib: Sounds good, thanks. I'll tag you when it's PR'd.
See PR #7778